Hey NP,

This may very well be a side-effect of the decommissioning of Google's OpenID provider service and the moving to OpenID Connect.

Could you link which "published Google Libraries for OpenID Connect" you've used, and if possible some of the code relevant to your use-case?

As noted in the docs <https://cloud.google.com/appengine/docs/python/users/functions#create_login_url>, support for OpenID was experimental, probably since the landscape of Auth has been changing quite a bit, as new improvements are made through the experience of successive paradigms; however, all I really need to comment on is that it was "experimental". Despite this, I'm committed to helping you find a solution that works.

There are several docs in our Developers resources which discuss OpenID Connect [1] <https://developers.google.com/identity/protocols/OpenID2Migration?hl=en>, [2] <https://developers.google.com/+/web/api/rest/openidconnect/>, [3] <https://developers.google.com/identity/protocols/OpenIDConnect?hl=en>, and you might want to give those a read.

If the login: admin feature turns out to have been specific to Google OpenID accounts, you can rest assured that:

A) A feature request in the public issue tracker <http://code.google.com/p/google-appengine/issues/list> to get this function updated to work with OpenID Connect is possible and awesome

B) you can implement your own admin feature using an admin check in your request handlers and implementing an OpenID Connect auth scheme which allows accounts from OpenID Connect services (you would add the various sign-in buttons to the sign-in page of your (web)app).

Best wishes,
Nick

On Tuesday, August 4, 2015 at 1:08:50 PM UTC-4, NP wrote:
>
> Hello all,
>
> I have an application (python) on GAE which uses Federated Login. In app.yaml, I have restricted some urls to be accessible only to admins (i.e. login; admin). According to GAE documentation, any url restricted to admin for applications using Federated Login will trigger a call to /_ah/loginrequired and I'm supposed to handle such calls by getting user to login using *users.create_login_url(dest_url, federated_identity)*.
>
> Documentation for users.create_login_url says if no federated_identity is specified (when your site is set to use federated identity), the system will default to Google as the OpenID provider. So the application currently defaults to 'https://www.google.com/accounts/o8/id' which is no longer supported by Google and I believe this is the reason why it gives me a 500 server error.
>
> I have tried using the published Google Libraries for OpenID Connect. If I use the library outside of the create_login_url, I'm able to log in and get the user email but calling users.get_current_user() returns None and so the application doesn't see me as being logged in which means I don't get access to the url that I had restricted to admins. If I apply the OpenID Connect url to create_login_url, I get a 500 server error.
>
> Does anybody know how to handle requests to urls restricted to logged-in users/admins using the new OpenID Connect?
>

--
You received this message because you are subscribed to the Google Groups "Google App Engine" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/a944c093-28cc-4b21-ae5d-3e0e65041e2c%40googlegroups.com.
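Option B from the reply above (an admin check in the request handlers in place of login: admin), sketched as an added example that is not code from the thread or from App Engine. It assumes a hypothetical `get_claims` callable that returns the claims of an ID token whose signature an OpenID Connect library has already verified; the client ID, admin list, `/admin/` prefix and `/login` URL are placeholders.

```python
import time

# Assumptions (not from the thread): CLIENT_ID, ADMIN_EMAILS and the URL
# prefix are placeholders. get_claims is a hypothetical callable returning
# the claims of an ID token whose signature was already verified by an
# OpenID Connect library, or None when the visitor has no session.
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
ADMIN_EMAILS = frozenset({"admin@example.com"})
GOOGLE_ISSUERS = ("accounts.google.com", "https://accounts.google.com")


def is_admin(claims, now=None):
    """Return True only if verified ID-token claims identify a listed admin."""
    if not isinstance(claims, dict):
        return False
    now = time.time() if now is None else now
    exp = claims.get("exp")
    return (
        claims.get("iss") in GOOGLE_ISSUERS
        and claims.get("aud") == CLIENT_ID  # token was issued for this app
        and isinstance(exp, (int, float)) and exp > now  # not expired
        and claims.get("email_verified") is True  # reject unverified addresses
        and str(claims.get("email", "")).lower() in ADMIN_EMAILS
    )


class AdminOnly(object):
    """WSGI middleware standing in for `login: admin` on one URL prefix."""

    def __init__(self, app, get_claims, prefix="/admin/", login_url="/login"):
        self.app, self.get_claims = app, get_claims
        self.prefix, self.login_url = prefix, login_url

    def __call__(self, environ, start_response):
        if not environ.get("PATH_INFO", "").startswith(self.prefix):
            return self.app(environ, start_response)
        claims = self.get_claims(environ)
        if claims is None:  # not signed in: send to the sign-in page
            start_response("302 Found", [("Location", self.login_url)])
            return [b""]
        if not is_admin(claims):  # signed in, but not on the admin list
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden"]
        return self.app(environ, start_response)
```

Because this check replaces users.get_current_user(), the restricted URLs must no longer carry login: admin in app.yaml, otherwise App Engine's own login handling still runs first.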
