Is it possible to use Google Cloud Endpoints built in authentication with Google+ Domains API?


Google Cloud Endpoints has its own authentication process in which the backend endpoint method is simply passed a com.google.appengine.api.users.User object.

https://cloud.google.com/appengine/docs/java/endpoints/auth

The Google+ Domains API specifies its own authentication process in order to get the com.google.api.client.auth.oauth2.Credential object. This allows for the building of the com.google.api.services.plusDomains.PlusDomain object.

https://developers.google.com/+/domains/authentication/

How would you integrate these two authentication processes? This is for a web app (JavaScript) with a Google App Engine (Java) backend.

In an ideal situation, I would like to be able to retrieve the user's bio/profile basic info via my JS app while the user is offline.

Use Case: I have a comment thread where each comment has an author persisted in the Google Datastore as a com.google.appengine.api.users.User object. However, when I render the comment thread in my JS web app I would like to show a profile picture for each author. If I could make a call from the web app to retrieve the bio for each commenter I could save the backend a lot of work. The web app would have the user object as JSON, which includes the user ID and email.


There is 1 answer

Nick On BEST ANSWER

So, your use-case is:

  • your users authenticate to your app, granting the basic userinfo.profile scope needed to get the com.google.appengine.api.users.User object properly received in your endpoints API
  • you persist these User objects to the DB, and when you retrieve them to display the thread they commented in, you'd like to make a call to the Google+ API people.get method to retrieve their avatar image URL

The solution: if your users were presented with an OAuth flow that had them grant the scope required for the Google+ API call (the profile scope) in addition to the regular endpoints "userinfo.profile" scope, it should be no problem to call the Google+ API, either from the JS client or from the Java back-end, using the Google API client libraries, after going through that flow to obtain the credentials.

In order to avoid re-authenticating them each time, you should serialize and store a credentials object from the language in question, or you could even simply keep track of the refresh token for their grant and go through the low-level OAuth dance to obtain a fresh access token (you'll probably want to do the former, as it does this for you).

As noted elsewhere on the web (in several other places as well), the userid from the User object is not the same as the Google+ profile id, so be aware of that when working with the endpoints method parameter User objects. You therefore won't be able to use the userid from the User object to call people.get.

Instead, you should store the Google+ profile ID of the user at the time that they first signed in or at least went through the OAuth flow that granted the necessary Google+ scope, alongside the User object you've already been using. You'll have to use the (de)serialized credentials objects or refresh/access tokens to call the Google+ API, once you retrieve the Google+ profile ID from each user's data model in your storage (whatever solution you use, from Datastore to SQL, etc.).
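The storage step the answer describes, sketched as an added example that is not part of the original answer: the Google+ profile ID is kept beside the App Engine user ID, and the refresh token is sealed before it is persisted. Encrypting the token with AES-GCM bound to the user ID is an added precaution the answer does not mention; the class and method names are hypothetical and all values are constructed.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.net.URLEncoder;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;

public class PlusLinkExample {
    // Seals the refresh token as nonce(12) || AES-256-GCM ciphertext+tag.
    // The App Engine user ID is the AAD, so a record copied onto another user fails to open.
    static byte[] seal(byte[] key, String userId, String refreshToken) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, nonce));
        c.updateAAD(userId.getBytes(StandardCharsets.UTF_8));
        byte[] ct = c.doFinal(refreshToken.getBytes(StandardCharsets.UTF_8));
        return ByteBuffer.allocate(nonce.length + ct.length).put(nonce).put(ct).array();
    }
    static String open(byte[] key, String userId, byte[] sealed) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, sealed, 0, 12));
        c.updateAAD(userId.getBytes(StandardCharsets.UTF_8));
        return new String(c.doFinal(sealed, 12, sealed.length - 12), StandardCharsets.UTF_8);
    }
    // Form body of the OAuth 2.0 refresh_token grant (RFC 6749, section 6); built on the backend only.
    static String refreshBody(String clientId, String clientSecret, String refreshToken) throws Exception {
        return "grant_type=refresh_token"
                + "&client_id=" + URLEncoder.encode(clientId, "UTF-8")
                + "&client_secret=" + URLEncoder.encode(clientSecret, "UTF-8")
                + "&refresh_token=" + URLEncoder.encode(refreshToken, "UTF-8");
    }
    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];   // demo key only; load the real one from a key store
        new SecureRandom().nextBytes(key);
        String userId = "constructed-appengine-user-id";      // User.getUserId(), not a Google+ ID
        String plusProfileId = "constructed-plus-profile-id"; // saved once, after the OAuth flow
        byte[] sealed = seal(key, userId, "constructed-refresh-token");
        String body = refreshBody("constructed-client-id", "constructed-secret", open(key, userId, sealed));
        System.out.println("refresh request for " + plusProfileId + ": " + body.length() + " bytes");
        try {
            open(key, "some-other-user-id", sealed);
        } catch (AEADBadTagException e) {
            System.out.println("rejected: sealed token does not belong to this user");
        }
    }
}
```

Only the profile ID and the avatar URL it resolves to need to reach the JS client; the sealed token and the client secret stay on the backend.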