Applications sometimes need to reference their own identity and assert this identity to others. App Engine includes an Application Identity service for this purpose.
Applications sometimes need to determine the Application Identifier under which the code is executing. This may be to generate a URL or email address, or possibly to make some run-time decision.
The application ID should be looked up using the app_identity.get_application_id() method. The CGI environment exposes some implementation details which are handled by the API.
A related operation is the need to get the hostname part of a URL to the application. You can use the app_identity.get_default_version_hostname() method for this purpose. This is useful in certain scenarios when the application is not available at http://your_app_id.appspot.com.
App Identity is an experimental, innovative, and rapidly changing new feature for App Engine. Unfortunately, being on the bleeding edge means that we may make backwards-incompatible changes to App Identity. We will inform the community when this feature is no longer experimental.
Many Google APIs support OAuth assertions to identify the source of the request.
The App Identity API provides a service that creates tokens that can be used to assert that the source of a request is the application itself.
The get_access_token() method returns an access token for a scope, or list of scopes. This token can then be set in the HTTP headers of a call to identify the calling application.
The following illustrates a REST call to the Google URL Shortener API. Note that the Google Data Client Libraries can also manage much of this for you automatically.
```python
import logging

try:
    import json  # Python 2.7.
except ImportError:
    import simplejson as json  # Python 2.5.

from google.appengine.api import app_identity
from google.appengine.api import urlfetch


def create_short_url(long_url):
    scope = "https://www.googleapis.com/auth/urlshortener"
    # get_access_token() returns (token, expiry time); only the token is used here.
    authorization_token, _ = app_identity.get_access_token(scope)
    # Log the identity only: the access token is a bearer credential and
    # should not be written to logs.
    logging.info("Calling URL Shortener as identity %s",
                 app_identity.get_service_account_name())
    payload = json.dumps({"longUrl": long_url})
    response = urlfetch.fetch(
        "https://www.googleapis.com/urlshortener/v1/url?pp=1",
        method=urlfetch.POST,
        payload=payload,
        headers={"Content-Type": "application/json",
                 "Authorization": "OAuth " + authorization_token})
    if response.status_code == 200:
        result = json.loads(response.content)
        return result["id"]
    # Format the message explicitly; Exception() does not interpolate its arguments.
    raise Exception("Call failed. Status code %s. Body %s" %
                    (response.status_code, response.content))
```
Note that the application's identity is represented by the service account name, which is typically applicationid@appspot.gserviceaccount.com. You can get the exact value by using the get_service_account_name() method.
For services which offer ACLs, you can grant the application access by granting this account access.
The token generated by get_access_token() only works against Google systems. However, you can use the underlying signing technology to assert the identity of your application to other systems. The sign_blob() method will sign bytes using a private key unique to your application, and the get_public_certificates() method will return certificates which can be used to validate the signature. Note that the certificates may be rotated from time to time, and the method may return multiple certificates, all of which are currently valid.
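The receiving side of that exchange, as an added example that is not part of the original page or the App Engine SDK: a verifier that accepts a signature if any currently valid key verifies it and fails closed otherwise. Assumptions: signatures are RSA PKCS#1 v1.5 over SHA-256; raw (modulus, exponent) pairs stand in for the X.509 certificates so the code runs offline on Python 3.8+; toy_key, toy_sign, verify_any and the key names are hypothetical, and the toy keys are constructed and insecure.

```python
import hashlib
import hmac

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_encode(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), k bytes long."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_verify(message, signature, n, e):
    """Rebuild the expected encoding and compare it whole; never parse padding."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k or int.from_bytes(signature, "big") >= n:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_encode(message, k))

def verify_any(message, signature, public_keys):
    """Return the name of the currently valid key that verifies, else None."""
    for name, (n, e) in public_keys.items():
        if rsa_verify(message, signature, n, e):
            return name
    return None  # fail closed: no current key vouches for this message

# --- Constructed toy keys (Mersenne primes): demonstration only, NOT secure ---
E = 65537

def toy_key(p_bits, q_bits):
    p, q = 2**p_bits - 1, 2**q_bits - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus, private exponent)

def toy_sign(message, n, d):
    """Stand-in for sign_blob(); assumes RSA PKCS#1 v1.5 with SHA-256."""
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_encode(message, k), "big")
    return pow(m, d, n).to_bytes(k, "big")

OLD_N, OLD_D = toy_key(521, 607)    # key about to be rotated out
NEW_N, NEW_D = toy_key(607, 1279)   # key rotated in
# Stand-in for get_public_certificates(): both keys are valid during rotation.
CURRENT_KEYS = {"old-key": (OLD_N, E), "new-key": (NEW_N, E)}

if __name__ == "__main__":
    sig = toy_sign(b"hello from my app", NEW_N, NEW_D)
    print(verify_any(b"hello from my app", sig, CURRENT_KEYS))   # new-key
    print(verify_any(b"tampered message", sig, CURRENT_KEYS))    # None
```

A real verifier would extract the public keys from the returned certificates with a vetted cryptography library, and would re-fetch the certificate list when no cached key verifies before rejecting the message.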