English | Site Directory

Configuring Your App's Authentication

Introduction

With Google App Engine, you can use Google Apps to:

  1. restrict your application to members of your domain
  2. deploy your application to any domain you own

In the next article, we discuss how to deploy your application on a custom domain. Below, we discuss the available authentication options, and how to select the correct one for your application.

App Engine authentication options

Google offers two different systems for authenticating your application's users. Only one form of authentication can be used for a given application.

  • Google Accounts

    Google Accounts is Google's unified sign-in system. All a user needs is a valid email address (it doesn't need to be a Gmail address!) to sign up for a Google Account.

  • Google Apps for your Domain

    Users of Google Apps for your Domain can choose to restrict all or part of their web application to only those people who have a valid email address on their domain.

Currently, you are not able to switch authentication options for existing App Engine apps.

Administering your App Engine Application

With Google App Engine, you can administer your application using a Google Account or a Google Apps for your Domain account. Your app's administration account should use the same authentication as the app's users. For instance, if you set your app's authentication to Google Apps, you should administer that account using a Google Apps email address. While it is possible to have an account that is both a valid Google Apps account and a valid Google Accounts account, you should avoid using such an account to administer your applications.

If your App Engine developer account is a Google Account, you can access the Administration Console at http://appengine.google.com. If you are using a Google Apps account, you can access the Administration Console at http://appengine.google.com/a/YOURDOMAIN (substituting YOURDOMAIN with your actual domain name).

Restrict your application's authentication to members of your domain

If you restrict your application's authentication to your domain, all pages requiring login must be served off of some subdomain of that domain. For example, restricting users to the domain foo.com means that the application can only be accessed through subdomain.foo.com. If you trying to view the page at appid.appspot.com it will result in a server error.

The option for restricting an application's authentication settings can only be set at app creation time, so your first step is to create a new application:


You'll need to specify the Application Identifier (a unique ID you'll include in your app.yaml configuration file) and the Application Title.

By default, Google App Engine applications use Google Accounts for authentication, which means that if your application uses authentication, anyone with a valid Google Account will be able to sign in. This does not include Google Apps accounts.

If you'd like to restrict your application to members of your Google Apps domain (i.e. only users with accounts on mydomain.com), click on the 'Edit' button at the bottom of the orange Authentication Options box.


Select the radio button next to 'Restricted to the following Google Apps domain:' and enter your Google Apps domain (e.g. mydomain.com) in the text box and click 'Save'. You will be taken to a confirmation screen indicating your application has been successfully registered.