I’m building a Google App Engine web app, with a Java back end, that relies heavily on JavaScript/JQuery in the browser (you can see it here).

I want to implement a user authentication mechanism, that will also rely on AJAX (ie. they will be able to register and login without a page refresh).

I don’t want to rely on Google’s authentication because I’ve found that a lot of people are reluctant to give up their GMail email addresses, but I would like to support authentication via Google/Facebook/Twitter etc in future.

I like the simplicity of Reddit’s approach to user authentication.

My concern is that since people won’t be using my app over HTTPS, I don’t want to have to send a password in clear-text over HTTP. I would also prefer to rely on some kind of secret token (perhaps a hash of the password and some server-provided “salt”), which could be intercepted and spoofed.

At the same time, I don’t want to have to put a huge amount of effort into implementing the authentication mechanism.

Is there an approach that gives me the simplicity I want, yet which is secure over HTTP?

edit: I just realized that Google App Engine does support HTTPS but only if you connect via the *.appspot.com URL for your site. Unfortunately you can’t do AJAX calls to this due to cross-site scripting restrictions – although I guess it may be possible with JSONP.

So, is using JSONP+HTTPS+*.appspot.com the best approach here?