I’m writing an application on GAE that is exposing a RESTlike API to a fixed number of remote servers which may be using any OS/software. At the moment I’m pondering how to identify and authenticate these remote servers painlessly.
I’m trying to avoid having to program too much of this myself for obvious security concerns.
If I’d were on an Apache or nginx I’d use SSL client certificates and let the clients choose whatever they want to contact the API, curl, webapp, whatever.
I understand that, at this time, GAE doesn’t provide checking client certificates this way.
Is there any other way to do this in GAE with Py2.7?
If this is not possible or a very big hassle, can anyone point me to another good way to identify and authenticate remote servers in a situation like this?
I can only post two links of what I checked
https://groups.google.com/forum/?fromgroups=#!topic/google-appengine-python/c5PHMrAMAcI
https://sites.google.com/site/oauthgoog/authenticate-google-app-engine-app
plus much more over the last few days. I found some questions which are similar to mine, but none with a satisfying answer, to me at least.
I’d suggest looking into Google Cloud Endpoints, which is currently in the trusted tester phase. I discuss it in more detail in this answer, but the main things you’ll get are:
We’re primarily targeting developers building APIs in their application backends, but other “same party” (e.g. you’re the API developer and consumer) uses should work equally well.