App Identity Python API Overview
Code sometimes needs to determine the identifier of the application in which it is executing. This may be to generate a URL or email address, or possibly to make some run-time decision. App Engine includes an Application Identity service for this purpose.
Identifying itself
Application ID
The application ID can be found using the app_identity.get_application_id() method. The WSGI or CGI environment exposes some implementation details which are handled by the API.
Versioned hostnames
A related operation is getting the hostname part of a URL to the application. You can use the app_identity.get_default_version_hostname() method for this purpose. This is useful in certain scenarios when the application is not available at http://your_app_id.appspot.com.
Asserting identity to Google APIs
Many Google APIs support OAuth assertions to identify the source of the request. The App Identity API provides a service that creates tokens that can be used to assert that the source of a request is the application itself. The get_access_token() method returns an access token for a scope, or list of scopes. This token can then be set in the HTTP headers of a call to identify the calling application.
The following illustrates a REST call to the Google URL Shortener API. Note that the Google Data Client Libraries can also manage much of this for you automatically.
import logging

try:
    import json  # Python 2.7.
except ImportError:
    import simplejson as json  # Python 2.5.

from google.appengine.api import app_identity
from google.appengine.api import urlfetch


def create_short_url(long_url):
    scope = "https://www.googleapis.com/auth/urlshortener"
    # get_access_token() returns (token, expiration time); only the token is used.
    authorization_token, _ = app_identity.get_access_token(scope)
    # Log which identity is used, but never the bearer token itself.
    logging.info("Using an access token to represent identity %s",
                 app_identity.get_service_account_name())
    payload = json.dumps({"longUrl": long_url})
    response = urlfetch.fetch(
        "https://www.googleapis.com/urlshortener/v1/url?pp=1",
        method=urlfetch.POST,
        payload=payload,
        headers={"Content-Type": "application/json",
                 "Authorization": "OAuth " + authorization_token})
    if response.status_code == 200:
        result = json.loads(response.content)
        return result["id"]
    # Format the message explicitly; Exception() does not interpolate arguments.
    raise Exception("Call failed. Status code %s. Body %s" %
                    (response.status_code, response.content))
Note that the application's identity is represented by the service account name, which is typically your_app_id@appspot.gserviceaccount.com. You can get the exact value by using the get_service_account_name() method. For services which offer ACLs, you can grant the application access by granting this account access.
Asserting identity to other systems
The token generated by get_access_token() only works against Google systems. However, you can use the underlying signing technology to assert the identity of your application to other systems. The sign_blob() method will sign bytes using a private key unique to your application, and the get_public_certificates() method will return certificates which can be used to validate the signature.
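The receiving system's side of this exchange, as an added example that is not part of the original documentation and is not App Engine code (Python 3.8+, standard library only). It assumes sign_blob() produces RSA PKCS#1 v1.5 signatures over SHA-256 and that the RSA public key (n, e) has already been extracted from each certificate returned by get_public_certificates(); verify_from_app, demo_sign_blob and the demo key are hypothetical names and constructed values.

```python
import hashlib

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(blob, k):
    """Encoded message for a k-byte modulus: 00 01 FF..FF 00 DigestInfo."""
    t = SHA256_PREFIX + hashlib.sha256(blob).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_verify(blob, signature, n, e):
    """RSASSA-PKCS1-v1_5 verification with SHA-256."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    # Compare against the fully re-encoded message instead of parsing the
    # padding; lenient padding parsers have allowed forged signatures.
    return pow(s, e, n).to_bytes(k, "big") == emsa_pkcs1_v15(blob, k)

def verify_from_app(blob, key_name, signature, published_keys):
    """published_keys maps key_name -> (n, e) from the app's certificates."""
    key = published_keys.get(key_name)
    if key is None:  # unknown or rotated-out key: re-fetch certificates, else reject
        return False
    return rsa_verify(blob, signature, *key)

# Constructed demo key built from two well-known Mersenne primes. It only
# stands in for the application's private key here and offers no security.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLISHED = {"demo-key-1": (N, E)}

def demo_sign_blob(blob):
    """Stand-in for sign_blob(): returns (key_name, signature)."""
    k = (N.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15(blob, k), "big")
    return "demo-key-1", pow(m, D, N).to_bytes(k, "big")
```

In a real receiver, the key name sent alongside the signature selects which of the published certificates to check against, so the signing key can rotate without breaking verification.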