Custom domain app requesting permission to access Google Account

I refer here to that page you are redirected after you login to GAE app with your google account, which asks your permission to access your google account.

Put this toghether with custom domain and https and you get my problem.

Sorry for the lengthiness. I searc开发者_如何转开发hed everywhere. Didn't find anything. Not sure it is an OAuth issue (think not).

My configuration:

• developed myapp.appspot.com
• configured custom domain myapp.mydomain.com to point to myapp
• myapp is making use of GAE login service
• need for https posts from custom domain (!), solved as follows:
  • page is loaded in HTTP from http://myapp.mydomain.com
  • some submit HTTPS URLs are hardcoded in the page, as https://myapp.appspot.com/someservice
  • same domain policy resolved server side by means of http headers
• GAE login service applies both to http://myapp.mydomain.com handler AND https://myapp.appspot.com/someservice handler

The workflow is:

1. user not yet authenticated
2. user browse http://myapp.mydomain.com (not ssl)
3. user is redirected to google account login page
4. user logins
5. user is redirected to the abovementioned page: myapp is requesting permission to access user's google account
6. user grants his permission
7. user is in - OK
8. Now comes the problem:
9. user makes a submit to https://myapp.appspot.com/someservice (so that data is ssl transmitted), which is loginrequired decorated
10. login is ok, user is not again redirected to the login page,
    • I think this is because the google login is cross application (the same should appen if the user was already logged in into gmail, to say)
11. but now https://myapp.appspot.com/ is again requesting permission to access user's google account - and this is the problem

The user is prompted TWICE to grant permission to myapp to access his account:

• once when he browse to http://myapp.mydomain.com
• and another one when he submits data to https://myapp.appspot.com/someservice

My user doesn't like it and me too !!!

I suspect this is because the user answer (Allow or No Thanks) is saved server side with respect to the URL of the app and not with respect to some other unique id of the app.

But I have no idea how to solve it or at least work it around.

Thank you for your patience in reading up to here.

Any help would be appreciated.

---

The cookie that is issued for the user's session is per-domain and per-protocol. As a result, the same session won't work on the appspot app and on your custom domain. This isn't an App Engine limitation - it's simply how HTTP works.

The best solution, currently, is to put the form itself on HTTPS as well (which is in general a good idea anyway).