Please note that the contents
of this offline web site may be out of date. To access the most
recent documentation visit the
online version
.
Note that links that point to online resources are
green
in color and will open in a new
window.
We would love it if you could give us feedback about this material
by filling
this form
(You have to be online to fill it)
Code sometimes needs to determine the identifier of the application in which it is executing. This may be to generate a URL or email address, or possibly to make some run-time decision.
App Engine includes an Application Identity service for this purpose.
The application ID can be found using the
getApplicationId()
method.
Versioned hostnames
A related operation is the need to get the hostname part of a URL to the application. You can use the
getDefaultVersionHostname()
method for this purpose. This is useful in certain scenarios when the application is not available at
http://your_app_id.appspot.com
.
Asserting identity to other App Engine apps
If you want to determine the identity of the App Engine app that is making a
request to your App Engine app, you can use the request header
X-Appengine-Inbound-Appid
. This header is added to the request by the URLFetch
service and is not user modifiable, so it safely indicates the requesting
application's ID, if present.
In order for this header to be added to the request, the app making the request
must tell the UrlFetch service to not follow redirects when it invokes URLFetch.
App Engine will then automatically add the header to the HTTP response.
In your application handler, you can check the incoming ID by reading the
X-Appengine-Inbound-Appid
header and comparing it to a list of IDs allowed
to make requests.
Asserting identity to Google APIs
Many Google APIs support OAuth assertions to identify the source of the request. The App Identity API provides a service that creates tokens that can be used to assert that the source of a request is the application itself. The
getAccessToken()
method returns an access token for a scope, or list of scopes. This token can then be set in the HTTP headers of a call to identify the calling application.
The following illustrates how to use the App Identity API to retrieve Google Calendar contacts using OAuth.
// Retrieves Google Calendar contacts using OAuth
use google\appengine\api\app_identity\AppIdentityService;
function setAuthHeader(){ $access_token =AppIdentityService::getAccessToken('https://www.google.com/m8/feeds'); return[sprintf('Authorization: OAuth %s', $access_token['access_token'])]; }
if(strcmp($email, $service_account)!=0){ die(sprintf('%s does not match the service account name %s.', $email, $service_account)); }
Note that the application's identity is represented by the service account name, which is typically
applicationid@appspot.gserviceaccount.com
. You can get the exact value by using the
getServiceAccountName()
method. For services which offer ACLs, you can grant the application access by granting this account access.
Asserting identity to other systems
The token generated by
getAccessToken()
only works against Google systems. However you can use the underlying signing technology to assert the identity of your application to other systems. The
signForApp()
method will sign bytes using a private key unique to your application, and the
getPublicCertificates()
method will return certificates which can be used to validate the signature.
