Custom Authentication for Google Cloud Endpoints (instead of OAuth2)

We are super excited about App Engine's support for Google Cloud Endpoints.

That said we don't use OAuth2 yet and usually authenticate users with username/password so we can support customers that don't have Google accounts.

We want to migrate our API over to Google Cloud Endpoints because of all the benefits we then get for free (API Console, Client Libraries, robustness, …) but our main question is …

How to add custom authentication to cloud endpoints where we previously check for a valid user session + CSRF token in our existing API.

Is there an elegant way to do this without adding stuff like session information and CSRF tokens to the protoRPC messages?

I'm using webapp2 Authentication system for my entire application. So I tried to reuse this for Google Cloud Authentication and I get it!

webapp2_extras.auth uses webapp2_extras.sessions to store auth information. And it this session could be stored in 3 different formats: securecookie, datastore or memcache.

Securecookie is the default format and which I'm using. I consider it secure enough as webapp2 auth system is used for a lot of GAE application running in production enviroment.

So I decode this securecookie and reuse it from GAE Endpoints. I don't know if this could generate some secure problem (I hope not) but maybe @bossylobster could say if it is ok looking at security side.

My Api:

    import Cookie
    import logging
    import endpoints
    import os
    from google.appengine.ext import ndb
    from protorpc import remote
    import time
    from webapp2_extras.sessions import SessionDict
    from web.frankcrm_api_messages import IdContactMsg, FullContactMsg, ContactList, SimpleResponseMsg
    from web.models import Contact, User
    from webapp2_extras import sessions, securecookie, auth
    import config

    __author__ = 'Douglas S. Correa'

        'token_max_age': 86400 * 7 * 3,
        'token_new_age': 86400,
        'token_cache_age': 3600,

    SESSION_ATTRIBUTES = ['user_id', 'remember',
                          'token', 'token_ts', 'cache_ts']


    @endpoints.api(name='frank', version='v1',
                   description='FrankCRM API')
    class FrankApi(remote.Service):
        user = None
        token = None

        def get_user_from_cookie(cls):
            serializer = securecookie.SecureCookieSerializer(SESSION_SECRET_KEY)
            cookie_string = os.environ.get('HTTP_COOKIE')
            cookie = Cookie.SimpleCookie()
            session = cookie['session'].value
            session_name = cookie['session_name'].value
            session_name_data = serializer.deserialize('session_name', session_name)
            session_dict = SessionDict(cls, data=session_name_data, new=False)

            if session_dict:
                session_final = dict(zip(SESSION_ATTRIBUTES, session_dict.get('_user')))
                _user, _token = cls.validate_token(session_final.get('user_id'), session_final.get('token'),
                cls.user = _user
                cls.token = _token

        def user_to_dict(cls, user):
            """Returns a dictionary based on a user object.

            Extra attributes to be retrieved must be set in this module's

            :param user:
                User object: an instance the custom user model.
                A dictionary with user data.
            if not user:
                return None

            user_dict = dict((a, getattr(user, a)) for a in [])
            user_dict['user_id'] = user.get_id()
            return user_dict

        def get_user_by_auth_token(cls, user_id, token):
            """Returns a user dict based on user_id and auth token.

            :param user_id:
                User id.
            :param token:
                Authentication token.
                A tuple ``(user_dict, token_timestamp)``. Both values can be None.
                The token timestamp will be None if the user is invalid or it
                is valid but the token requires renewal.
            user, ts = User.get_by_auth_token(user_id, token)
            return cls.user_to_dict(user), ts

        def validate_token(cls, user_id, token, token_ts=None):
            """Validates a token.

            Tokens are random strings used to authenticate temporarily. They are
            used to validate sessions or service requests.

            :param user_id:
                User id.
            :param token:
                Token to be checked.
            :param token_ts:
                Optional token timestamp used to pre-validate the token age.
                A tuple ``(user_dict, token)``.
            now = int(time.time())
            delete = token_ts and ((now - token_ts) > TOKEN_CONFIG['token_max_age'])
            create = False

            if not delete:
                # Try to fetch the user.
                user, ts = cls.get_user_by_auth_token(user_id, token)
                if user:
                    # Now validate the real timestamp.
                    delete = (now - ts) > TOKEN_CONFIG['token_max_age']
                    create = (now - ts) > TOKEN_CONFIG['token_new_age']

            if delete or create or not user:
                if delete or create:
                    # Delete token from db.
                    User.delete_auth_token(user_id, token)

                    if delete:
                        user = None

                token = None

            return user, token

        @endpoints.method(IdContactMsg, ContactList,
                          path='contact/list', http_method='GET',
        def list_contacts(self, request):


            if not self.user:
                raise endpoints.UnauthorizedException('Invalid token.')

            model_list = Contact.query().fetch(20)
            contact_list = []
            for contact in model_list:

            return ContactList(contact_list=contact_list)

        @endpoints.method(FullContactMsg, IdContactMsg,
                          path='contact/add', http_method='POST',
        def add_contact(self, request):

            if not self.user:
               raise endpoints.UnauthorizedException('Invalid token.')

            new_contact = Contact.put_from_message(request)


            return IdContactMsg(

        @endpoints.method(FullContactMsg, IdContactMsg,
                          path='contact/update', http_method='POST',
        def update_contact(self, request):

            if not self.user:
               raise endpoints.UnauthorizedException('Invalid token.')

            new_contact = Contact.put_from_message(request)


            return IdContactMsg(

        @endpoints.method(IdContactMsg, SimpleResponseMsg,
                          path='contact/delete', http_method='POST',
        def delete_contact(self, request):

            if not self.user:
               raise endpoints.UnauthorizedException('Invalid token.')

                contact_to_delete_key = ndb.Key(Contact,
                if contact_to_delete_key.get():
                    return SimpleResponseMsg(success=True)

            return SimpleResponseMsg(success=False)

    APPLICATION = endpoints.api_server([FrankApi],