Hi folks!
I'd like to use my Keycloak server to authenticate an AppEngine application.
I'm currently authenticating using Google accounts as it works out of the box, but I want to handle account management myself, largely for user perception issues.
I see two options:
1) Implement a new Keycloak Adapter for AppEngine - I haven't found an existing one so far.
-- This seems pretty doable with all the examples to base it on... but I'd rather not write and maintain another 1000 lines of code if it's not necessary!
2) Use the experimental OpenID Connect-based federated login of AppEngine
-- I'm currently hitting an issue here where AppEngine is looking for an XRDS document. I'll try returning one pointing to the OpenID service of my server, but I suspect more issues will come up with this route, and debugging issues in the internal AppEngine auth flow is a bit tricky.
Is this a crazy approach? Has anyone else tried something similar or have better ideas?
Cheers,
Andrew