Google App Engine: Reverse Proxy + OpenID, users being redirected to appspot domain after login

I am using a reverse proxy to enable ssl on a custom domain. The proxy works fine on the public pages, however when the user attempts to access a login_required directory the login url shifts them over to my appspot domain after sign-in.

Is there a way to keep users on the custom domain?

Here is my login handler:

class OpenIDLoginHandler(webapp.RequestHandler):
    def get(self):
        domain = self.request.get('domain')
        continue_url = self.request.GET.get('continue')

        if not continue_url:
            continue_url = 'https://my_domain/login_required_directory/'    

        if domain:
            self.redirect(users.create_login_url(dest_url=continue_url,
                _auth_domain=None,federated_identity=domain))
        else:               
            login_url =开发者_如何学C users.create_login_url(dest_url=continue_url,
                federated_identity='https://www.google.com/accounts/o8/id')         
            self.redirect(login_url)

application = webapp.WSGIApplication(
                     [                                       
                         ('/_ah/login_required', OpenIDLoginHandler)],
                     debug=True)    

def main():
    run_wsgi_app(application)

if __name__ == "__main__":
    main()

I've tried overriding the destination url in the users.create_login_url call - the function still returns a login_url with the appspot domain as the 'continue' parameter, like this:

"https://appspot_domain/_ah/login_redir?claimid=https://www.google.com/accounts/o8/id&continue=https://appspot_domain"

I attempted simply rewriting the returned login_url and replacing the 'continue' parameter with my custom domain, but this resulted in a 404 error.

Any thoughts?

Thanks in advance!

I'm not sure this is an option for you, but the next release of app engine claims to have support for ssl on custom domains (http://code.google.com/appengine/business/). If your application won't be in production for a while maybe it would just be easier to wait until they officially add support. They appear to be on a ~3 month release cycle (http://code.google.com/appengine/docs/revision_history.html)

you can handle this yourself in app.yaml with a wildcard handler that redirects all requests to ssl. If you don't want to handle all requests that way, you can use regex to restrict the wildcard.

app.yaml:

application: yourthing
version: 1
runtime: python
api_version: 1

handlers:

- url: .*
  script: redirect_to_ssl.py

This also cleans up any non-https requests that might come in from users who type the url.