As I understand, App Engine Apps are OAuth 1 providers by default.
Is there a way to use OAuth2, e.g. with Google+ Sign-In or (mobile) chrome.identity API while still taking advantage of the GAE Users API and not having to implement a custom provider?
If not possible, what are the alternatives?
Cloud Endpoints seem to be exactly the solution I need. They are not (yet?) a part of the official GAE for Go documentation, but can be found at Github.
Probably the best way to start is the examplary tictactoe app.
A quick test with the Google+ Sign-In button was successful (although with my probably wrong config it is performing multiple calls under the hood and some of them resulting in scoping errors).
Can't say anything about what you refer to as "(mobile) chrome.identity API," but, inasmuch as I got to your question because of its google-chrome-app tag, I can answer for a Chrome App: Yes, it's possible to use the chrome.identity API to connect to an OAuth1 server (I've done it), but it's a lot of work, and you have to horse around with all of the OAuth1 handshaking. It's somewhat easier than trying to connect without chrome.identity, but not nearly as easy as connecting to an OAuth2 server, which is pretty much automatic.
Note that this is not a way of using OAuth2 to connect, which is what you literally asked. Rather, it is a way of using chrome.identity (for a Chrome App) to connect to an OAuth1 server.