What is the recommended way of authentication after google+ signin?


Question

I'm following the latest Google+ Sign-in integration for my app (https://developers.google.com/+/mobile/android/sign-in), which says

The Google+ Sign-In button authenticates the user and manages the OAuth 2.0 flow, which simplifies your integration with the Google APIs.

So after the user signs in successfully through Google+ (we supposedly don't need to manually manage the tokens and all that?), what is the recommended secure way of hitting your server's authentication endpoint? (E.g. pass the user email to your own server's endpoint, and get user info back? Are we supposed to pass some token? Or session ID? That we got back from Google+ user data?)

Recommended answer

If all you need is authentication to your own server (rather than access to any Google hosted information), you can use the Using Google Sign-In with your server techniques, which allow you to get tokens with the new Google Sign In API:

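    // Request an ID token whose audience is the server's web client ID,
    // plus the user's email address.
    GoogleSignInOptions gso =
            new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
                    .requestIdToken(getString(R.string.server_client_id))
                    .requestEmail()
                    .build();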

Where the server_client_id is an OAuth 2.0 client ID for web applications from the Credentials page. You'll then get the ID token from googleSignInResult.getSignInAccount().getIdToken().

You can then verify the id token on your server side and you'll know the user's email address and that the request is coming from your Android app.

The documentation runs through the full workflow, including pointing out the GoogleIdTokenVerifier class which can make verifying the token much easier.
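
A server-side sketch of the verification step described in the answer, added here as an example; it is not code from the original answer or from Google's documentation. The class name, method name and the client ID placeholder are assumptions, and it assumes the google-api-client library with its Gson JSON factory is on the classpath.

```java
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;
import java.util.Optional;

/** Hypothetical helper for the server's authentication endpoint (names are illustrative). */
public final class IdTokenAuthenticator {
    // Assumption: placeholder for the same web client ID the app passes to requestIdToken().
    private static final String SERVER_CLIENT_ID =
            "YOUR_SERVER_CLIENT_ID.apps.googleusercontent.com";

    // Build once and reuse: the verifier fetches and caches Google's public signing keys.
    private final GoogleIdTokenVerifier verifier =
            new GoogleIdTokenVerifier.Builder(new NetHttpTransport(),
                    GsonFactory.getDefaultInstance())
                    .setAudience(Collections.singletonList(SERVER_CLIENT_ID))
                    .build();

    /** Returns the verified email for a valid ID token, or empty if the token is rejected. */
    public Optional<String> authenticate(String idTokenString) {
        if (idTokenString == null || idTokenString.isEmpty()) {
            return Optional.empty();
        }
        try {
            // verify() checks signature, expiry, issuer and audience; null means rejected.
            GoogleIdToken idToken = verifier.verify(idTokenString);
            if (idToken == null) {
                return Optional.empty();
            }
            GoogleIdToken.Payload payload = idToken.getPayload();
            // Trust the email claim only when Google marks it as verified.
            if (!Boolean.TRUE.equals(payload.getEmailVerified())) {
                return Optional.empty();
            }
            // payload.getSubject() is the stable account ID; prefer it as the database key.
            return Optional.ofNullable(payload.getEmail());
        } catch (GeneralSecurityException | IOException | IllegalArgumentException e) {
            // Fail closed on malformed tokens, key-fetch failures or crypto errors.
            return Optional.empty();
        }
    }
}
```

The server should take the identity only from the verified token payload, never from an email or user ID sent alongside it in the request body.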
