Google Sign-In with Backend Verification Flow Clarification


Question


I've spent hours trawling through various tutorials and articles and am finally giving in to asking.


I want to enforce the use of Google Sign-In authentication for all users of my Angular 7 application. However, once Google authentication is complete, I want to first check that the user exists in my back-end DB (PostgreSQL). If they do, then I want to issue a JWT for two purposes:

  1. Ensure that calls to the Spring Boot REST services are subsequently only served for authorized users.
  2. Secure my Angular routes with an AuthGuard that recognizes the token.


So far, I have been able to retrieve the id_token from the gapi auth2 auth response and forward it to my Spring Boot POST mapping, but I'm struggling to pin down exactly which OAuth 2.0/OpenId flows/grants I'm aiming for which is making life difficult when sourcing appropriate Spring Boot documentation/tutorials.


Is anyone able to clarify which flow/grant I should be aiming for and whether or not my current direction is valid?

Answer


I suggest you to implement a "stateless" authentication system, coupled with Google Sign-in ID provider.


"Using a JWT as a bearer for authorization, you can statelessly verify if the user is authenticated by simply checking if the expiration in the payload hasn’t expired and if the signature is valid." — Jonatan Nilsson


Some good resources on the subject :

  • https://www.jbspeakr.cc/purpose-jwt-stateless-authentication/
  • https://auth0.com/blog/stateless-auth-for-stateful-minds/

The general idea is:

  • Frontend retrieves the Google Sign-In authentication JWT token.
  • Frontend sends the JWT token with every HTTP request (in the Authorization header).
  • Backend retrieves the JWT for each request, verifies its signature and gets the payload attributes (email, id…).
  • Backend then checks the "email" or "id" in the user database to allow the request or not.


Backend is stateless, and simple to implement. This design tends to become a good practice on cloud platforms, and for instance, Google Cloud is using this a lot in its new products: Cloud Run

Some details for each step:

1) Frontend retrieves the Google Sign-In authentication JWT token.


To do that, you can use Google Sign-in library directly or use ng-gapi to manage Google Sign-In in Angular.


2) Each http call to backend has an authorization header with JWT token (id_token) retrieved from Google Sign-in.


You can use an HttpInterceptor for that.

headers: {
  Authorization: Bearer ___JWT ID TOKEN___
}

See the example in Angular from Michael Karén.


Pay attention not to store the Google JWT id_token in a variable. It could be refreshed if expired (done automatically by Google Sign-in), so you should take a fresh version each time you use it inside the HttpInterceptor.

3) Implement a filter in Spring Boot


For each request, this security filter will retrieve the JWT ID TOKEN and validate it with the Google library.

import java.util.Collections;
import com.google.api.client.googleapis.auth.openidconnect.GoogleIdToken;
import com.google.api.client.googleapis.auth.openidconnect.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.gson.GsonFactory;

NetHttpTransport transport = new NetHttpTransport();
JsonFactory jsonFactory = new GsonFactory();

// clientId: the OAuth 2.0 client ID of the Angular app; the token's "aud" claim must match it
GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(transport, jsonFactory)
  .setAudience(Collections.singletonList(clientId))
  .build();

// parse() only decodes the token; verify() checks signature, issuer, audience and expiry
GoogleIdToken idToken = GoogleIdToken.parse(verifier.getJsonFactory(), token);
boolean tokenIsValid = (idToken != null) && verifier.verify(idToken);

if (tokenIsValid) {
  GoogleIdToken.Payload payload = idToken.getPayload();

  // Get profile information from payload
  String email = payload.getEmail();
  String userId = payload.getSubject();
  // ... look the user up in the application database and continue the filter chain
}


But be careful not to create a GoogleIdTokenVerifier for each request; use the factory pattern. This class will retrieve certificates and cache them automatically, to avoid useless requests to Google servers.
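Putting step 3 and the caveat above together, here is an added example (not code from the answer, and not from Google's library documentation) of a Spring Boot filter that pulls the Google id_token out of the Authorization header, verifies it with one shared GoogleIdTokenVerifier, and then checks the user against the application database before letting the request through. It assumes Spring Boot 2 with Spring Security on the javax.servlet API, a property app.google.client-id holding the Angular app's OAuth client ID, and a hypothetical AllowedUserRepository whose findByGoogleSubject method is backed by the PostgreSQL user table; all three are assumptions, not part of the original page.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;
import java.util.Optional;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.google.api.client.googleapis.auth.openidconnect.GoogleIdToken;
import com.google.api.client.googleapis.auth.openidconnect.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// One verifier for the whole application. It downloads Google's signing
// certificates lazily and caches them; building it per request would
// re-fetch the certificates on every call.
@Configuration
class GoogleVerifierConfig {
    @Bean
    GoogleIdTokenVerifier googleIdTokenVerifier(@Value("${app.google.client-id}") String clientId) {
        return new GoogleIdTokenVerifier.Builder(new NetHttpTransport(), new GsonFactory())
                // "aud" must be our own client ID: a valid Google token minted for
                // some other application is still rejected here.
                .setAudience(Collections.singletonList(clientId))
                .build();
    }
}

// Hypothetical lookup against the app's user table (assumption, not on the page).
// Keyed on the Google "sub" claim, which is a stable account id, rather than on
// the email address, which the user can change.
interface AllowedUserRepository {
    Optional<UserDetails> findByGoogleSubject(String googleSubject);
}

@Component
class GoogleIdTokenFilter extends OncePerRequestFilter {
    private static final String BEARER = "Bearer ";
    private final GoogleIdTokenVerifier verifier;
    private final AllowedUserRepository users;

    GoogleIdTokenFilter(GoogleIdTokenVerifier verifier, AllowedUserRepository users) {
        this.verifier = verifier;
        this.users = users;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith(BEARER)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "missing bearer token");
            return;
        }
        String token = header.substring(BEARER.length()).trim();

        // verify() checks the signature against the cached Google certificates, the
        // issuer, the audience configured above and the expiry; null means rejected.
        // An IOException (certificate download failed) propagates as a server error.
        GoogleIdToken idToken;
        try {
            idToken = verifier.verify(token);
        } catch (GeneralSecurityException e) {
            idToken = null;
        }
        if (idToken == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid id_token");
            return;
        }

        GoogleIdToken.Payload payload = idToken.getPayload();
        // Only trust the email when Google says it is verified for that account.
        if (!Boolean.TRUE.equals(payload.getEmailVerified())) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "email not verified");
            return;
        }

        // Authentication was done by Google; authorization is our own user table.
        Optional<UserDetails> user = users.findByGoogleSubject(payload.getSubject());
        if (!user.isPresent()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "user not registered");
            return;
        }

        // The three-argument constructor marks the authentication as successful.
        UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
                user.get(), null, user.get().getAuthorities());
        SecurityContextHolder.getContext().setAuthentication(auth);
        chain.doFilter(request, response);
    }
}
```

Register the filter in the security configuration with http.addFilterBefore(googleIdTokenFilter, UsernamePasswordAuthenticationFilter.class) and set the session policy to SessionCreationPolicy.STATELESS so the backend stays stateless as the answer describes. As written the filter rejects every request without a bearer token, so any public endpoints would need the filter to fall through to the chain instead of answering 401.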

Some resources: Google Sign-In, Authenticate with a backend server
