Managing browser sessions with Google sign in


Problem description

I have implemented a google sign in button for my website using the steps outlined in this page:

https://developers.google.com/identity/sign-in/web/sign-in

The page then extracts the id_token and sends it to my backend server, which validates it against the Google validation endpoint. I then use their Google ID that is encoded in the id_token to retrieve the application specific data associated with it (stored on my database).

I'm just a bit confused on what I need to do next to keep the user "signed in" to my application and to continue to securely retrieve data from my backend API's.

I plan to do the following:

  1. After validating the id_token, I create a session ID for the user
  2. I store the session ID together with the user's Google ID in a "sessions" table in the database
  3. I respond to the request by setting a cookie containing the session ID
  4. For all subsequent requests, I check the cookie for the session ID
  5. If the sessions table has an entry for that session ID, I use the Google ID associated with it to retrieve the user's information

I would just like to know if this sounds reasonable, is it best practice or if there is a better way to do this? Is there a secure way to generate session IDs or are there APIs to help with this (I am currently using ASP.Net Web Api 2 for my backend services)?

Many thanks,
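The five steps in the question describe a classic server-side session. The following is an added example, not code from the question or the answer, and it is written in Python (the language of the answer's code) rather than the asker's ASP.Net Web Api 2. It assumes an in-memory dictionary standing in for the "sessions" table, a hypothetical 8-hour session lifetime, and a constructed Google ID value; it generates the session ID from the operating-system CSPRNG, stores only a SHA-256 of it so a copied database cannot be replayed as cookies, sets the cookie with HttpOnly, Secure and SameSite attributes, and treats an unknown or expired ID as "not signed in".

```python
"""Server-side session store for the sign-in flow described in the question (added example)."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

SESSION_TTL_SECONDS = 8 * 60 * 60  # hypothetical: sessions live for eight hours
COOKIE_NAME = "session"


@dataclass
class SessionRecord:
    google_id: str      # the stable Google ID ("sub") taken from the verified id_token
    expires_at: float   # absolute expiry, seconds since the epoch


class SessionStore:
    """In-memory stand-in for the 'sessions' table; rows are keyed by a hash of the session ID."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._rows: Dict[str, SessionRecord] = {}
        self._now = now  # injectable clock so expiry can be exercised deterministically

    @staticmethod
    def _key(session_id: str) -> str:
        # Only the hash is persisted: a leaked table does not yield usable cookies.
        return hashlib.sha256(session_id.encode("utf-8")).hexdigest()

    def create(self, google_id: str) -> str:
        # Step 1: 256 bits of OS randomness, URL-safe so it can be placed in a cookie as-is.
        session_id = secrets.token_urlsafe(32)
        # Step 2: remember which Google ID this session belongs to, with an expiry.
        self._rows[self._key(session_id)] = SessionRecord(
            google_id=google_id, expires_at=self._now() + SESSION_TTL_SECONDS
        )
        return session_id

    def lookup(self, session_id: Optional[str]) -> Optional[str]:
        # Steps 4 and 5: resolve the cookie value back to a Google ID, or None if it is
        # missing, unknown or expired (expired rows are removed on first sight).
        if not session_id:
            return None
        key = self._key(session_id)
        rec = self._rows.get(key)
        if rec is None:
            return None
        if rec.expires_at <= self._now():
            self._rows.pop(key, None)
            return None
        return rec.google_id

    def destroy(self, session_id: str) -> None:
        # Sign-out: forget the row so the cookie value can no longer be used.
        self._rows.pop(self._key(session_id), None)


def set_cookie_header(session_id: str) -> str:
    # Step 3: the Set-Cookie value. HttpOnly keeps scripts away from the ID, Secure keeps it
    # off plaintext HTTP, SameSite=Lax limits cross-site requests carrying it.
    return (f"{COOKIE_NAME}={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax; "
            f"Max-Age={SESSION_TTL_SECONDS}")


def session_id_from_cookie_header(header: str) -> Optional[str]:
    # Pull our cookie out of a raw Cookie header value such as "a=1; session=...".
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            return value or None
    return None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("constructed-google-sub-1")   # constructed sample Google ID
    print(set_cookie_header(sid))
    print(store.lookup(sid))                          # -> constructed-google-sub-1
    store.destroy(sid)
    print(store.lookup(sid))                          # -> None
```

The store never persists the raw session ID and never returns a Google ID for an expired row, so the two failure modes the question worries about (guessable IDs and stale sessions) are handled in the same place.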

Recommended answer

I think you're confusing authentication and authorization. You should have your own record of the user in your server app and the key is Google, not the "name". Here's what I do in my Django (Python) application:

from django import http
from django.conf import settings
from django.contrib import auth
from django.contrib.auth.models import User
from oauth2client import client  # shipped alongside google-api-python-client


def auth_id_token(request):
    # This is called by the AJAX code that triggers when
    # the user has successfully signed in
    id_token = request.POST.get('id_token')
    # Using the google-api-python-client library: checks the token's signature
    # and that it was issued for this application's client ID
    try:
        idinfo = client.verify_id_token(
            id_token,
            settings.OAUTH2_CLIENT_ID
        )
    except client.AppIdentityError:
        # A token that does not verify must not sign anyone in
        return http.HttpResponseForbidden('Invalid id_token')
    # Use the Django ORM to talk to my user database
    try:
        user = User.objects.get(email=idinfo['email'])
    except User.DoesNotExist:
        return http.HttpResponseForbidden('No account for this email address')
    # Using a Django primitive that makes sure the user
    # gets a session cookie and asserts that the user is now signed in
    auth.login(request, user)
    return http.HttpResponse('User is now signed in on the server')

Note. Django handles all the authorization from this point onwards. Google was just there to handle the authentication that proves to me that he/she owns that email address.
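The answer keys the local user record on the e-mail address inside the id_token, so the backend has to be sure the token is Google's, was minted for this application, is still valid, and that Google actually verified that address. The following is an added example, not the answerer's code: a standalone claim check that a backend can run over the decoded payload (as returned by a signature-verifying library or by Google's tokeninfo endpoint) before trusting it. It assumes a constructed client ID and a constructed sample payload; the issuer values and claim names (iss, aud, exp, sub, email, email_verified) are those Google documents for its ID tokens.

```python
"""Claim checks for a decoded Google ID token (added example, not from the original answer)."""
import time
from typing import Any, Mapping, Optional

# Issuer values Google uses in its ID tokens.
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}
# Constructed placeholder; a real backend reads its own client ID from configuration.
OUR_CLIENT_ID = "example-client-id.apps.googleusercontent.com"


class IdTokenRejected(ValueError):
    """Raised when the decoded token must not be used to sign anyone in."""


def check_google_id_token_claims(claims: Mapping[str, Any], expected_client_id: str,
                                 now: Optional[float] = None,
                                 require_verified_email: bool = True) -> dict:
    """Validate iss / aud / exp / sub / email_verified on an already-decoded payload.

    Returns the stable Google ID ("sub") plus the e-mail so the caller can key its
    own user record on whichever it prefers; the "sub" value never changes, the
    e-mail can.
    """
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise IdTokenRejected("unexpected issuer")
    # A token minted for some other application's client ID must not sign users in here.
    if claims.get("aud") != expected_client_id:
        raise IdTokenRejected("audience does not match our client ID")
    try:
        exp = int(claims["exp"])  # tokeninfo returns numeric claims as strings
    except (KeyError, TypeError, ValueError):
        raise IdTokenRejected("missing or malformed exp")
    if exp <= now:
        raise IdTokenRejected("token has expired")
    sub = claims.get("sub")
    if not sub:
        raise IdTokenRejected("no subject claim")
    # Needed whenever the e-mail is used as the lookup key, as in the answer above.
    if require_verified_email and claims.get("email_verified") not in (True, "true"):
        raise IdTokenRejected("e-mail address not verified by Google")
    return {"google_id": sub, "email": claims.get("email")}


# Constructed sample payload in the shape returned by the tokeninfo endpoint.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": OUR_CLIENT_ID,
    "sub": "constructed-sub-1",
    "email": "user@example.com",
    "email_verified": "true",
    "exp": "2000",
}

if __name__ == "__main__":
    print(check_google_id_token_claims(SAMPLE_CLAIMS, OUR_CLIENT_ID, now=1000))
```

Signature verification itself is left to the library or the tokeninfo call; this function only covers the claims that are easy to forget once the signature checks out, and it refuses by raising so a caller cannot silently proceed with a partially checked token.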
