Verifying token id in 'sign in with google' on my website

Views: 276

Question

I wish to implement 'sign in with google' on my website. OpenId connect recommends using Google Sign-In, their sign-in client library. However on Google sign-in's page

https://developers.google.com/identity/sign-in/web/backend-auth

"Calling the tokeninfo endpoint"

is mentioned:

"The easiest way to validate an ID token is to use the tokeninfo endpoint. Calling this endpoint involves an additional network request that does most of the validation for you, but introduces some latency and the potential for network errors. For these reasons, it is suitable only for deployments with fewer than 100 monthly active users, as well as for debugging and informational purposes."

The website I am working on expects 10,000+ monthly active users. So how can I implement a protocol to identify tokens from Google Sign in for my website.

Recommended answer

As you've determined, token verification can be performed offline using client libraries for OAuth v2 or using a single API call to Google's servers. Because the offline clients are programming language-specific, you need to find a client/example for the particular language you're using. A few examples of token verification from the Google+ GitHub page:

  • Token Verification in Python
  • Token Verification in PHP
  • Token Verification in Ruby
  • Token Verification in Java

Alternatively, you can use the tokeninfo endpoint through the client library or directly against the Google API endpoint, as demonstrated in the Google API Explorer here. A curl example using an ID token:

curl https://www.googleapis.com/oauth2/v2/tokeninfo?id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IjkyNGE0NjA2NDgxM2I5YTA5ZmFjZGJiNzYwZGI5OTMwMWU0ZjBkZjAifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTEwNTcwOTc3MjI2ODMwNTc3MjMwIiwiYXpwIjoiMzY0MzgxNDQxMzEwLXRuOGw2ZnY2OWdnOGY3a3VjanJhYTFyZWpmaXRxbGpuLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiYXRfaGFzaCI6IlAzLU1HZTdocWZhUkZ5Si1qcWRidHciLCJhdWQiOiIzNjQzODE0NDEzMTAtdG44bDZmdjY5Z2c4ZjdrdWNqcmFhMXJlamZpdHFsam4uYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJjX2hhc2giOiJjd3hsdXBUSkc4N2FnbU1pb0tSYUV3IiwiaWF0IjoxNDM0NDcyODc2LCJleHAiOjE0MzQ0NzY0NzZ9.Gz_WljZOV9NphDdClakLstutEKk65PNpEof7mxM2j-AOfVwh-SS0L5uxIaknFOk4-nDGmip42vrPYgNvbQWKZY63XuCs94YQgVVmTNCTJnao1IavtrhYvpDqGuGKdEB3Wemg5sS81pEthdvHwyxfwLPYukIhT8-u4ESfbFacsRtR77QRIOk-iLJAVYWTROJ05Gpa-EkTunEBVmZyYetbMfSoYkbwFKxYOlHLY-ENz_XfHTGhYhb-GyGrrw0r4FyHb81IWJ6Jf-7w6y3RiUJik7kYRkvnFouXUFSm8GBwxsioi9AAkavUWUk27s15Kcv-_hkPXzVrW5SvR1zoTI_IMw

As mentioned in the documentation, the network call does introduce some latency and if you are verifying tokens on every request (e.g. using the ID token as a bearer token) then it's preferable to verify tokens offline using a library for your preferred language.
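One way to do the offline verification the answer recommends, written in Ruby (one of the languages listed above) as an added example that is not from the original post or from Google's client libraries. It assumes a constructed RSA key standing in for the Google JWKS key that matches the token's kid, a hypothetical client ID my-client-id, and a fixed clock; nothing here contacts the tokeninfo endpoint.

```ruby
require 'openssl'
require 'json'

GOOGLE_ISSUERS = ['accounts.google.com', 'https://accounts.google.com'].freeze

# JWT segments are base64url without padding; restore padding before strict decoding.
def b64url_decode(str)
  padded = str.tr('-_', '+/')
  (padded + '=' * ((4 - padded.length % 4) % 4)).unpack1('m0')
end

def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

# Verify an ID token offline: RS256 signature against the issuer's public key (in production the
# Google JWKS key whose kid matches the header), then iss, aud and exp. No call to tokeninfo.
# Returns the claims, or raises with the reason the token was rejected.
def verify_id_token(token, public_key, client_id, now = Time.now.to_i)
  header_b64, payload_b64, sig_b64 = token.split('.')
  raise 'malformed token' unless token.count('.') == 2 && sig_b64
  header  = JSON.parse(b64url_decode(header_b64))
  payload = JSON.parse(b64url_decode(payload_b64))
  # Pin the algorithm: a forged header must not be able to select "none" or an HMAC.
  raise 'unsupported alg' unless header['alg'] == 'RS256'
  signed_input = "#{header_b64}.#{payload_b64}"
  verified = public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(sig_b64), signed_input) rescue false
  raise 'signature does not verify' unless verified
  raise 'wrong issuer' unless GOOGLE_ISSUERS.include?(payload['iss'])
  raise 'token issued for another client' unless payload['aud'] == client_id
  raise 'token expired' unless now < payload['exp'].to_i
  payload
end

# Mint a token under a constructed key so the example runs offline; only Google holds the real key.
def sign_test_token(private_key, claims)
  signed_input = "#{b64url_encode(JSON.generate({ 'alg' => 'RS256', 'kid' => 'constructed-key' }))}.#{b64url_encode(JSON.generate(claims))}"
  "#{signed_input}.#{b64url_encode(private_key.sign(OpenSSL::Digest.new('SHA256'), signed_input))}"
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048)
  now = 1_434_472_876 # constructed "current time"
  token = sign_test_token(key, { 'iss' => 'accounts.google.com', 'aud' => 'my-client-id', 'sub' => '123', 'exp' => now + 3600 })
  puts "verified sub=#{verify_id_token(token, key.public_key, 'my-client-id', now)['sub']}"
end
```

The sub claim returned here is the stable user identifier to key your accounts on; the aud check is what stops a token minted for someone else's client ID from logging in to your site.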
