Android app + webserver API using Federated login or OpenID (WITHOUT GAE)

Problem description

I have an Android app that needs to upload data to an API (API will then save data in MySQL DB). I would like to use a Federated login (Google) or OpenID authentication procedure so that user does not need to register email + password for my app, but rather can use Google (or other account) that is saved in AccountManager.

Up until early this year, the solution was using GAE, as per Nick Johnson's famous recipe. But since Google started charging for the use of GAE, this is not a viable solution anymore. PLEASE DO NOT RECOMMEND USE OF GAE.

Has anyone ever managed to solve the problem of authenticating with Federated Login OR OpenID and then getting authorization on a third-party (your) webserver API?

NOTE: OAuth would be a straightforward solution for authorization except that it would rely on interacting (in a trusted manner) with a previously authenticated consumer, which is not the case when you authenticate the app user (on the mobile) using FedLogin or OpenID. OAuth works if my app (mobile + webserver) authenticates user (and I store login + password — which is EXACTLY what I am trying to avoid), but not if Google (or FB) do this for you.

Recommended answer

That's what OpenID Connect does. Demo app here.

As for GAE, it still has a free tier (28 frontend instance hours, enough to run 24/7) and it should be enough for you if you don't get much traffic. Anyway you do this, you have to run a server somewhere (even if it is your own machine), so there is no way to make this completely free. So yes, GAE is a viable option. You can start off for free and scale up as needed. There are other reasons to avoid GAE, but 'I have to (at some point) pay (something), therefore scrap it', is definitely the wrong mindset.
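An added example, not part of the original answer: with OpenID Connect the app obtains a signed ID token for the Google account and sends it to the web server API, which verifies it as sketched below before trusting the user. Assumptions: `CLIENT_ID` is a hypothetical client ID, the RSA key is a constructed toy key, and `mint()` stands in for the identity provider so the check runs offline.

```python
import base64, hashlib, json, time

# Constructed toy RSA key (two Mersenne primes) so the demo runs offline; a real
# backend fetches the provider's current public keys from its JWKS endpoint.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))  # D is only used to mint sample tokens
K = (N.bit_length() + 7) // 8
DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256

ISSUERS = {"https://accounts.google.com", "accounts.google.com"}
CLIENT_ID = "example-backend.apps.googleusercontent.com"  # hypothetical client ID

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa(message):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), the padding RS256 signs."""
    t = DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def mint(claims, alg="RS256"):
    """Stand-in for the identity provider: sign claims with the toy key."""
    head = b64e(json.dumps({"alg": alg}).encode()) + "." + b64e(json.dumps(claims).encode())
    sig = pow(int.from_bytes(emsa(head.encode()), "big"), D, N)
    return head + "." + b64e(sig.to_bytes(K, "big"))

def verify_id_token(token, now=None):
    """Return the stable user id (sub) to key the user row on, or raise ValueError."""
    now = time.time() if now is None else now
    h, p, s = token.split(".")  # wrong segment count raises ValueError
    header, claims, sig = json.loads(b64d(h)), json.loads(b64d(p)), b64d(s)
    if header.get("alg") != "RS256":  # never let the token choose "none" or HS256
        raise ValueError("unexpected alg")
    if len(sig) != K or int.from_bytes(sig, "big") >= N:
        raise ValueError("bad signature length")
    if pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big") != emsa(f"{h}.{p}".encode()):
        raise ValueError("bad signature")
    if claims.get("iss") not in ISSUERS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:  # token was issued to some other app
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims["sub"]
```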
