login with google always asks user consent


Question


I've got an internal web app for my company that uses a login with google authentication system. It's working well for the most part, they can authenticate with google, give consent for my app to access basic user details, and then when they are returned to my app, I can indeed get their user details.


The issue is that I thought once they give consent they wouldn't have to do it each time. Is this an incorrect assumption? As it is now, each time they click the "login with google" they must give consent rather than being redirected back to my app.


I'm using PHP (codeigniter) and a pretty good Oauth lib found on github (fork of phil sturgeon's library). Is there some param I should be passing so the user doesn't have to give consent every time, after the first time?

Answer


Google login does not require user consent every time. If you're using OAuth2 Login procedure, you should be able to login a second time w/o re-approvals: https://developers.google.com/accounts/docs/OAuth2Login


In some contexts, however, it is possible for auto-approval to become disabled, with the subsequent requirement of user consent on every login.


The first and most common case is if your application explicitly requests Google to prompt for consent every time. Check if your authorization request (which you may have copied from an example or sample code) includes 'prompt=consent' or the older, non-standard form 'approval_prompt=force'. Removing these parameters (if present) will likely cause auto-approval to start working.


Another situation is if your redirect URL is based on 'localhost' or some other URL that does not belong to the global DNS namespace. In this case, for security reasons, Google sets a cookie on the user's computer, in the accounts.google.com domain, to signal that the user authorized _this_device_ to login to 'foo' on localhost (or local domain); Google will only auto-approve w/o consent a 2nd request if it finds the cookie. The reason is that the meaning of 'localhost' (or local domain, or other URL not built on global DNS namespace) is device-dependent, and allowing the authorization to apply across devices could introduce security risks. So if your company has configured browsers to clear all cookies on exit, and you use a non-absolute URL, you could see your users having to consent every time. The solution is either to host your endpoint on an Internet-valid hostname (the host doesn't need to be accessible from outside the Intranet, just the hostname needs to be globally valid), or you need to exempt accounts.google.com from the cookie clearing policy.
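The two causes named in the answer can be checked mechanically before a login request is sent. The following is an added example (not code from the question's CodeIgniter app or from Google's library) that builds a Google OAuth2 authorization URL without the re-consent parameters and diagnoses an existing URL for `prompt=consent`, `approval_prompt=force`, or a redirect host that is not a globally valid DNS name; the endpoint constant, the `intranet.example.com` hostname and the client id are assumed placeholders, and the "globally valid hostname" test is a simple heuristic.

```python
import ipaddress
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoint for the legacy OAuth2 Login flow linked in the answer.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"

# Parameter/value pairs that force the consent screen on every request.
FORCE_CONSENT = [("prompt", "consent"), ("approval_prompt", "force")]


def build_auth_url(client_id, redirect_uri, scope, force_consent=False):
    """Build the authorization request; by default no prompt parameter is
    sent, so Google may auto-approve a returning user."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": scope,
    }
    if force_consent:  # the setting that causes the symptom in the question
        params["prompt"] = "consent"
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def _is_global_dns_host(host):
    """Heuristic (assumption): 'localhost', bare IP literals and single-label
    names are not part of the global DNS namespace."""
    if not host or host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    return "." in host


def diagnose_auth_request(url):
    """Return the reasons (as short codes) why this authorization URL would
    require consent on every login; an empty list means none were found."""
    params = parse_qs(urlparse(url).query)
    reasons = []
    for key, bad in FORCE_CONSENT:
        # 'prompt' may carry several space-separated values, e.g.
        # 'select_account consent', so split each value before comparing.
        if any(bad in value.split() for value in params.get(key, [])):
            reasons.append(f"{key}={bad}")
    redirect_host = urlparse(params.get("redirect_uri", [""])[0]).hostname
    if not _is_global_dns_host(redirect_host or ""):
        reasons.append("non-global-redirect-host")
    return reasons
```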
