让我的用户使用 Google 登录的首选 JavaScript 方法实际上是什么? [英] What is actually the preferred JavaScript method to let my users sign in with Google?
问题描述
我一直在争先恐后地将我的网站(该网站使用服务器端、基于 Go 的 OpenID 解决方案,谷歌在上周一可能已禁用或未禁用)转换为谷歌 JavaScript oauth 库,以启用我的用户使用他们的 Google 帐户登录.我首先提出一个问题 here ,并收到了一些试图提供帮助的人的评论,但没有得到明确的答案.然后我决定谨慎行事并转换为另一种方法,起初似乎进展顺利,但现在我的用户抱怨他们无法登录,请参阅我的下一个问题 此处.
I have been scrambling to convert my website (which was using a server-side, Go-based OpenID solution, which may or may not have been disabled by Google this past Monday) over to a Google JavaScript oauth library to enable my users sign in with their Google account. I first reached out by asking a question here, and received several comments from people trying to help, but could get no definite answers. I then decided to just play it safe and convert to another method, which seemed to go well at first, but I now have some complaints from my users that they cannot get signed in, see my next question here.
我现在的问题是,我在 Google 官方网站上遇到过至少四组不同的 api 库文档,它们都声称告诉我如何执行此操作.无特定顺序:
My problem now is that I have come across at least FOUR different sets of documentation for different api libraries, all on official Google sites, that all claim to tell me how to do this. In no particular order:
我现在对实际的首选"方法可能是什么感到非常困惑,并且想知道我是否可能使用了可能导致我的问题的过时方法?我目前正在使用上面列表中选项 #2 中的快速入门指南中使用的方法.
I am now thoroughly confused as to what the actual "preferred" method might be, and am wondering if I am possibly using an outdated method that could be causing my problem? I am currently using the method used in the Quick Start guide from option #2 in my list above.
任何见解将不胜感激.
推荐答案
简短版本:使用 Google 登录网站.从 OpenID2 迁移:https://developers.google.com/identity/sign-in/auth-migration#oid2
Short version: Use Google Sign-in for Websites. To migrate from OpenID2: https://developers.google.com/identity/sign-in/auth-migration#oid2
如果您必须/非常喜欢直接使用标准 OAuth2:https://developers.google.com/identity/protocols/OpenID2Migration
If you must/strongly prefer to use standard OAuth2 directly: https://developers.google.com/identity/protocols/OpenID2Migration
在客户端与 Google Identity Platform Javascript API(Google 网站登录)的基本集成如下所示:
A basic integration with the Google Identity Platform Javascript API (Google Sign-In for Websites) on the client side looks something like this:
<html lang="en">
<head>
<meta name="google-signin-scope" content="profile email">
<meta name="google-signin-client_id" content="YOURCLIENTID.apps.googleusercontent.com">
<script src="https://apis.google.com/js/platform.js" async defer></script>
</head>
<body>
<div class="g-signin2" data-openidrealm="YOUR_REALM" data-onsuccess="onSignIn"></div>
<script>
function onSignIn(googleUser) {
// Useful data for your client-side scripts:
var profile = googleUser.getBasicProfile();
console.log("ID: " + profile.getId()); // NB. don't send this directly to your server, as that is insecure. Instead, send the full id_token, which your server can extract the id from using the 'sub' value.
console.log("Name: " + profile.getName());
console.log("Image URL: " + profile.getImageUrl());
console.log("Email: " + profile.getEmail());
// The ID token you need to pass to your backend:
var id_token = googleUser.getAuthResponse().id_token;
console.log("ID Token: " + id_token);
};
</script>
</body>
</html>
以上内容让用户登录,并为您提供他们的 ID Token.您需要将YOURCLIENTID.apps.googleusercontent.com"替换为您在 Developers 中注册的客户端 ID控制台(创建一个项目,然后导航到 APIs & auth -> Credentials -> Create a new Client ID).请务必指定您的生产&Authorized JavaScript origins"列表中的开发域.还将该示例中的YOUR_REALM"替换为您之前的 OpenID 2.0 领域.
The above logs the user in, and gives you their ID Token. You'll need to replace "YOURCLIENTID.apps.googleusercontent.com" with a client ID that you register in the Developers Console (Create a Project, then navigate to APIs & auth -> Credentials -> Create a new Client ID). Be sure to specify your production & development domain in the "Authorized JavaScript origins" list. Also replace "YOUR_REALM" in that sample with your previous OpenID 2.0 realm.
一旦您拥有id_token",您就可以向后端进行身份验证.为此,您可以将id_token"传递给后端,然后使用 JWT 库对其进行验证和解码.特别是对于 OpenID 迁移,您需要将openid_id"值从 JWT 映射到新的子"ID.
Once you have an "id_token" you can authenticate with your backend. You do this by passing the "id_token" to your backend, then validating and decoding it with a JWT library. For OpenID Migration in particular, you'll need to map the "openid_id" value from the JWT to the new "sub" ID.
id_token 验证的一些示例代码在这里:
Some sample code for id_token validation is here:
为了进行测试,您可以使用此工具解码 ID 令牌以查看其数据包含(它应该包含 openid_id 作为声明).
For testing, you can decode an ID token using this tool to see the data it contains (it should contain openid_id as a claim).
关于文档:对于登录,首选方法是 Google 网站登录 (#4).它实现了最简单、更新最好的登录 API.
Regarding documentation: For Sign In the preferred approach is Google Sign-in for Websites (#4). It implements the simplest and best-updated API for Sign In.
在幕后,Google Sign In 是 OAuth2/OpenIDConnect 的实现.上面的链接 #3 描述了使用此标准流程和整页重定向.这是一个受支持的流程,但如链接中所述,在可能的情况下,首选 Google 网站登录.
Under the hood, Google Sign In is an implementation of OAuth2/OpenIDConnect. Link #3 above describes using this standard flow, with full-page redirect. It is a supported flow, but as noted on the link, Google Sign-in for Websites is preferred where possible.
Google API 客户端库 (#1) 在幕后使用 OAuth.它的示例代码描述了一个旧的、遗留的身份验证模型,应该更新.我们很快就会这样做;感谢您的关注.
Google APIs Client Library (#1) uses OAuth under the hood. Its sample code describes an old, legacy authentication model and should be updated. We will do that shortly; thanks for raising attention.
最后,随着最近 Google 网站登录功能的推出,Google+ 平台 API (#2) 不再是登录的首选方法.我们也在尽快为此更新文档,以避免将来出现混淆.
Finally, with the recent launch of Google Sign-in for Websites, the Google+ Platform API (#2) is no longer the preferred approach for Sign In. We are updating docs for this soon as well to avoid future confusion.
这篇关于让我的用户使用 Google 登录的首选 JavaScript 方法实际上是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
