Login with Google always asks for user consent

Question

I've got an internal web app for my company that uses a login with google authentication system. It's working well for the most part, they can authenticate with google, give consent for my app to access basic user details, and then when they are returned to my app, I can indeed get their user details.

The issue is that I thought once they give consent they wouldn't have to do it each time. Is this an incorrect assumption? As it is now, each time they click the "login with google" they must give consent rather than being redirected back to my app.

I'm using PHP (CodeIgniter) and a pretty good OAuth lib found on GitHub (fork of Phil Sturgeon's library). Is there some param I should be passing so the user doesn't have to give consent every time, after the first time?

Accepted answer

Google login does not require user consent every time. If you're using OAuth2 Login procedure, you should be able to login a second time w/o re-approvals: https://developers.google.com/accounts/docs/OAuth2Login

In some contexts, however, it is possible for auto-approval to become disabled, with the subsequent requirement of user consent on every login.

The first and most common case is if your application explicitly requests Google to prompt for consent every time. Check if your authorization request (which you may have copied from an example or sample code) includes 'prompt=consent' or the older, non-standard form 'approval_prompt=force'. Removing these parameters (if present) will likely cause auto-approval to start working.

Another situation is if your redirect URL is based on 'localhost' or some other URL that does not belong to the global DNS namespace. In this case, for security reasons, Google sets a cookie on the user's computer, in the accounts.google.com domain, to signal that the user authorized _this_device_ to login to 'foo' on localhost (or local domain); Google will only auto-approve w/o consent a 2nd request if it finds the cookie. The reason is that the meaning of 'localhost' (or local domain, or other URL not built on global DNS namespace) is device-dependent, and allowing the authorization to apply across devices could introduce security risks. So if your company has configured browsers to clear all cookies on exit, and you use a non-absolute URL, you could see your users having to consent every time. The solution is either to host your endpoint on an Internet-valid hostname (the host doesn't need to be accessible from outside the Intranet, just the hostname needs to be globally valid), or you need to exempt accounts.google.com from the cookie clearing policy.
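The two checks the answer describes, written out as an added PHP example (not code from the question's CodeIgniter app or the OAuth library it uses): it audits an authorization request URL for `prompt=consent` / `approval_prompt=force` and for a redirect host outside global DNS, then rebuilds the URL without the consent-forcing parameters. The Google endpoint, the placeholder client id and the list of "non-global" host suffixes are assumptions for the sample.

```php
<?php
// Added example (not the question's CodeIgniter app nor the OAuth library it uses): audit a
// Google OAuth2 authorization URL for the two causes of repeated consent prompts from the answer.

// Hosts outside the global DNS namespace: Google then relies on a per-device cookie on
// accounts.google.com, so consent is asked again whenever that cookie is cleared.
function isNonGlobalHost(string $host): bool {
    $host = strtolower($host);
    return $host === 'localhost' || filter_var($host, FILTER_VALIDATE_IP) !== false
        || strpos($host, '.') === false                                  // bare name like "intranet"
        || preg_match('/\.(local|lan|internal|localdomain)$/', $host) === 1;   // assumed suffix list
}

// Returns human-readable findings for the given authorization request URL.
function auditAuthUrl(string $url): array {
    $findings = [];
    $query = [];
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    if (in_array('consent', explode(' ', $query['prompt'] ?? ''), true)) {
        $findings[] = 'prompt=consent forces the consent screen on every login';
    }
    if (($query['approval_prompt'] ?? '') === 'force') {
        $findings[] = 'approval_prompt=force (older non-standard form) forces the consent screen on every login';
    }
    $host = (string) parse_url($query['redirect_uri'] ?? '', PHP_URL_HOST);
    if ($host === '' || isNonGlobalHost($host)) {
        $findings[] = "redirect_uri host '$host' is not globally valid; auto-approval depends on a device cookie";
    }
    return $findings;
}

// Rebuilds the URL without the consent-forcing parameters; a non-global redirect host is a
// configuration fix (use an Internet-valid hostname), not something a URL rewrite can repair.
function stripForcedConsent(string $url): string {
    $parts = parse_url($url);
    $query = [];
    parse_str($parts['query'] ?? '', $query);
    $prompt = array_diff(explode(' ', $query['prompt'] ?? ''), ['consent', '']);
    unset($query['approval_prompt'], $query['prompt']);
    if ($prompt !== []) { $query['prompt'] = implode(' ', $prompt); }   // keep e.g. select_account
    return $parts['scheme'] . '://' . $parts['host'] . ($parts['path'] ?? '') . '?' . http_build_query($query);
}

// Constructed sample request (placeholder client id) as a localhost CodeIgniter app might send it.
$sample = 'https://accounts.google.com/o/oauth2/auth?client_id=PLACEHOLDER.apps.googleusercontent.com'
    . '&redirect_uri=' . urlencode('http://localhost/auth/callback')
    . '&response_type=code&scope=openid+email&approval_prompt=force';
foreach (auditAuthUrl($sample) as $finding) { echo "- $finding\n"; }
echo stripForcedConsent($sample), "\n";
```

For the constructed sample, the audit reports both the legacy `approval_prompt=force` parameter and the `localhost` redirect host; only the first is fixed by the rewritten URL.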
