On Google App Engine, can I relate a Google OAuth 2 Token and a SACSID token I got using Android's AccountManager?

Views: 130

Question

I am writing a Google App Engine application along with a CLI client, an Android client and a Javascript client. The purpose of this application is to allow one to control an Android phone on which the Android client is installed, by using either the CLI or the Javascript client.

Authentication plays a crucial role as a bug might allow a malicious user to control others' phones.

The Android client is written and works. It authenticates the user using this method. Basically, this gives me a so-called SACSID token I can store in a cookie. When this cookie is set, App Engine recognizes my user. The server application can then call the UserService to get a User on which to call getUserId(). getUserId() returns an opaque string that identifies my user. So far so good.

Now I am writing the JS and CLI clients. Because the CLI client has no reliable way of displaying a CAPTCHA or opening a browser, I suppose that it needs to use the Device API ("Client login" is not an option). This API requires using OAuth 2 for authentication. Also, I want the JS client to access the user's contacts, which also seems to indicate that OAuth 2 would be suitable.

If my user authenticates using OAuth 2, will I be able to somehow transform this Google OAuth 2 token into the same opaque String that I get when the Android client connects? If not, can I modify my Android application so that it uses OAuth instead of a SACSID token?

To be more specific, I see three things that would solve my problem:

  1. A way of getting an OAuth 2 token from the Account Manager
  2. A way of exchanging the OAuth 2 token for a SACSID token
  3. A way of getting the same opaque UserID both with the SACSID token and the OAuth2 token, but only if I can have both authentication systems on the same application.

Something that seems similar to the third possible solution is to get the user's email address from both OAuth and the SACSID token, and to use that as the user ID. This however looks a bit clumsy to me:

  • Every time I receive an OAuth 2 request, I would need to call Google APIs to retrieve the user's email address (or build my own system of tokens which seems insecure and introduces many other difficulties).
  • The email address of a given user can change, making me lose the association between the user and his previous data.
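An added illustration of the poster's third option (example code written for this page, not the poster's own and not an App Engine sample): on one App Engine Java application, let UserService answer cookie-authenticated (SACSID) requests and App Engine's OAuthService answer OAuth 2 bearer requests, and key all data on getUserId() from whichever path authenticated the request, never on the e-mail address. The servlet name, the required scope and the set of allowed OAuth 2 client ids are assumptions.

```java
// Added example, not code from the original post. Resolves one opaque App Engine
// user id for a request regardless of which credential the client presented:
//   - the Android client's SACSID cookie      -> UserService
//   - the CLI/JS clients' OAuth 2 bearer token -> OAuthService
// Both return com.google.appengine.api.users.User, so getUserId() is the common key.
import com.google.appengine.api.oauth.OAuthRequestException;
import com.google.appengine.api.oauth.OAuthService;
import com.google.appengine.api.oauth.OAuthServiceFactory;
import com.google.appengine.api.users.User;
import com.google.appengine.api.users.UserService;
import com.google.appengine.api.users.UserServiceFactory;

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PhoneCommandServlet extends HttpServlet {  // assumed servlet name

    // Assumption: the scope the CLI and JS clients request when they obtain
    // their OAuth 2 token. getCurrentUser(scope) rejects tokens lacking it.
    private static final String REQUIRED_SCOPE =
        "https://www.googleapis.com/auth/userinfo.email";

    // Assumption: the OAuth 2 client ids you registered for the CLI and JS
    // clients (placeholder values). Any other client's token is refused.
    private static final Set<String> ALLOWED_CLIENT_IDS = new HashSet<String>(Arrays.asList(
        "CLI_CLIENT_ID.apps.googleusercontent.com",
        "JS_CLIENT_ID.apps.googleusercontent.com"));

    /** Returns the opaque, stable user id, or null when the request is not authenticated. */
    static String resolveUserId(HttpServletRequest req) {
        String authz = req.getHeader("Authorization");
        if (authz != null && authz.startsWith("Bearer ")) {
            // OAuth 2 path. App Engine validates the bearer token with Google.
            OAuthService oauth = OAuthServiceFactory.getOAuthService();
            try {
                // A valid Google token is not automatically a token for *this*
                // app: refuse tokens that were issued to some other client id.
                String clientId = oauth.getClientId(REQUIRED_SCOPE);
                if (clientId == null || !ALLOWED_CLIENT_IDS.contains(clientId)) {
                    return null;
                }
                User u = oauth.getCurrentUser(REQUIRED_SCOPE);
                return (u == null) ? null : u.getUserId();
            } catch (OAuthRequestException e) {
                return null;  // missing, expired or wrong-scope token: fail closed
            }
        }
        // Cookie path: the SACSID cookie set by the Android client.
        UserService users = UserServiceFactory.getUserService();
        User u = users.getCurrentUser();
        return (u == null) ? null : u.getUserId();
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String userId = resolveUserId(req);
        if (userId == null || userId.isEmpty()) {
            // Never fall back to the e-mail address here: it can change, and an
            // unauthenticated request must not reach the phone-control logic.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // From here on, look up the caller's registered phones and queue the
        // command under userId; the datastore code is omitted because it is
        // not part of the authentication concern this example demonstrates.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

Both paths yield the same getUserId() only because App Engine derives it from the Google account that was authenticated, not from the kind of credential presented; before keying data on it, log the id returned on the cookie path and on the OAuth path for the same test account once and confirm they match on your SDK version. The client-id check matters as much as the scope check: without it, any Google token carrying the userinfo.email scope, issued to any application, would authenticate its owner to this one.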

Solution

Use Endpoints instead:

https://developers.google.com/appengine/docs/java/endpoints/

They use OAuth2, they are easy to implement and have support for Android, iOS and Web.
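What the answer's suggestion looks like in practice, as an added example (code written for this page, not from the answerer and not a Google sample): a Cloud Endpoints API on App Engine Java. The API name, the bean classes and the three client-id constants are assumptions. The security-relevant parts are that clientIds and audiences restrict which OAuth 2 clients' tokens Endpoints will accept, so a token issued to some other application cannot call this API at all, and that the injected User is checked for null and keyed by getUserId() rather than by e-mail, which is the stable identifier the question is after.

```java
// Added example, not code from the original answer or from Google's Endpoints samples.
import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.response.UnauthorizedException;
import com.google.appengine.api.users.User;

@Api(
    name = "phonecontrol",  // assumed API name
    version = "v1",
    // Endpoints only accepts OAuth 2 tokens issued to one of these client ids;
    // a token minted for another application is rejected before send() runs.
    clientIds = {PhoneControlApi.WEB_CLIENT_ID,
                 PhoneControlApi.ANDROID_CLIENT_ID,
                 PhoneControlApi.CLI_CLIENT_ID},
    // Android clients present ID tokens whose audience is the web client id,
    // so the web client id must be listed as an accepted audience as well.
    audiences = {PhoneControlApi.WEB_CLIENT_ID},
    scopes = {"https://www.googleapis.com/auth/userinfo.email"})
public class PhoneControlApi {

    // Assumed placeholders for the client ids created in the Google API console.
    public static final String WEB_CLIENT_ID = "WEB_CLIENT_ID.apps.googleusercontent.com";
    public static final String ANDROID_CLIENT_ID = "ANDROID_CLIENT_ID.apps.googleusercontent.com";
    public static final String CLI_CLIENT_ID = "CLI_CLIENT_ID.apps.googleusercontent.com";

    /** Request body: a command for one of the caller's phones (assumed shape). */
    public static class Command {
        private String phoneId;
        private String action;
        public String getPhoneId() { return phoneId; }
        public void setPhoneId(String v) { phoneId = v; }
        public String getAction() { return action; }
        public void setAction(String v) { action = v; }
    }

    /** Response body (assumed shape). */
    public static class CommandResult {
        private String queuedFor;
        public String getQueuedFor() { return queuedFor; }
        public void setQueuedFor(String v) { queuedFor = v; }
    }

    @ApiMethod(name = "commands.send", path = "commands", httpMethod = "POST")
    public CommandResult send(Command cmd, User user) throws UnauthorizedException {
        // Endpoints injects null when the request carried no valid token for one
        // of the client ids above. The method must refuse, not proceed anonymously.
        if (user == null) {
            throw new UnauthorizedException("Sign in required");
        }
        String userId = user.getUserId();
        if (userId == null || userId.isEmpty()) {
            // Do not fall back to user.getEmail(): the address can change, which
            // is exactly the problem the question raises. Fail closed instead.
            throw new UnauthorizedException("No stable user id for this credential");
        }
        // Authorization belongs here: confirm cmd.getPhoneId() is registered
        // under userId before queuing (registry lookup omitted; it is not part
        // of the authentication concern this example demonstrates).
        CommandResult r = new CommandResult();
        r.setQueuedFor(userId);
        return r;
    }
}
```

With this in place the Android client no longer needs the SACSID cookie at all: it calls the generated Endpoints client library with an account-based credential for the same Google account, and the CLI and JS clients call the same methods with their OAuth 2 tokens, so every client arrives at the same getUserId(). Before keying data on that id, check once with a test account that your SDK version populates getUserId() on the injected User; if it is empty, the method above refuses the call rather than silently degrading to the e-mail address.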
