安全谷歌加登入到通过Android应用程序的Web应用程序 [英] Secure Google Plus Sign-in into Web App via Android App
问题描述
我开发一个Android应用程序,我希望用户使用Google+登录功能来登录到我的应用程序。
I'm developing an Android app and I want users to sign-in to my app using Google+ Sign-In.
目前,我通过我Google+中得到内PHP登录脚本的用户名。脚本加载新会话与用户的ID。
At the moment, I pass the user's name which I get from Google+ within a PHP login script. The script loads a new session with the user's ID.
目前,该网站是非常不安全的:谁知道其他用户的用户名可能会登录为它们
Currently, the site is highly insecure: anyone who knows another user's username can potentially login as them.
什么是安全的方式做到这一点?
What is a secure way to do this?
如何授权对我的服务器的用户?
How do I authorize a user against my server?
它看起来像我,谷歌是一个纯粹的社交API ...
It looks like to me, Google+ was purely a social networking API...
推荐答案
Google+登录功能使用的OAuth 2.0 - 这意味着用户不直接与您的服务器进行身份验证。相反,他们进行身份验证与谷歌,并获得由谷歌签署的令牌。您的应用程序获取令牌(从谷歌Play业务在Android),并可以将它传递到你的服务器,以证明用户身份验证与谷歌。然后,用自己的服务器上一个新的或现有的用户ID的用户的Google+ ID相关联。因此,只要用户能证明他们与谷歌认证的特定Google+的用户ID,你把他们当作验证自己的服务器上。
Google+ Sign-In uses OAuth 2.0 - which means the user does not authenticate directly with your server. Instead they authenticate with Google and obtain a token signed by Google. Your app gets that token (from Google Play services on Android) and can pass it to your servers as proof that the user authenticated with Google. You then associate the users Google+ ID with a new or existing user ID on your own servers. So whenever a user can prove that they authenticated with Google for a specific Google+ user ID, you treat them as authenticated on your own server.
要实现,你有几种选择取决于你如何构建您的系统:
To implement, you have a few options depending on how you architect your system:
- 如果你只是想你的用户来验证自己的服务器:因为他们在客户经理一个谷歌帐户在Android设备的用户往往已经与谷歌进行身份验证。您的应用程序可以利用这一点,并获得在帐户管理器的用户令牌他们无需输入任何密码。用户点击登录与谷歌在你的应用程序后,您可以使用
GoogleAuthUtils.getToken()获取他们一个ID令牌,并将其传递到你的服务器。您的服务器,验证了谷歌的签名后,就可以安全地将用户会话使用适当的用户帐户和权限相关联(即对待会话认证)。获得该令牌和验证它的过程由添布雷此处通过伊恩·巴伯这里。 - 如果你想给用户身份验证自己的服务器和从服务器让Google+的API调用:那你应该看看在的 developers.google.com上服务器端的流量文档。这需要同样的方法为选项之一,但除此之外,当为第一时间的Android应用程序请求授权code,而不是一个ID令牌用户的迹象。 /:通过使用PHP客户端库。
- 如果你想给用户身份验证自己的服务器,也使从Android设备的谷歌API调用:那么你应该的使用PlusClient 通过谷歌提供的播放服务,除了你花时间去验证你自己的服务器的用户的步骤,使谷歌的API调用。
- When you simply want to authenticate your user to your own servers: On an Android device your user is very often already authenticated with Google because they have a Google account in the account manager. Your app can take advantage of this and obtain a token for a user in the account manager without them having to type any passwords. After the user clicks 'Sign in with Google' in your app, you can fetch an ID token for them using
GoogleAuthUtils.getToken()and pass it to your server. Your server, after verifying the Google signature, can then safely associate the users session with the appropriate user account and permissions (ie. treat the session as authenticated). The process of getting the token and verifying it is discussed by Tim Bray here and by Ian Barber here. - If you want to authenticate the user to your own servers and make Google+ API calls from your servers: Then you should take a look at the server side flow documentation on developers.google.com. This takes the same approach as option one, but in addition, when the users signs in for the very first time the Android app requests an authorization code instead of an ID token. This can be exchanged by the server for an access token and refresh token - which, in turn, can be used by your server to make API calls on behalf of the user, for example, by using the PHP client library.
- If you want to authenticate the user to your own servers, but also make Google API calls from the Android device: Then you should use the PlusClient provided by Google Play services to make Google API calls in addition to the steps you take to authenticate the user with your own server.
您可能希望在您的客户端或服务器上,以便可以$ P $与来自用户的Google+个人资料中的数据对填充您的报名表,例如,使谷歌的API调用。
You probably want to make Google API calls in your client or on your server so that you can pre-populate your registration form with data from the users Google+ profile, for example.
这篇关于安全谷歌加登入到通过Android应用程序的Web应用程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
