Google Authentication with a Backend Server required Scopes


Problem description


I am following these instructions (https://developers.google.com/identity/sign-in/android/backend-auth) for getting an ID token to be sent to my Backend, but when I set String scopes = "audience:server:client_id:" + Service.SERVER_CLIENT_ID; (yes, the SERVER_CLIENT_ID is not the Android Client ID) I fail to get a token and it throws this error.

E/Login: com.google.android.gms.auth.GoogleAuthException: Unknown

However, when I use the following scope instead: String scopes = "oauth2:profile email";

I successfully get 'a' token, but it's not as long as I expected it to be and I'm afraid it might be wrong.

My questions are...

1) Why doesn't the scopes = "audience:server:client_id:" + SERVER_CLIENT_ID; used in the guide work?

2) Is the token I get from using String scopes = "oauth2:profile email"; a safe one for verifying a user on a Backend?

The code is below.

    @Override
    protected String doInBackground(Void... params) {
        // Resolve the signed-in Google account name and wrap it as an Account object.
        String accountName = Plus.AccountApi.getAccountName(googleApiClient);
        Account account = new Account(accountName, GoogleAuthUtil.GOOGLE_ACCOUNT_TYPE);
        //String scopes = "oauth2:profile email"; // yields an access token rather than an ID token
        String scopes = "audience:server:client_id:" + Service.SERVER_CLIENT_ID; // Not the app's client ID.
        Log.d(TAG, "Account Name: " + accountName);
        Log.d(TAG, "Scopes: " + scopes);

        try {
            // Blocking network call; must run off the UI thread (hence the AsyncTask).
            userIdToken = GoogleAuthUtil.getToken(getApplicationContext(), account, scopes);
            return userIdToken;
        } catch (IOException e) {
            // Transient network error; the call can be retried.
            Log.e(TAG, "IOError retrieving ID token.", e);
            return null;
        } catch (UserRecoverableAuthException e) {
            // The user must grant consent first; launch the intent and retry after RC_SIGN_IN returns.
            startActivityForResult(e.getIntent(), RC_SIGN_IN);
            return null;
        } catch (GoogleAuthException e) {
            // Fatal error, usually a client-side misconfiguration (invalid scope or client ID).
            Log.e(TAG, "GoogleAuthError retrieving ID token.", e);
            return null;
        }
    }

Solution

When you set the scope to oauth2:profile email you are returned an access token, which is different from an id token.

An access token can be used to access Google APIs, an id token is a JWT that contains identity information about the user that is digitally signed by Google. The formats are different. If you try to authorize an access token using the sample code provided for id tokens you'll get an invalid error.

If you look at the documentation for GoogleAuthUtil.getToken() you'll see that GoogleAuthException is a fatal exception usually caused by a client error such as invalid scope or invalid client. https://developers.google.com/android/reference/com/google/android/gms/auth/GoogleAuthUtil#getToken(android.content.Context,%20android.accounts.Account,%20java.lang.String,%20android.os.Bundle)

Make sure that you have set up both an App and Webserver OAuth2 ID in the Google Developer console and that the package name in your manifest matches the package name you provide along with the SHA fingerprint when creating the App ID. Use the Webserver ID as SERVER_CLIENT_ID.

I uploaded some sample code to Github. https://github.com/kmosdev/google-signin-backend-auth

I started with Google's sample sign-in app and modified it to add backend auth. Further details are in the Readme.

Another thing to check is that you have the correct permissions in your manifest file, but I believe you'd get a different error if this was wrong:

<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.GET_ACCOUNTS" />
<uses-permission android:name="android.permission.USE_CREDENTIALS" />
