存储的Andr​​oid帐目的Rails +设计帐户认证 [英] Stored Android Accounts for Authentication of Rails + Devise Accounts

问题描述

摘要：我试图使用存储谷歌账号的Andr​​oid应用程序在本机应用程序来验证用户身份，通过一个Rails 3 +设计的应用程序提供了一个API，和我被困

。

详细信息：
我们有一个应用程序（http://push-poll.com），它可以让用户从一帮朋友收集反馈意见。我们还内置了原生Android应用程序。我们的web应用程序允许您与您的谷歌帐户登录，我们希望这些功能扩展到原生的Andr​​oid应用程序。 Web应用程序达到了这个标准制定（帐户权限）+ Omniauth（谷歌为帐户信息和OAuth交互）。

版本：
的Andr​​oid 2.1+，Rails的3.2.2，2.1.2设计，Omniauth 1.1.0

建议验证工作流程：

1. 用户击中Android应用程序
与谷歌帐户登录

2. 用户选择使用的AccountManager Android设备上存储的帐户，并提供适当的权限


3. Android应用程序发送谷歌帐户标记到Rails API


4. Rails应用程序发送帐户令牌谷歌OAuth的API＆LT; - 这是我卡


5. 谷歌返回成功信息和账户信息（具体名称+电子邮件）


6. Rails应用程序查找/创建电子邮件地址的用户


7. Rails应用程序创建/读取用户帐户/更新访问令牌


8. Rails的访问令牌重新调校到Android应用（这是我们的应用程序目前是如何处理与标准登录API访问）

在所有API调用
9. Android应用程序，包括Rails的访问令牌

我已经冲刷谷歌的文档，但我完全卡在（4）和（5）。一旦我有谷歌提供的电子邮件地址，一切正常象现在这样（适用于标准登录或谷歌/ Omniauth /设计帐户）。通过我最好的猜测，这可以通过以下任一操作来解决：

• 创建为与网络应用程序共享的Andr​​oid应用程序的API /密钥，以使谷歌帐户的API请求


• 找到一个谷歌API的端点我可以简单地验证对一个Android帐户令牌，并返回账户细节

我一直在敲打我的头靠在墙上就这一个，至少一个星期。

FYI：我是网络开发，我们的Andr​​oid开发人员已经还跟我提供一个废止的Andr​​oid应用程序，将从Android的发送一个访问令牌我选择的API端点。

解决方案

OK，所以我能有一点更好的理解的OAuth的解决这个问题。显然令牌能够被不同的服务器之间传来传去，这其实并不重要谁拥有它们，它们继续发挥作用。

因此​​，使用Android的的AccountManager我能够提取足够的权限范围userinfo.email，然后发送到服务器的令牌。然后服务器可以打：

https://www.googleapis.com/oauth2/v1/tokeninfo？的access_token = TOKENVALUE

请注意：这是通过HTTPS发送到Rails应用程序 - 你永远不应该以明文形式发送一个令牌在互联网上

下面是我们如何做到这一点的部分片段：

 ＃使用谷歌的令牌验证方案来提取用户的电子邮件地址
令牌=参数[：令牌]
URI = URI.parse（https://www.googleapis.com）
HTTP =净:: HTTP.new（uri.host，uri.port）
http.use_ssl =真
http.verify_mode = OpenSSL的SSL :: :: VERIFY_NONE
PATH =/的oauth2 / V1 / tokeninfo？=的access_token＃{}令牌
RESP，数据= http.get（路径）
数据= JSON.parse（数据）
如果RESP。code ==200
  ＃查找用户
  @user = User.where（：电子邮件=＆GT;数据[电子邮件]）。第一
  如果！@user
    ＃创建与我们刚回来的数据的用户
  结束
其他
  ＃坏或撤销令牌
结束
 

Summary: I'm trying to use stored Google accounts on an Android application to authenticate users in a native application, with an API provided by a Rails 3 + Devise application, and I'm stuck.

Details: We have an application (http://push-poll.com) which lets users gather feedback from a bunch of their friends. We've also built a native Android application. Our web app allows you to log in with your Google account, and we want to extend that functionality to the native Android app. The web app accomplishes this with Devise (for account permissions) + Omniauth (for Google account info and OAuth interaction).

Versions: Android 2.1+, Rails 3.2.2, Devise 2.1.2, Omniauth 1.1.0

Proposed authentication workflow:

1. User hits "log in with Google account" on Android application
2. User selects a stored account on Android device using AccountManager and gives permission
3. Android app sends Google account token to Rails API
4. Rails app sends account token to Google OAuth API <-- This is where I'm stuck
5. Google returns success and account information (specifically, name + email)
6. Rails app find/create user by email address
7. Rails app create/read/update access token from user account
8. Rails access token is retuned to Android app (this is how our app currently handles api access with standard login)
9. Android app includes Rails access token in all API calls

I've scoured Google's documentation, but I am totally stuck on (4) and (5). Once I have the Google-provided email address, everything works as it does now (for either standard logins or Google/Omniauth/Devise accounts). By my best guess, this can be solved with either of the following:

• Create an API/secret key for the Android app that is shared with a web app, in order to make requests of the Google Accounts API
• Find a Google API endpoint I can simply authenticate an Android account token against and return account details

I've been banging my head against a wall on this one for at least a week.

FYI: I'm the web dev, and our Android dev has been kind enough to furnish me with a stubbed-out Android app that'll send an access token from Android to the API endpoint of my choosing.

解决方案

OK, so I was able to resolve this with a little better understanding of OAuth. Apparently tokens are able to be passed around between different servers and it doesn't really matter who holds them, they continue to function.

So, using Android's AccountManager I was able to extract a token with sufficient permissions for the scope userinfo.email, and then sending that to the server. Then the server can hit:

https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=TOKENVALUE

Note: This is being sent to the Rails app via HTTPS - you should never send a token over the internet in clear text.

Here's a partial clip of how we do this:

# Use Google's Token Verification scheme to extract the user's email address
token = params[:token]
uri = URI.parse("https://www.googleapis.com")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
path = "/oauth2/v1/tokeninfo?access_token=#{token}"
resp, data = http.get(path)
data = JSON.parse(data)
if resp.code == "200"
  # Find a user
  @user = User.where(:email => data["email"]).first
  if !@user
    #Create a user with the data we just got back
  end
else
  # Bad or revoked token 
end

这篇关于存储的Andr​​oid帐目的Rails +设计帐户认证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！