How to verify Google OpenID response

Problem description

I'm trying to add authorization through Google OpenID to my users. I'm receiving an id (https://www.google.com/accounts/o8/id?id=AIt...Ew-Bo), but how can I check that it's legit? I mean a user can create a malicious request with the email of another user; how can I check that the returned email and claimed id are legit?

Recommended answer

Rather than trying to implement discovery and signature verification by yourself, you really ought to use one of the many libraries that have already been created for this purpose. Here are a bunch for various programming languages:

http://openid.net/developers/libraries/
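
As an added illustration (not code from the original answer or from any OpenID library), the example below shows the core checks such a library performs on a positive assertion: the email and claimed ID are trusted only if they are listed in `openid.signed` and the HMAC over those fields matches. It assumes an already-established HMAC-SHA256 association key and the attribute-exchange alias `ext1`, uses constructed sample values, and does not cover discovery on the claimed ID, which a relying party also has to perform.

```python
import base64
import hashlib
import hmac

# OpenID 2.0 requires these in openid.signed (claimed_id/identity when present);
# requiring the AX email key as well is this example's policy.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle",
                   "claimed_id", "identity", "ext1.value.email"}

def signature(params, mac_key):
    """Base64 HMAC-SHA256 over the key-value form of the fields in openid.signed."""
    names = params["openid.signed"].split(",")
    base = "".join(f"{n}:{params['openid.' + n]}\n" for n in names)
    mac = hmac.new(mac_key, base.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def verify_assertion(params, mac_key, expected_return_to, seen_nonces):
    """Return (claimed_id, email) for a valid assertion, else raise ValueError."""
    if params.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    signed = params.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED <= set(signed):
        raise ValueError("a required field is not covered by the signature")
    if any("openid." + n not in params for n in signed):
        raise ValueError("signed field missing from response")
    sig = params.get("openid.sig", "")
    if not hmac.compare_digest(signature(params, mac_key).encode(), sig.encode()):
        raise ValueError("bad signature")
    if params["openid.return_to"] != expected_return_to:
        raise ValueError("return_to mismatch")
    nonce = params["openid.response_nonce"]
    if nonce in seen_nonces:
        raise ValueError("replayed nonce")
    seen_nonces.add(nonce)
    return params["openid.claimed_id"], params["openid.ext1.value.email"]

def sample_assertion(mac_key):
    """Constructed sample response; every value here is made up for the example."""
    p = {"openid.mode": "id_res",
         "openid.op_endpoint": "https://op.example/endpoint",
         "openid.return_to": "https://rp.example/return",
         "openid.response_nonce": "2024-01-01T00:00:00Zabc123",
         "openid.assoc_handle": "handle-1",
         "openid.claimed_id": "https://op.example/id?id=alice",
         "openid.identity": "https://op.example/id?id=alice",
         "openid.ext1.value.email": "alice@example.com"}
    p["openid.signed"] = ",".join(k[len("openid."):] for k in p if k != "openid.mode")
    p["openid.sig"] = signature(p, mac_key)
    return p
```

A request whose email was altered after signing, or whose email is present but absent from `openid.signed`, raises `ValueError` instead of returning an identity.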
