Is it possible to get profile information in an id_token from Google?


Question

When using Google's OpenIDConnect authentication system, it's possible to specify email or profile or both in the scope parameter. If you request the email scope, the "email" and "email_verified" claims will be included in the id_token that gets returned as part of a successful OAuth2 authentication session.

Here's an example from Google's documentation:

An ID token's payload

An ID token is a JSON object containing a set of name/value pairs. Here’s an example, formatted for readability:

{"iss":"accounts.google.com", 
 "at_hash":"HK6E_P6Dh8Y93mRNtsDB1Q", 
 "email_verified":"true",
 "sub":"10769150350006150715113082367", 
 "azp":"1234987819200.apps.googleusercontent.com", 
 "email":"jsmith@example.com", 
 "aud":"1234987819200.apps.googleusercontent.com", 
 "iat":1353601026, 
 "exp":1353604926,
 "hd":"example.com" 
}

However, requesting the profile scope seems to have no effect whatsoever on the contents of the id_token. In order to retrieve the profile information, you have to make a separate HTTP request to a distinct endpoint (authenticated with the access_token you just received) to get a document that looks very similar, but with more information:

{
  "kind": "plus#personOpenIdConnect",
  "gender": string,
  "sub": string,
  "name": string,
  "given_name": string,
  "family_name": string,
  "profile": string,
  "picture": string,
  "email": string,
  "email_verified": "true",
  "locale": string,
  "hd": string
}

Ideally, I would prefer to get the profile information (just name, actually) included in the id_token JWT rather than having to make a separate call. Is there any way to specify additional fields and have them included as claims in the id_token? If not, why is email treated specially and returned in the id_token?

Accepted answer

Starting today you will get profile information when exchanging the code at the token endpoint (i.e. using the "code flow").

How to use: add the profile scope to your request, and make sure you are using the OpenID Connect compliant endpoints (the ones listed in https://accounts.google.com/.well-known/openid-configuration).

Look for claims such as name and picture in these ID Token responses. As before, if the email scope is in your request, the ID Token will contain email related claims.

When you refresh your access token, every so often the ID Token that is returned with the fresh access token will also contain these additional claims. You can check these fields, and if present (and different to what you have stored), update your user's profile. This can be useful to detect name or email address changes.
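The relying-party side of what the answer describes, as an added example that is not part of the original question or answer: validate an ID token (issuer, audience, expiry, signature) before reading anything out of it, pull the profile and email claims that are actually present, and diff a later token from a refresh response against the stored record to catch a changed name or address. Google signs ID tokens with RS256 using the keys at the `jwks_uri` in https://accounts.google.com/.well-known/openid-configuration; so that this runs offline, `verify_signature` is a stand-in using HMAC-SHA256 with a constructed secret, isolated so it can be swapped for a real JWKS lookup. The client ID and `sub` are copied from the question's sample token, the names, picture URL and helper functions are my own, and nothing here is Google library code.

```python
import base64
import hashlib
import hmac
import json
import time

# Google's discovery document lists both spellings of the issuer.
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}
PROFILE_CLAIMS = ("name", "given_name", "family_name", "picture", "locale")
EMAIL_CLAIMS = ("email", "email_verified", "hd")

# Constructed demo values, not real credentials. Google signs with RS256; this
# HMAC secret exists only so the example runs offline (see verify_signature).
CLIENT_ID = "1234987819200.apps.googleusercontent.com"
DEMO_SECRET = b"constructed-demo-secret-not-a-google-key"


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims, secret=DEMO_SECRET):
    """Mint an HS256 JWT standing in for what Google's token endpoint returns."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_signature(signing_input, signature, header, secret=DEMO_SECRET):
    """Demo verifier (HMAC). In production: fetch jwks_uri from the discovery
    document, pick the key named by header["kid"], and verify RS256."""
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def validate_id_token(token, client_id=CLIENT_ID, now=None):
    """Return the claims of a valid token or raise ValueError. Nothing in the
    payload is trusted until the signature has checked out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if not verify_signature(header_b64 + "." + payload_b64, b64url_decode(sig_b64), header):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer %r" % claims.get("iss"))
    aud = claims.get("aud")  # a string, or a list when issued to several clients
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not issued for this client_id")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def rejection_reason(token, client_id=CLIENT_ID, now=None):
    """None when the token validates, otherwise why it was rejected."""
    try:
        validate_id_token(token, client_id, now)
        return None
    except ValueError as exc:
        return str(exc)


def profile_from_claims(claims):
    """Pick the profile/email claims that are actually present. email_verified
    is normalised: the question's sample carries the string "true"."""
    out = {k: claims[k] for k in PROFILE_CLAIMS + EMAIL_CLAIMS if k in claims}
    if "email_verified" in out:
        out["email_verified"] = out["email_verified"] in (True, "true")
    return out


def detect_profile_changes(stored, fresh_claims):
    """Diff the stored record for this subject against a freshly validated ID
    token (e.g. the one returned with a refreshed access token). Returns
    {claim: (old, new)}; claims absent from the new token are left alone."""
    fresh = profile_from_claims(fresh_claims)
    return {k: (stored.get(k), v) for k, v in fresh.items() if stored.get(k) != v}


def demo():
    """Three constructed tokens for one subject: email scope only, email plus
    profile via the code flow, and a later refresh response with a new name."""
    t0 = 1353601026  # iat of the sample token in the question
    base = {"iss": "accounts.google.com", "sub": "10769150350006150715113082367",
            "aud": CLIENT_ID, "azp": CLIENT_ID, "email": "jsmith@example.com",
            "email_verified": "true", "hd": "example.com"}
    email_only = validate_id_token(
        make_demo_token({**base, "iat": t0, "exp": t0 + 3600}), now=t0 + 10)
    with_profile = validate_id_token(
        make_demo_token({**base, "iat": t0, "exp": t0 + 3600, "name": "John Smith",
                         "picture": "https://example.com/jsmith.png"}), now=t0 + 10)
    stored = profile_from_claims(with_profile)
    refreshed = validate_id_token(
        make_demo_token({**base, "iat": t0 + 86400, "exp": t0 + 90000,
                         "name": "John A. Smith",
                         "picture": "https://example.com/jsmith.png"}), now=t0 + 86410)
    return {"email_only": profile_from_claims(email_only), "with_profile": stored,
            "changes": detect_profile_changes(stored, refreshed)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Only `sub` is a stable identifier for the account; `email` and `name` can change, which is why `detect_profile_changes` keys off the stored record for the subject rather than looking the user up by address.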
