How can I verify a Google authentication API access token?

Problem description

How can I verify a Google authentication access token?

I need to somehow query Google and ask: is [given access token] valid for the [example@example.com] Google account?

Short version:
It's clear how an access token supplied through the Google Authentication Api :: OAuth Authentication for Web Applications can be used to then request data from a range of Google services. It is not clear how to check if a given access token is valid for a given Google account. I'd like to know how.

Long version:
I'm developing an API that uses token-based authentication. A token will be returned upon provision of a valid username+password or upon provision of a third-party token from any one of N verifiable services.

One of the third-party services will be Google, allowing a user to authenticate against my service using their Google account. This will later be extended to include Yahoo accounts, trusted OpenID providers and so on.

Example of Google-based access:

(figure) http://webignition.net/images/figures/auth_figure002.png

The 'API' entity is under my full control. The 'public interface' entity is any web- or desktop-based app. Some public interfaces are under my control, others will not be and others still I may never even know about.

Therefore I cannot trust the token supplied to the API in step 3. This will be supplied along with the corresponding Google account email address.

I need to somehow query Google and ask: Is this access token valid for example@example.com?

In this case, example@example.com is the Google account unique identifier - the email address someone uses to log in to their Google account. This cannot be assumed to be a Gmail address - someone can have a Google account without having a Gmail account.

The Google documentation clearly states how, with an access token, data can be retrieved from a number of Google services. Nothing seems to state how you can check if a given access token is valid in the first place.

Update The token is valid for N Google services. I can't try a token against a Google service as means of verifying it as I won't know which subset of all Google's services a given user actually uses.

Furthermore, I'll never be using the Google authentication access token to access any Google services, merely as a means of verifying a supposed Google user actually is who they say they are. If there is another way of doing this I'm happy to try.

Recommended answer

For a user check, just get the access token as accessToken, post it and get the response:

https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=accessToken

You can try it in the browser's address bar too, or use HttpPost and the response in Java.

The response looks like:

{
  "issued_to": "xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
  "audience": "xxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
  "user_id": "xxxxxxxxxxxxxxxxxxxxxxx",
  "scope": "https://www.googleapis.com/auth/userinfo.profile https://gdata.youtube.com",
  "expires_in": 3340,
  "access_type": "offline"
}

The scope is the permission granted to the accessToken. You can check the scope IDs in this link.

Update: New API, post as below:

https://oauth2.googleapis.com/tokeninfo?id_token=XYZ123

The response will be:

{
  // These six fields are included in all Google ID Tokens.
  "iss": "https://accounts.google.com",
  "sub": "110169484474386276334",
  "azp": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
  "aud": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
  "iat": "1433978353",
  "exp": "1433981953",

  // These seven fields are only included when the user has granted the "profile" and
  // "email" OAuth scopes to the application.
  "email": "testuser@gmail.com",
  "email_verified": "true",
  "name" : "Test User",
  "picture": "https://lh4.googleusercontent.com/-kYgzyAWpZzJ/ABCDEFGHI/AAAJKLMNOP/tIXL9Ir44LE/s99-c/photo.jpg",
  "given_name": "Test",
  "family_name": "User",
  "locale": "en"
}

For more information, see https://developers.google.com/identity/sign-in/android/backend-auth
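The answer above shows the two tokeninfo responses but not the checks a server should apply to them before treating the caller as a verified Google user. The following is an added example, not code from the answer or from Google: it fetches either endpoint named in the answer and then checks the response against the server's own client ID, the token's expiry, and (for the ID-token form) the issuer, `email_verified` and the e-mail address the untrusted public interface asserted in step 3 of the question. `EXPECTED_CLIENT_ID` is a placeholder, and both sample responses are constructed from the shapes shown in the answer, so the checks run offline.

```python
"""Server-side validation of Google tokeninfo responses.

Added example (not part of the original answer). Assumptions:
  - EXPECTED_CLIENT_ID is a placeholder for the API's own OAuth client ID
  - the two sample responses are constructed from the answer's shapes,
    not captured from a live account
"""
import json
import time
import urllib.parse
import urllib.request

EXPECTED_CLIENT_ID = "000000000000-placeholder.apps.googleusercontent.com"  # placeholder
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

LEGACY_TOKENINFO = "https://www.googleapis.com/oauth2/v1/tokeninfo"   # access_token=
ID_TOKENINFO = "https://oauth2.googleapis.com/tokeninfo"              # id_token=

# Constructed sample of the legacy access-token response from the answer.
SAMPLE_ACCESS_TOKEN_INFO = {
    "issued_to": EXPECTED_CLIENT_ID,
    "audience": EXPECTED_CLIENT_ID,
    "user_id": "110169484474386276334",
    "scope": "https://www.googleapis.com/auth/userinfo.email",
    "expires_in": 3340,
    "access_type": "offline",
}

# Constructed sample of the ID-token response (numeric claims arrive as strings).
SAMPLE_ID_TOKEN_CLAIMS = {
    "iss": "https://accounts.google.com",
    "sub": "110169484474386276334",
    "azp": EXPECTED_CLIENT_ID,
    "aud": EXPECTED_CLIENT_ID,
    "iat": "1433978353",
    "exp": "1433981953",
    "email": "testuser@gmail.com",
    "email_verified": "true",
}


def fetch_tokeninfo(endpoint, **params):
    """GET the tokeninfo endpoint and parse its JSON body (network; not run offline).
    Google answers an invalid token with a non-2xx status, which urlopen raises
    as urllib.error.HTTPError; callers should treat that as 'not verified'."""
    url = endpoint + "?" + urllib.parse.urlencode(params)
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.load(resp)


def check_access_token_info(info, expected_client_id):
    """Return (ok, reason) for a legacy /oauth2/v1/tokeninfo response.
    The audience check is the important one: without it, an access token that
    some other application obtained for the same user would be accepted here."""
    if "error" in info:
        return False, "google rejected token: %s" % info["error"]
    if info.get("audience") != expected_client_id:
        return False, "token was not issued for this client_id"
    if int(info.get("expires_in", 0)) <= 0:
        return False, "token expired"
    if not info.get("user_id"):
        return False, "no user_id; token carries no identity"
    return True, "ok"


def check_id_token_claims(claims, expected_client_id, claimed_email, now=None):
    """Return (True, sub) when the ID-token claims vouch for claimed_email,
    else (False, reason). 'sub' is Google's stable user identifier; the e-mail
    is only compared because that is what the public interface sends the API."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer"
    if claims.get("aud") != expected_client_id:
        return False, "id token was not issued for this client_id"
    if int(claims.get("exp", "0")) <= now:
        return False, "id token expired"
    if str(claims.get("email_verified", "false")).lower() != "true":
        return False, "email not verified by Google"
    if claims.get("email", "").lower() != claimed_email.lower():
        return False, "email claim does not match the address the client asserted"
    return True, claims["sub"]


def verify_id_token_online(id_token, claimed_email):
    """Network path: ask Google to decode the ID token, then apply the checks."""
    claims = fetch_tokeninfo(ID_TOKENINFO, id_token=id_token)
    return check_id_token_claims(claims, EXPECTED_CLIENT_ID, claimed_email)
```

The e-mail comparison is done case-insensitively, and the `email_verified` claim is compared as the string `"true"` because that is how the answer's sample shows it. If the API stores anything about the user, keying it on `sub` rather than on the e-mail address avoids breaking the account when the user changes their Google e-mail.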
