跨客户端Google OAuth:在iOS上获取身份验证代码并在服务器上访问令牌 [英] Cross-client Google OAuth: Get auth code on iOS and access token on server
问题描述
我正在尝试通过我的iOS应用和Rails网络应用设置Google OAuth.我在API控制台中设置了2个单独的客户端(当然具有不同的客户端ID,但是具有相同的前缀).一个用于iOS应用程序,另一个用于Web应用程序(也具有client_secret.我想在iOS上使用AppAuth SDK来获取用户的身份验证代码,然后将其发送到我的Web应用程序,然后执行交换访问令牌.
I'm trying to set up Google OAuth with my iOS app and Rails web app. I have 2 separate clients (with of course different client IDs, but with the same prefix) set up in the API Console. One for the iOS app, and the other for the web app (which also has a client_secret. I want to use the AppAuth SDK on iOS to get the user's auth code, then send that to my web app, which will then perform the exchange for the access token.
首先,这听起来像是一件合理的事情,还是不可能像这样在客户之间拆分交易?
First of all, does this sound like a reasonable thing to do, or is it not possible to split the transaction across clients like that?
我的第一个尝试是仅获取身份验证代码并执行交换,但是由于missing_code_verifier invalid_grant错误而失败,因此我还传递了与AppAuth用于获取身份验证代码的相同的code_verifier服务器,并修复了该错误.首先,是否有必要将此代码验证程序传递给服务器?似乎有些奇怪.
My first try was to just take the auth code and perform the exchange, but that failed with the missing_code_verifier invalid_grant error, so I also passed the same code_verifier that AppAuth used to get the auth code to my server, and that fixed that error. First of all, is it necessary to pass this code verifier to the server? Seems a little strange.
现在,它以unauthorized_client错误失败.我的网络应用正在发出这样的请求:
Now though, it fails with the unauthorized_client error. My web app is making a request like this:
{
"grant_type"=>"authorization_code",
"code"=>"4/XYZ...",
"client_id"=>"WEB_APP_CLIENT_ID_HERE.apps.googleusercontent.com",
"client_secret"=>"WEB_APP_CLIENT_SECRET_HERE",
"redirect_uri"=>"https://www.myapp.com/oauth_callback",
"parse"=>"json",
"code_verifier"=>"CODE_VERIFIER_STRING_HERE"
}
查看类似的帖子
- Unable to exchange authorization code for access token and refresh token in Cross Client google oauth2.0
- Google+ Sign-in for server-side apps, exchanging auth code for access token
看来redirect_uri在这里可能是个问题.我在iOS上的AppAuth配置将重定向URI设置为com.googleusercontent.apps.iOS_CLIENT_ID_HERE,并且还将Info.plist URL方案设置为. API控制台中Web应用程序的授权重定向URI"部分具有许多Web URL,我也向其中添加了com.google....这个配置不正确吗? redirect_uri在进行跨客户端身份验证时重要吗?
it looks like the redirect_uri might be an issue here. My AppAuth config on iOS has the redirect URI set as com.googleusercontent.apps.iOS_CLIENT_ID_HERE, and the Info.plist URL scheme too. The web app's "Authorized redirect URIs" section in the API Console has a bunch of web URLs, and I added the com.google... to it as well. Is this config incorrect? Is the redirect_uri important when doing cross-client auth?
任何帮助将不胜感激!到目前为止,我所有的反复试验都没有取得成果:(
Any help is greatly appreciated! All my trial-and-error have had no fruition so far :(
推荐答案
我是AppAuth的首席维护者,并且在Google Identity Platform上工作;希望我能帮上忙.
I am the lead maintainer of AppAuth, and work on the Google Identity Platform; hopefully I can help.
我想在iOS上使用AppAuth SDK来获取用户的身份验证代码,然后将其发送到我的Web应用程序,然后由该Web应用程序执行访问令牌的交换.
I want to use the AppAuth SDK on iOS to get the user's auth code, then send that to my web app, which will then perform the exchange for the access token.
首先,这听起来像是一件合理的事情,还是不可能像这样在客户之间拆分交易?
First of all, does this sound like a reasonable thing to do, or is it not possible to split the transaction across clients like that?
交换服务器上的代码听起来很合理,但是我认为您使用的配置可能不正确.如果您要在服务器上请求交换代码,请在授权服务器的请求中使用服务器的客户端ID .从您的描述中,听起来您的授权服务器请求正在发送您的iOS客户端ID,然后您正在与服务器客户端ID进行交换,我相信这就是为什么您会看到"unauthorized_client"消息的原因.错误.
Exchanging the code on your server sounds reasonable, however I think the configuration you are using is possibly incorrect. If you are requesting a code for exchange on your server, use the server's client id in the request to the authorization server. From your description it sounds like your authorization server request is sending your iOS client ID, and you are then doing the exchange with your server client ID, and I believe this is why you are seeing an "unauthorized_client" error.
对此并没有很好的记录,对此表示歉意.在离线访问"文档的本节中提到了此内容. ,但纯粹是通过GoogleApiClient讨论Android使用情况.
This is not terribly well documented, apologies for that. It is alluded to in this section of the documentation on "offline access", though it talks about it purely in terms of Android usage via GoogleApiClient.
是否有必要将此代码验证程序传递给服务器?似乎有些奇怪.
is it necessary to pass this code verifier to the server? Seems a little strange.
PKCE的目的是确保发出授权请求的实体与发出代码交换请求的实体相同. code_verifier在正常情况下不应离开设备.
The intention behind PKCE is to ensure that the entity making the authorization request is the same as the entity making the code exchange request. The code_verifier should not leave the device under normal circumstances.
但是,如果您使用由后端控制的客户机密来交换代码,则不必使用PKCE.您可以针对这种情况在AppAuth中禁用PKCE.
However, it is not necessary to use PKCE if you are exchanging your code using a client secret controlled by your backend; you can disable PKCE in AppAuth for this scenario.
这篇关于跨客户端Google OAuth:在iOS上获取身份验证代码并在服务器上访问令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
