Google始终会返回过期的ID令牌(JWT) [英] Google always returns expired id token(JWT)

问题描述

根据

如果您使用ID令牌到期时间来确定会话生存期，则应在每次对应用程序服务器进行API调用之前调用silentSignIn来检索刷新的ID令牌.

If you use the ID token expiry time to determine your session lifetime, you should retrieve a refreshed ID token, by calling silentSignIn prior to each API call to your application server.

我正在尝试通过调用silentSignIn获得新令牌.但是，我总是得到相同的过期ID令牌.可以帮我指出正确的文档，该文档显示如何强制刷新以获取新令牌.我的代码没什么特别的.几乎与Google示例中的相同.

I am trying to get a new token by calling silentSignIn. But, I always get the same expired ID token. Can some one please help me in pointing out the right documentation that shows how to force refresh to get a new token. My code is nothing special. It's almost the same as what we have in google's sample.

private void buildGoogleApiClient()
{
    // Configure sign-in to request the user's ID, email address, and basic profile. ID and
    // basic profile are included in DEFAULT_SIGN_IN.
    GoogleSignInOptions gso = new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
            //.requestServerAuthCode(serverClientId)
            .requestIdToken(SERVER_ID)
            .requestScopes(new Scope(Scopes.PLUS_LOGIN))
            .requestEmail()
            .build();

    // Build a GoogleApiClient with access to GoogleSignIn.API and the options above.
    mGoogleApiClient = new GoogleApiClient.Builder(this)
            .enableAutoManage(this, this)
            .addApi(Auth.GOOGLE_SIGN_IN_API, gso)
            .build();
} 

我如上所述构建了我的API，并且当用户点击Google按钮登录时，我将执行以下操作

I build my API as above and when user clicks on login with google button I perform the following action

OptionalPendingResult<GoogleSignInResult> opr = Auth.GoogleSignInApi.silentSignIn(mGoogleApiClient);
        if (opr.isDone())
        {
            // If the user's cached credentials are valid, the OptionalPendingResult will be "done"
            // and the GoogleSignInResult will be available instantly.
            Timber.d("Got cached sign-in");
            GoogleSignInResult result = opr.get();
            handleSignInResult(result);
        }
        else
        {
            // If the user has not previously signed in on this device or the sign-in has expired,
            // this asynchronous branch will attempt to sign in the user silently.  Cross-device
            // single sign-on will occur in this branch.
            Timber.d("Checking if user has already given access to this app on an other device.");
            showProgressDialog();
            opr.setResultCallback(new ResultCallback<GoogleSignInResult>()
            {
                @Override
                public void onResult(GoogleSignInResult googleSignInResult)
                {
                    hideProgressDialog();
                    handleSignInResult(googleSignInResult);
                }
            });
        }

handleSignInResult方法将获得ID令牌为

handleSignInResult method would get the id token as

GoogleSignInAccount acct = result.getSignInAccount();
String idToken = acct.getIdToken();
Timber.d(acct.getIdToken());

编辑1

我还有另一个相关问题.

I have another related question.

我从 https://security.google.com/撤消了许可settings/u/1/security/permissions 我仍然能够检索ID令牌(JWT).假设此令牌已缓存，并且Android play服务从本地副本提供了该令牌.令牌过期后(60分钟)，播放服务应与Google的服务联系以获取最新状态.但是，我看不到这种情况.实际上，我注意到的另一件奇怪的事情是，当我在大约一天左右的时间内调用了silentSignIn()时，在未经用户同意的情况下，我得到了一个新令牌.有人可以测试一下这个用例，让我知道输出吗?

After I revoked the permission from https://security.google.com/settings/u/1/security/permissions I was still able to retrieve the ID token(JWT). Let's assume that this token is cached and Android play services is providing it from a local copy. After the token expires(60 mins) play service should contact Google's service to get the latest status. But, I don't see this happening. In fact, another strange thing that I have noticed is when I call silentSignIn() after like a day or so, I get a new token with out user's consent. Can some one please test this use case and let me know the output.

如何确保用户被撤消后再次要求授予权限.

How can I make sure user's are requested to give permission again when they have revoked it.

推荐答案

您将需要使用startActivityForResult()，然后在onActivityResult()中处理登录结果，如此处

You will need to use startActivityForResult(), then handle the sign-in result in onActivityResult(), as explained here Integrating Google Sign-In into Your Android App. Then, to verify the authenticity of the token, please see Google's guide for Google Sign-In for Android on how to Authenticate with a backend server.

一种简单的方法是将令牌传递给Google tokeninfo端点 https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123其中XYZ123是您的令牌.

A simple way is to pass the token to the Google tokeninfo endpoint https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123 where XYZ123 is your token.

这篇关于Google始终会返回过期的ID令牌(JWT)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！