Difference between v1, v2 and v3 in https://www.googleapis.com/oauth2/v3/certs


Problem description

I'm trying to use Google Sign-in to get the account name, grab the token via GoogleAuthUtil.getToken(getApplicationContext(), app, scopes), and then send the token to my NodeJS back-end server to verify.

I found this great stackoverflow question on how to decode it, cache the key id (KID) so it's not doing a round trip every time, etc. (haven't implemented this part yet, but sort of played around with it). My only question is: what's the difference between the following googleapis certs:

  • www.googleapis.com/oauth2/v1/certs
  • www.googleapis.com/oauth2/v2/certs
  • www.googleapis.com/oauth2/v3/certs

The KID on each version is identical, but the content is overtly different. Why? v2 and v3 seem to be almost identical except that v2 has an "==" appended at the end of the value of property 'n'.

Most importantly, which version do I use?

I think these certs are called JSON Web Keys (JWK). I've also read the term 'x5c'. What is that?

PS: The token I'm getting on my nodejs from my android app is:

{
 "iss": "accounts.google.com",
 "sub": "SOME_LONG_NUMBER_THAT_I_DONT_KNOW_IF_SHOULD_SHOW",
 "azp": "SERVER_CLIENT_ID",
 "email": "ANDROID_USER_EMAIL",
 "email_verified": "true",
 "aud": "ANDROID_CLIENT_ID",
 "iat": "SOME_NUMBER",
 "exp": "SOME_NUMBER",
 "alg": "RS256",
 "kid": "e53139984bd36d2c230552441608cc0b5179487a"
}

Solution

Version 1 appears to be a basic JSON mapping of key ids to certificate strings. I don't have any inside information, but I would speculate that this is a simple "home-grown" format that somebody at Google made up as an easy way to distribute their public keys.

As you have noted, versions 2 and 3 are distributed in the JSON Web Key (JWK) format. This format is defined in a formal specification, RFC 7517, which lays out exactly how to structure a JSON response representing cryptographic keys.

As for the difference between v2 and v3, it looks like v2 included trailing equal signs as padding and in v3 they've simply stripped those off.

I've also read the term 'x5c'. What is that?

In the specification, 'x5c' is defined as an optional parameter for specifying a list of cryptographic certificates that together form a "chain of trust" that would allow a client application to validate the key by verifying each certificate in turn and following the chain back to a known, trusted root certificate.

Most importantly, which version do I use?

If possible, I would suggest using the most-current version. But as long as the keys themselves are identical, it probably doesn't matter very much.
