Does Google+ JavaScript API have an equivalent to Facebook's signed_request?

Question

The Google+ Sign-In button bears a striking similarity to the Facebook Login API, and I like that.

The Facebook JS SDK has a signed_request parameter that's provided on the client side but which can be passed to my server, verifying that client-side authentication has taken place. It's cryptographically signed by Facebook, which allows me to verify that the client is logged in without talking to Facebook on the server side.

Is there a way to do something similar with the G+ JS API? Specifically, I want to do client-side authentication, then POST some data to my server and verify that the client really is logged in to Google, without initiating a server-side request to Google.

(I want this because I only want to use the sign in button as a registration mechanism; I don't want to post to Google Plus or get the user's list of friends or anything like that, which would normally require a full access token.)

Recommended answer

So, actually there is a pretty good match for that parameter, the id_token that is returned along with the access_token. It's a signed JSON Web Token that includes a userid, the client ID and so on. It sounds like this would address your use case! Take a look at http://android-developers.blogspot.nl/2013/01/verifying-back-end-calls-from-android.html this blog post by Tim Bray - it's Android focused, but the same logic pretty much works for any client.

Once you get this, you know it's valid at the point of delivery, just like a signed_request. Of course in either case if the user signs out or revokes access to your app the access token may no longer be valid for making calls.
