checking the user id in a tokeninfo response, with token received from the google+ sign in button's one-time code flow


Problem description


I'm using the one-time code flow with my google+ sign in button implementation, but the user_id in the response from the tokeninfo endpoint doesn't match the id_token in the object my javascript callback receives from the sign in button.


In the sample code in the documentation, the user_id in the tokeninfo object is checked against a request parameter called gplus_id, but the sample javascript doesn't send this parameter, so I have no idea if I'm checking against the right thing.


So, to be clear about the particular sections of code I'm talking about:


The one-time code is processed on the server using this sample code, and it uses a request parameter called gplus_id.


The code in this section sends the one-time code to the server, but as far as I can see, it doesn't send a gplus_id.

Recommended answer


It looks like step 6 on the example page is incomplete, and is supposed to be sending the gplus_id, but isn't.

Take a look at the connectServer function (and the function that calls it) in https://github.com/googleplus/gplus-quickstart-java/blob/master/index.html for a more complete example of how to get the user's ID and pass it to the server for verification.


(And I'll try to ping the people responsible for the documentation to get it updated and consistent across the platforms in the quickstart examples. You can also track bug 573 to see progress on them fixing the documentation.)


NOTE: It is worth noting, however, that sending the gplus_id is a bit redundant. You're already trusting the code sent from the client, and you're getting the ID through steps derived from the code. So while passing and checking the gplus_id is a nice sanity check, it really doesn't gain you any additional security.
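An added illustration of the server-side check the answer discusses; it is not code from the question, the answer, or Google's quickstart. It validates a tokeninfo body after the server has exchanged the one-time code, treating the client-ID (issued_to) check as the real security control and the gplus_id comparison as the redundant sanity check the answer describes. The field names issued_to, user_id and expires_in, the CLIENT_ID value and the sample body are assumptions constructed for the example.

```python
import json

# Constructed placeholder, not a real client ID.
CLIENT_ID = "123456789012-example.apps.googleusercontent.com"

# Constructed sample of a tokeninfo response body; field names are assumed
# to follow the shape the quickstart code reads (issued_to, user_id, ...).
SAMPLE_TOKENINFO = json.dumps({
    "issued_to": CLIENT_ID,
    "user_id": "108111222333444555666",
    "scope": "https://www.googleapis.com/auth/plus.login",
    "expires_in": 3600,
})


def verify_tokeninfo(body, expected_client_id, gplus_id=None):
    """Validate a tokeninfo JSON body and return the verified Google user ID.

    Raises ValueError on any failed check. The gplus_id comparison is only a
    sanity check: that value arrived from the same client that sent the code,
    so agreeing with it proves nothing the code exchange did not already prove.
    """
    info = json.loads(body)
    if "error" in info:
        raise ValueError("tokeninfo reported an error: %s" % info["error"])
    # The check that matters: the token must have been issued for THIS app.
    # Without it, a valid Google token minted for some other app would pass.
    if info.get("issued_to") != expected_client_id:
        raise ValueError("token was not issued to our client ID")
    if int(info.get("expires_in", 0)) <= 0:
        raise ValueError("token has expired")
    user_id = info.get("user_id")
    if not user_id:
        raise ValueError("tokeninfo body carries no user_id")
    if gplus_id is not None and gplus_id != user_id:
        raise ValueError("user_id does not match the client-supplied gplus_id")
    return user_id


def accepts(body, expected_client_id, gplus_id=None):
    """Boolean wrapper: True if verify_tokeninfo would accept the body."""
    try:
        verify_tokeninfo(body, expected_client_id, gplus_id)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("verified user:", verify_tokeninfo(SAMPLE_TOKENINFO, CLIENT_ID))
```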
