Identify logged in Google Account user with OAuth2.0


Question

I am developing a web application that uses OAuth2 to log in the users with their Google Accounts. I am also accessing some Google Data APIs, so I am asking for refresh tokens and offline access too (in case that it makes a difference).

My problem is the following: after the app's user first comes to log in, does OAuth, and I save the tokens/user ID in the database, I need to have in place a system that identifies the user on subsequent visits.

I do this by saving the Google user ID (obtained by a call to the 'userinfo' endpoint) in a Session variable. This works fine until the user logs out of their Google Account and possibly logs in with another account (to Google, not my app). At this point my app does not have the correct logged in user anymore and can show data that does not belong to the right user.

Does anyone know how I can identify in an efficient way the logged in Google Account user?

I suppose I can always call the userinfo endpoint, but doing this on every page of my application seems overkill to me, and I would like a more efficient approach.

I am programming in PHP and using the 'google-api-php-client' library for development.

Thanks in advance for your help.

Recommended answer

You're right. Currently the most efficient way to do this is to query the userinfo endpoint.

However, depending on what your UI looks like, we've found that giving the option to change identities is a good compromise. A small link like "not you?" on the signed-in button is an option. There is a very new API that is not fully documented that lets you force a user to select another account. See this answer: Force google account chooser

We hope to make this more seamless and efficient for websites but have nothing more to announce at this moment.
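
One way to wire up the "not you?" link and the identity check discussed above, as an added example that is not part of the original question or answer and not code from google-api-php-client. The helper names, the client ID placeholder and the `app.example` redirect URI are hypothetical; `prompt=select_account` is the Google authorization-endpoint parameter that shows the account chooser.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not part of google-api-php-client.

/** Build the "Not you?" link. prompt=select_account makes Google show the account chooser. */
function notYouUrl(string $clientId, string $redirectUri, string $state): string
{
    return 'https://accounts.google.com/o/oauth2/v2/auth?' . http_build_query([
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'response_type' => 'code',
        'scope'         => 'openid email',
        'access_type'   => 'offline',
        'prompt'        => 'select_account',
        'state'         => $state, // CSRF token, to be checked on the callback
    ]);
}

/**
 * Call on the OAuth callback with the user ID just returned by userinfo.
 * Returns [newSession, 'new' | 'same' | 'switched']. When the ID differs from
 * the one already bound, everything cached for the previous account is dropped
 * so no page can render the old user's data under the new identity.
 */
function bindGoogleUser(array $session, string $googleUserId): array
{
    $previous = $session['google_user_id'] ?? null;
    if ($previous === $googleUserId) {
        return [$session, 'same'];
    }
    // First login or a different account: start from an empty session.
    $status = $previous === null ? 'new' : 'switched';
    return [['google_user_id' => $googleUserId], $status];
}

// Constructed sample run: a session bound to user 1111 receives a callback for user 2222.
$session = ['google_user_id' => '1111', 'cached_profile' => ['name' => 'Alice']];
[$session, $status] = bindGoogleUser($session, '2222');
// In a real handler, also call session_regenerate_id(true) when $status !== 'same'.
var_dump($status, $session);

echo notYouUrl('YOUR_CLIENT_ID', 'https://app.example/oauth2callback', bin2hex(random_bytes(16))), "\n";
```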
