Validating Google ID tokens in C#


Problem description

I need to validate a Google ID token passed from a mobile device at my ASP.NET web api.

Google have some sample code here but it relies on a JWT NuGet package which is .Net 4.5 only (I am using C#/.Net 4.0). Is anyone aware of any samples which do this without these packages or has achieved this themselves? The use of the package makes it very difficult to work out what I need to do without it.

Recommended answer

The challenge is validating the JWT certificate in the ID token. There is currently not a library I'm aware of that can do this that doesn't require .Net 4.5 and until there is a solution for JWT validation in .NET 4.0, there will not be an easy solution.

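However, if you have an access token, you can look into performing validation using oauth2.tokeninfo (https://developers.google.com/apis-explorer/#search/oauth2.tokeninfo/m/oauth2/v1/oauth2.tokeninfo). To perform basic validation using token info, you can do something like the following: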

// Use Tokeninfo to validate the user and the client.
var tokeninfo_request = new Oauth2Service().Tokeninfo();
tokeninfo_request.Access_token = _authState.AccessToken;
var tokeninfo = tokeninfo_request.Fetch();
if (userid == tokeninfo.User_id
    && tokeninfo.Issued_to == CLIENT_ID)
{
    // Basic validation succeeded
}
else
{
    // The credentials did not match.
}

The information returned from the Google OAuth2 API tells you more information about a particular token such as the client id it was issued to as well as its expiration time.

Note: You should not be passing around the access token but instead should be doing this check after exchanging a one-time code to retrieve an access token.
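
The same tokeninfo check without the Google client library, using only .NET 4.0 framework classes; this is an added example, not code from the original question or answer. The comparison on `issued_to` is what rejects a token that was minted for a different client and replayed against your API. Assumptions: the REST endpoint URL, the JSON field names (`issued_to`, `user_id`, `expires_in`), and the sample IDs, which are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Web.Script.Serialization; // reference System.Web.Extensions (.NET 4.0)

static class TokenInfoCheck
{
    // Assumed endpoint: the v1 tokeninfo REST method that Oauth2Service wraps.
    const string Endpoint = "https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=";

    // Returns the raw JSON, or null when the request fails (e.g. token rejected).
    public static string Fetch(string accessToken)
    {
        try
        {
            using (var client = new WebClient())
                return client.DownloadString(Endpoint + Uri.EscapeDataString(accessToken));
        }
        catch (WebException) { return null; }
    }

    // Fails closed: missing, mismatched, expired or unparsable data rejects the token.
    public static bool IsValid(string json, string clientId, string userId)
    {
        if (string.IsNullOrEmpty(json) || string.IsNullOrEmpty(clientId)
            || string.IsNullOrEmpty(userId)) return false;
        try
        {
            var info = new JavaScriptSerializer().Deserialize<Dictionary<string, object>>(json);
            object issuedTo, user, expires;
            if (info == null || info.ContainsKey("error")
                || !info.TryGetValue("issued_to", out issuedTo)
                || !info.TryGetValue("user_id", out user)
                || !info.TryGetValue("expires_in", out expires)) return false;
            return string.Equals(issuedTo as string, clientId, StringComparison.Ordinal)
                && string.Equals(user as string, userId, StringComparison.Ordinal)
                && Convert.ToInt64(expires) > 0;
        }
        catch (Exception) { return false; } // malformed JSON or non-numeric expiry
    }

    static void Main()
    {
        const string me = "my-app.apps.googleusercontent.com"; // constructed client id
        // Constructed sample responses: matching client, other client, rejected token.
        Console.WriteLine(IsValid("{\"issued_to\":\"" + me + "\",\"user_id\":\"1234567890\",\"expires_in\":3540}", me, "1234567890"));
        Console.WriteLine(IsValid("{\"issued_to\":\"other-app.apps.googleusercontent.com\",\"user_id\":\"1234567890\",\"expires_in\":3540}", me, "1234567890"));
        Console.WriteLine(IsValid("{\"error\":\"invalid_token\"}", me, "1234567890"));
    }
}
```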
