在 Android 客户端/服务器应用程序中实现 Google 登录 [英] Implement Google login in Android Client/Server app

问题描述

我正在开发的应用由两部分组成:

The app I am working on consist two parts:

1. 原生安卓应用
2. 网络服务

我想在应用程序和基于用户 Google 帐户的网络服务之间实现登录程序.阅读谷歌的开发者网站，我了解如何让用户在他的移动设备上授权一个 API 项目，我不明白的是如何将它传递给服务器以及如何处理原生 android 应用程序和我的网络服务之间的通信.

I want to implement a login procedure between the app and the webservice that is based on the user's Google account. Reading Google's developers site I understand how to make the user authorize an API project on his mobile device, what I fail to understand is how to pass it on to the server and how the communication should be dealt with between the native android app and my webservice.

移动应用如何针对 Google 身份验证服务器使用 oauth2 并获取其访问令牌这一事实如何保护它与我的服务器端的通信?

How is the fact that the mobile app used the oauth2 against Google auth servers and got it's access token, secures the communication it has with my server side?

澄清

假设本机应用对 Google 执行身份验证过程并接收令牌.然后应用程序可以访问用户个人资料并获取他的电子邮件地址 - 电子邮件地址肯定是他的.现在，用户将 POST 数据中的电子邮件地址发送到我的服务.电子邮件是他的，但服务器无法验证它.因此，假设有人发现了应用程序发送到我的服务器的 url 路径和 POST 数据语法，然后他可以向该调用注入任何电子邮件地址.服务器如何验证电子邮件地址是否有效?

Let's say the native app doing the auth process against Google and receives a token. Then the app can access the user profile and fetch he's email address - the email address is his for sure. Now the user sends the email address in the POST data to my service. The email is his, but the server cannot verify it. So lets say if someone finds out the url path and POST data syntax the app sends to my server, he then can inject any email address to that call. How can the server verify the email address as a valid one?

推荐答案

要验证应用程序用户，请查看此帖子:验证来自 Android 应用的后端调用

For verifying the app user, check out this post: Verifying Back-End Calls from Android Apps

1. 在应用中，您只需通过 Google Play 接收 Google 令牌 ID服务，真的很简单.
2. 然后您将此令牌发送到您的后端，在那里您根据 Google API 对其进行验证.有一些库可以为您处理这个问题(例如，对于 PHP).如果您想处理此问题，此答案中的有效负载还包含用户的电子邮件和 ID.

1. In the app you can simply receive a Google token-id via the Google Play Services, which is really easy.
2. Then you send this token to your backend, where you validate it against a Google API. There are libraries for handling this for you (e.g. for PHP). The payload in this answer also contains the user's email and id if you want to deal with this.

这篇关于在 Android 客户端/服务器应用程序中实现 Google 登录的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！