验证Chrome扩展与非谷歌的API使用谷歌帐户 [英] Authenticate Chrome extension with non-Google API using Google account
问题描述
我的是大量使用谷歌企业应用套件,现在Chrome操作系统设备的一个教育机构的工作。当我们走上一个项目是开发一个Chrome扩展(可能是多个),这将复制在Windows环境下的功能,我们有。这些将仅在我们的域和对我们的设备一般使用的,无法使用。
I work for an educational institution which is making heavy use of Google Apps and now ChromeOS devices. A project we've embarked upon is to develop a Chrome extension (possibly multiple) which will duplicate functionality we have in the Windows environment. These will be used only within our domain and on our devices, not available generally.
我们有一个HTTP / JSON的API构建都是在室内,它提供的各种详细信息,如提醒和其他的东西从我们的管理信息系统(同样,在内部构建),并能提供与弹出窗口信息等。这是可能的,以确保API知道谁是当前用户是通过Windows下的NTLM身份验证。
We have an HTTP/JSON-based API built in-house which provides various details such as reminders and other stuff from our MIS (again, built in-house) and can provide popups with this information and so on. It's possible to make sure the API knows who the current user is via NTLM authentication under Windows.
我需要的API能够知道谁从Chrome设备访问,当用户以某种方式。这意味着扩展需要能够告诉用户是谁以安全的方式在API。如果API可以建立登录用户的谷歌Apps电子邮件地址,就可以判断谁的人从我们的数据库。我的问题是,我怎么做到这一点?
I need some way of the API being able to know who the user is when accessing from a Chrome device. This means the extension needs to be able to tell the API who the user is in a secure manner. If the API can establish the logged in user's Google Apps email address, it can determine who the person is from our database. My question is, how do I achieve this?
这被认为和拒绝一些解决方案:
Some solutions that have been considered and rejected:
- 的扩展直接告诉API当前用户的电子邮件地址
的拒绝由于这一事实,它可以很容易伪造。这必须是安全的。的 - 询问用户输入他们的Active Directory凭据,而不是
的延伸应该能够在没有用户输入的操作 - 我们可以授权代表用户对谷歌Apps域扩展的 。
- Have the extension simply tell the API the current user's email address
Rejected due to the fact it could be easily faked. This must be secure. - Ask the user for their Active Directory credentials instead
The extension should be able to operate without user input - we can authorise the extension against the Google Apps domain on users' behalf.
在另外的谷歌的OAuth 2.0登录似乎是特定于它们psented在浏览器$ P $网站。这需要时自动处理。
In addition the Google OAuth 2.0 for login seems to be specific to websites which are presented in a browser. This needs to be handled silently.
据我所知,这是一个非常模糊的问题,但很类似问题的任何建议或例子得到解决。将AP preciated。 它的核心就是:我怎么能与使用谷歌凭据非谷歌API的一个Chrome扩展身份验证? (该API可以扩展到支持这种在必要的任何方式。)
I understand that this is a very vague question, but any recommendations or examples of very similar problems being solved would be appreciated. The core of it is this: how can I have a Chrome extension authenticate with a non-Google API using Google credentials? (The API can be extended to support this in any way necessary.)
一些进一步的细节:
- 在我们的API是基于.NET的
- 在Chrome扩展可以运行在我们的学院只有这些设备中的设备将被注册到我们的领域。只有域内的用户将被记录并运行该扩展。
推荐答案
您可以执行以下操作:
- 在谷歌云控制台,创建一个API凭证的Chrome扩展
在Chrome扩展,使用身份API 以获得身份验证令牌该应用程序并将其发送给您的API。您只需要这个范围: https://www.googleapis.com/auth/userinfo.email
In the Chrome extension, use the Identity API to obtain an authentication token for this application and send it to your API. You only need this scope :
https://www.googleapis.com/auth/userinfo.email
在你身边的API,每次收到令牌时,请访问以下网址(更换访问令牌与一个由分机发送的例子):
On your API side, every time you receive a token, access the following URL (replace the access token in the example with the one sent by the extension) :
<一个href="https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29.iAXXXXXXXXXXXXXXi-mrflhzc-X-U14eb" rel="nofollow">https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29.iAXXXXXXXXXXXXXXi-mrflhzc-X-U14eb
您会得到这样的事情:`
You will get something like this :`
{
"issued_to": "407408718192.apps.googleusercontent.com",
"audience": "407408718192.apps.googleusercontent.com",
"user_id": "1170123456778279183758",
"scope": "https://www.googleapis.com/auth/userinfo.email",
"expires_in": 3585,
"email": "someone@yourdomain.com",
"verified_email": true,
"access_type": "offline"
}
确认,观众是Chrome委托人身份证(非常重要),你有电子邮件!
Make sure that the audience is the Chrome client id (very important), and you have the email !
这篇关于验证Chrome扩展与非谷歌的API使用谷歌帐户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
