How can I verify a Google authentication API access token?


Question

How can I verify a Google authentication access token?

I need to somehow query Google and ask: is [given access token] valid for the [example@example.com] Google account?


Short version:
It's clear how an access token supplied through the Google Authentication Api :: OAuth Authentication for Web Applications can be used to then request data from a range of Google services. It is not clear how to check if a given access token is valid for a given Google account. I'd like to know how.


Long version:
I'm developing an API that uses token-based authentication. A token will be returned upon provision of a valid username+password or upon provision of a third-party token from any one of N verifiable services.


One of the third-party services will be Google, allowing a user to authenticate against my service using their Google account. This will later be extended to include Yahoo accounts, trusted OpenID providers and so on.

A diagrammatic example of Google-based access:

Figure: http://webignition.net/images/figures/auth_figure002.png

API"实体完全由我控制.公共界面"实体是任何基于 Web 或桌面的应用程序.一些公共接口在我的控制之下,其他的不会,还有一些我可能永远都不知道.

The 'API' entity is under my full control. The 'public interface' entity is any web- or desktop-based app. Some public interfaces are under my control, others will not be and others still I may never even know about.


Therefore I cannot trust the token supplied to the API in step 3. This will be supplied along with the corresponding Google account email address.


I need to somehow query Google and ask: Is this access token valid for example@example.com?


In this case, example@example.com is the Google account unique identifier - the email address someone uses to log in to their Google account. This cannot be assumed to be a Gmail address - someone can have a Google account without having a Gmail account.


The Google documentation clearly states how, with an access token, data can be retrieved from a number of Google services. Nothing seems to state how you can check if a given access token is valid in the first place.


Update The token is valid for N Google services. I can't try a token against a Google service as means of verifying it as I won't know which subset of all Google's services a given user actually uses.


Furthermore, I'll never be using the Google authentication access token to access any Google services, merely as a means of verifying a supposed Google user actually is who they say they are. If there is another way of doing this I'm happy to try.

Recommended answer


For the user check, just get the access token as accessToken, post it, and get the response:

https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=accessToken


You can try it in the browser's address bar too; in Java, use HttpPost and read the response.

The response is like:

{
  "issued_to": "xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
  "audience": "xxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com",
  "user_id": "xxxxxxxxxxxxxxxxxxxxxxx",
  "scope": "https://www.googleapis.com/auth/userinfo.profile https://gdata.youtube.com",
  "expires_in": 3340,
  "access_type": "offline"
}


The scope is the permission granted to the accessToken. You can check the scope ids in this link.

Update: with the new API, post as follows:

https://oauth2.googleapis.com/tokeninfo?id_token=XYZ123

The response is as follows:

{
  // These six fields are included in all Google ID Tokens.
  "iss": "https://accounts.google.com",
  "sub": "110169484474386276334",
  "azp": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
  "aud": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
  "iat": "1433978353",
  "exp": "1433981953",

  // These seven fields are only included when the user has granted the "profile" and
  // "email" OAuth scopes to the application.
  "email": "testuser@gmail.com",
  "email_verified": "true",
  "name" : "Test User",
  "picture": "https://lh4.googleusercontent.com/-kYgzyAWpZzJ/ABCDEFGHI/AAAJKLMNOP/tIXL9Ir44LE/s99-c/photo.jpg",
  "given_name": "Test",
  "family_name": "User",
  "locale": "en"
}

For more information, see https://developers.google.com/identity/sign-in/android/backend-auth
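An added example, not from the question or the answer above, of what the API should check once it has the tokeninfo response: a 200 from the endpoint only proves Google minted the token, so the server still has to confirm the issuer, that the token was issued for its own client ID (aud), that it has not expired, and that the verified e-mail matches the account the public interface claimed. The client ID and the sample response are constructed placeholders; tokeninfo returns numeric and boolean claims as strings, which the code handles.

```python
import json
import time

GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

def validate_id_tokeninfo(body, expected_client_id, claimed_email, now=None):
    """Validate the JSON body returned by
    https://oauth2.googleapis.com/tokeninfo?id_token=... for OUR client.
    Returns (True, sub) on success or (False, reason) on failure."""
    now = int(time.time()) if now is None else now
    try:
        claims = json.loads(body)
    except ValueError:
        return False, "response is not JSON"
    # Google answers an invalid token with an error object, not a 2xx claim set.
    if "error" in claims or "error_description" in claims:
        return False, "google rejected the token"
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer"
    # A token minted for some other app must not unlock our API.
    if claims.get("aud") != expected_client_id:
        return False, "token was issued for a different client"
    try:
        exp = int(claims["exp"])  # tokeninfo serialises exp as a string
    except (KeyError, ValueError):
        return False, "missing or malformed exp"
    if exp <= now:
        return False, "token expired"
    # email_verified arrives as the string "true"; coerce before trusting it.
    verified = str(claims.get("email_verified", "false")).lower() == "true"
    if not verified:
        return False, "email not verified by Google"
    if (claims.get("email") or "").lower() != claimed_email.lower():
        return False, "token belongs to a different account"
    # Key your own user records on the stable "sub", not on the e-mail address.
    return True, claims["sub"]

# Constructed sample response modelled on the one in the answer (not a real token).
SAMPLE_CLIENT_ID = "CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com"
SAMPLE_BODY = json.dumps({
    "iss": "https://accounts.google.com", "sub": "110169484474386276334",
    "azp": SAMPLE_CLIENT_ID, "aud": SAMPLE_CLIENT_ID,
    "iat": "1433978353", "exp": "1433981953",
    "email": "testuser@gmail.com", "email_verified": "true",
})

if __name__ == "__main__":
    print(validate_id_tokeninfo(SAMPLE_BODY, SAMPLE_CLIENT_ID, "testuser@gmail.com", now=1433980000))
```

In production, fetch the body with an HTTPS request to the tokeninfo URL the answer gives and pass it straight to this function; treat any non-2xx status the same as the error case.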
