OAuth2ErrorException invalid_token 在服务器上的 GoogleAuthUtil.getToken() Google+ 上验证令牌时 [英] OAuth2ErrorException invalid_token when verifying token on GoogleAuthUtil.getToken() Google+ on server
问题描述
第一次使用 Google+ API.我有一个带有 Web 和 Android 客户端的应用程序,它使用 G+ 进行身份验证.Web 客户端运行良好.我在 Google API 控制台中设置了一个Web 应用程序的客户端 ID",我用它来通过 javascript 客户端获取令牌.
javascript 客户端使用以下按钮(基本上逐字取自 Google 演示应用程序):
<块引用>我在 Python 服务器上验证:
<块引用>url = ('https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=%s' % 令牌)h = httplib2.Http()结果 = json.loads(h.request(url, 'GET')[1])到目前为止一切顺利.令牌按预期验证.
现在对于 android 应用程序...我为同一个项目设置了一个android 应用程序的客户端 ID",并使用以下生成的调试指纹:keytool -exportcert -alias androiddebugkey -keystore debug.keystore -list -v
客户端 ID 名称的包与我的 Android 清单中的内容相匹配.
我正在使用 GoogleAuthUtil 在我的 Android 应用中生成令牌:
字符串标记 =GoogleAuthUtil.getToken(这个,"selected@email.address","oauth2:server:client_id::" +"api_scope:https://www.googleapis.com/auth/plus.login"); 如果我使用我新创建的 Android 应用客户端 ID,我会得到:GoogleAuthException:com.google.android.gms.auth.GoogleAuthException:未知
我还没有弄清楚,但一些解决方案暗示我应该只使用 Web 应用程序客户端 ID,并且异常按预期工作.
如果我使用我的 Web 应用程序客户端 ID,那么一切似乎都可以正常工作并返回一个令牌,但是当我将令牌发送到我的服务器进行验证时,令牌被拒绝:
{u'error_description': u'Invalid Value', u'debug_info': u'code: INVALID_VALUEhttp 状态:400参数:[invalid_token]原因:com.google.security.lso.protocol.oauth2.common.OAuth2ErrorException:\invalid_token 在com.google.security.lso.grant.token.TokenManager.getTokenInfo(TokenManager.java:603) 在com.google.security.lso.apiary.tokeninfo.TokenInfoAction.execute(TokenInfoAction.java:92)我已经验证到达服务器的令牌与应用中获取的令牌相同(没有杂散空白等).
知道我做错了什么吗?感谢您的任何建议!
我最终做了以下事情:
调用 GoogleAuthUtil 时,而不是以下范围:
<块引用>oauth2:server:client_id::api_scope:https://www.googleapis.com/auth/plus.login 我用过:
<块引用>audience:server:client_id:其中 client_id 是 web 客户端 ID.
这会产生一个更长的令牌.您可以通过以下方式解密/验证此令牌:
<块引用>https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=注意查询参数键是id_token,而不是access_token.
服务器响应如下:
<块引用><代码>{"issuer": "accounts.google.com","issued_to": "","观众": "","user_id": "",expires_in":3354,issued_at":1406474776,"email": "<传递给 GaiaAuthUtil 的电子邮件地址>",verified_email":真} 在您的服务器上,您:
- 验证受众和发布的字符串是否符合您的预期
- 验证用户名/电子邮件是否已授权
然后继续处理请求.
此解决方案混合了来自其他 StackExchange 讨论和本教程的信息:http://android-developers.blogspot.com/2013/01/verifying-back-end-calls-from-android.html
希望这会为某人节省一些时间!
First time using the Google+ API. I have an application with a web and Android client that uses G+ for authentication. Web client is working nicely. I have a "Client ID for web application" set up in the Google API console, which I use to fetch a token with a javascript client.
The javascript client uses the following button (taken basically verbatim from a Google demo app):
<button class="g-signin" data-scope="https://www.googleapis.com/auth/plus.login" data-requestvisibleactions="http://schemas.google.com/AddActivity" data-clientId="my_web_application_client_id" data-callback="onSignInCallback" data-theme="dark" data-cookiepolicy="single_host_origin">
I verify on the Python server with:
url = ('https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=%s' % token) h = httplib2.Http() result = json.loads(h.request(url, 'GET')[1])
So far so good. Token verifies as expected.
Now for the android app... I set up a "Client ID for android application" for the same project with a debug fingerprint generated by: keytool -exportcert -alias androiddebugkey -keystore debug.keystore -list -v
The package for the client id name matches what's in my Android manifest.
I'm using GoogleAuthUtil to generate a token in my Android app:
String token =
GoogleAuthUtil.getToken(
this,
"selected@email.address",
"oauth2:server:client_id:<client_id>:" +
"api_scope:https://www.googleapis.com/auth/plus.login");
If I use my my newly-created android app client id, I get: GoogleAuthException: com.google.android.gms.auth.GoogleAuthException: Unknown
I haven't figured that one out yet, but some solutions hint that I should just be using the web application client id and that the Exception is working as intended.
If I use my web application client id, then everything appears to work just fine and a token is returned, but when I send the token to my server to verify, the token gets rejected:
{u'error_description': u'Invalid Value', u'debug_info': u'code: INVALID_VALUE
http status: 400
arguments: [invalid_token]
cause: com.google.security.lso.protocol.oauth2.common.OAuth2ErrorException:\
invalid_token at
com.google.security.lso.grant.token.TokenManager.getTokenInfo(TokenManager.java:603) at
com.google.security.lso.apiary.tokeninfo.TokenInfoAction.execute(TokenInfoAction.java:92)
I've verified the token arriving at the server is the same one that is fetched in the app (no stray whitespace, etc).
Any ideas what I'm doing wrong? Thanks for any suggestions!
What I ended up doing is the following:
When calling GoogleAuthUtil, instead of the following scope:
oauth2:server:client_id:<client_id>:api_scope:https://www.googleapis.com/auth/plus.login
I used:
audience:server:client_id:<client_id>
where client_id is the web client id.
This produces a much longer token. You can decrypt/authenticate this token via:
https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=<token>
Note that the query param key is id_token, not access_token.
The server responds with the following:
{ "issuer": "accounts.google.com", "issued_to": "<android_client_id>", "audience": "<web_client_id>", "user_id": "<some_long_integer>", "expires_in": 3354, "issued_at": 1406474776, "email": "<email address passed to GaiaAuthUtil>", "verified_email": true }
On your server, you then:
- Verify that the audience and issued_to strings are what you expect
- Verify the userid/email is authorized
then carry on with the request processing.
This solution is a mixture of information from other StackExchange discussions and this tutorial: http://android-developers.blogspot.com/2013/01/verifying-back-end-calls-from-android.html
Hope this will save someone some time!
这篇关于OAuth2ErrorException invalid_token 在服务器上的 GoogleAuthUtil.getToken() Google+ 上验证令牌时的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
