跨客户端 Google OAuth:在 iOS 上获取身份验证代码并在服务器上获取访问令牌 [英] Cross-client Google OAuth: Get auth code on iOS and access token on server
问题描述
我正在尝试使用我的 iOS 应用和 Rails 网络应用设置 Google OAuth.我在 API 控制台中设置了 2 个单独的客户端(当然具有不同的客户端 ID,但具有相同的前缀).一个用于 iOS 应用程序,另一个用于网络应用程序(它也有一个 client_secret.我想在 iOS 上使用 AppAuth SDK 来获取用户的身份验证代码,然后将其发送到我的网络应用程序,然后将执行访问令牌的交换.
I'm trying to set up Google OAuth with my iOS app and Rails web app. I have 2 separate clients (with of course different client IDs, but with the same prefix) set up in the API Console. One for the iOS app, and the other for the web app (which also has a client_secret. I want to use the AppAuth SDK on iOS to get the user's auth code, then send that to my web app, which will then perform the exchange for the access token.
首先,这听起来是否合理,还是不可能像这样在客户之间拆分交易?
First of all, does this sound like a reasonable thing to do, or is it not possible to split the transaction across clients like that?
我的第一次尝试是仅获取验证码并执行交换,但由于 missing_code_verifier invalid_grant 错误而失败,所以我也通过了相同的 code_verifier AppAuth 用于将身份验证代码发送到我的服务器,并修复了该错误.首先,这个code verifier是不是一定要传给服务器呢?好像有点奇怪.
My first try was to just take the auth code and perform the exchange, but that failed with the missing_code_verifier invalid_grant error, so I also passed the same code_verifier that AppAuth used to get the auth code to my server, and that fixed that error. First of all, is it necessary to pass this code verifier to the server? Seems a little strange.
但现在,它因 unauthorized_client 错误而失败.我的网络应用发出这样的请求:
Now though, it fails with the unauthorized_client error. My web app is making a request like this:
{
"grant_type"=>"authorization_code",
"code"=>"4/XYZ...",
"client_id"=>"WEB_APP_CLIENT_ID_HERE.apps.googleusercontent.com",
"client_secret"=>"WEB_APP_CLIENT_SECRET_HERE",
"redirect_uri"=>"https://www.myapp.com/oauth_callback",
"parse"=>"json",
"code_verifier"=>"CODE_VERIFIER_STRING_HERE"
}
查看以下帖子:
看起来 redirect_uri 可能是这里的问题.我在 iOS 上的 AppAuth 配置将重定向 URI 设置为 com.googleusercontent.apps.iOS_CLIENT_ID_HERE,以及 Info.plist URL 方案.API 控制台中 Web 应用程序的授权重定向 URI"部分有一堆 Web URL,我还向其中添加了 com.google....这个配置不正确?在进行跨客户端身份验证时,redirect_uri 是否重要?
it looks like the redirect_uri might be an issue here. My AppAuth config on iOS has the redirect URI set as com.googleusercontent.apps.iOS_CLIENT_ID_HERE, and the Info.plist URL scheme too. The web app's "Authorized redirect URIs" section in the API Console has a bunch of web URLs, and I added the com.google... to it as well. Is this config incorrect? Is the redirect_uri important when doing cross-client auth?
非常感谢任何帮助!到目前为止,我所有的反复试验都没有结果:(
Any help is greatly appreciated! All my trial-and-error have had no fruition so far :(
推荐答案
我是 AppAuth 的首席维护者,在 Google Identity Platform 上工作;希望我能帮上忙.
I am the lead maintainer of AppAuth, and work on the Google Identity Platform; hopefully I can help.
我想在 iOS 上使用 AppAuth SDK 来获取用户的授权码,然后将其发送到我的网络应用程序,然后该应用程序将执行访问令牌的交换.
I want to use the AppAuth SDK on iOS to get the user's auth code, then send that to my web app, which will then perform the exchange for the access token.
首先,这听起来是否合理,还是不可能像这样在客户之间拆分交易?
First of all, does this sound like a reasonable thing to do, or is it not possible to split the transaction across clients like that?
在您的服务器上交换代码听起来很合理,但我认为您使用的配置可能不正确.如果您在服务器上请求代码进行交换,请在对授权服务器的请求中使用服务器的客户端 ID.从您的描述看来,您的授权服务器请求正在发送您的 iOS 客户端 ID,然后您正在与您的服务器客户端 ID 进行交换,我相信这就是您看到unauthorized_client"的原因.错误.
Exchanging the code on your server sounds reasonable, however I think the configuration you are using is possibly incorrect. If you are requesting a code for exchange on your server, use the server's client id in the request to the authorization server. From your description it sounds like your authorization server request is sending your iOS client ID, and you are then doing the exchange with your server client ID, and I believe this is why you are seeing an "unauthorized_client" error.
这不是很好的文档,对此深表歉意.在离线访问"文档的本部分中提到了这一点.,尽管它纯粹是通过 GoogleApiClient 谈论 Android 使用情况.
This is not terribly well documented, apologies for that. It is alluded to in this section of the documentation on "offline access", though it talks about it purely in terms of Android usage via GoogleApiClient.
是否有必要将这个代码验证器传递给服务器?好像有点奇怪.
is it necessary to pass this code verifier to the server? Seems a little strange.
PKCE 背后的意图是确保发出授权请求的实体与发出代码交换请求的实体相同.code_verifier 在正常情况下不应离开设备.
The intention behind PKCE is to ensure that the entity making the authorization request is the same as the entity making the code exchange request. The code_verifier should not leave the device under normal circumstances.
但是,如果您使用后端控制的客户端密钥交换代码,则没有必要使用 PKCE;对于这种情况,您可以在 AppAuth 中禁用 PKCE.
However, it is not necessary to use PKCE if you are exchanging your code using a client secret controlled by your backend; you can disable PKCE in AppAuth for this scenario.
这篇关于跨客户端 Google OAuth:在 iOS 上获取身份验证代码并在服务器上获取访问令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
