How to use scoped APIs with (GSI) Google Identity Services


Problem description

Google recently sent me an email with the following:

One or more of your web applications uses the legacy Google Sign-In JavaScript library. Please migrate your project(s) to the new Google Identity Services SDK before March 31, 2023

The project in question uses the Google Drive API alongside the now legacy authentication client.

The table on the migration page (https://developers.google.com/identity/gsi/web/guides/migration) says:

JavaScript libraries
apis.google.com/js/platform.js | accounts.google.com/gsi/client | Note: replace old with new.
apis.google.com/js/api.js | accounts.google.com/gsi/client | Note: replace old with new.

I was currently using gapi on the front-end to perform authorization which is loaded from apis.google.com/js/api.js. According to the table I would need to replace it with the new library.

I've tried the following to authenticate and authorize in the same manner that I used to do with gapi:

window.google.accounts.id.initialize({
  client_id: GOOGLE_CLIENT_ID,
  callback: console.log,
  scope: "https://www.googleapis.com/auth/drive.file",
  discoveryDocs: ["https://www.googleapis.com/discovery/v1/apis/drive/v3/rest"],
});

window.google.accounts.id.renderButton(ref.current, {
  size: "medium",
  type: "standard",
});

However, when I try to authenticate with the Google Sign In button, the scope field is not respected and it does not ask the user to authorize the requested scopes. It also doesn't return any form of access token in the Credential Response in the callback.

I'm not sure how else to authorize using the new library.

Recommended answer

In the new Google Identity Services, the authentication moment and the authorization moment are separated. This means GIS provides different APIs for websites to call at these two different moments. You cannot combine them in one API call (and UX flow) any more.

In the authentication moment, users just sign in or sign up to your website (by leveraging the information shared by Google). The only decision users need to make is whether they want to sign in (or sign up). No authorization-related decision needs to be made at this point.

In the authentication moment, users will see a consistent One Tap or button UX across all websites (since the same scopes are requested implicitly). Consistency leads to a smoother UX, which may further lead to more usage. With the consistent and optimized authentication UX (across all websites), users will have a better experience with federated sign-in.

After users sign in, when you really want to load some data from a Google data service, you can call the GIS authorization API to trigger a UX flow that allows end users to grant the permission. That's the authorization moment.

Currently (August 2021), only the authentication API has been published. If your website only cares about authentication, you can migrate to GIS now. If you also need the authorization API, you have to wait for further notice.
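Added example, not part of the original question or answer: the two moments described above, wired separately. It assumes the authorization API that GIS published after this answer was written (google.accounts.oauth2.initTokenClient); the helper names decodeIdTokenClaims and setupTwoMoments are hypothetical, and the google object is passed in as a parameter so the wiring can be exercised with a stub.

```javascript
// Added example: authentication and authorization handled as two separate calls.
const DRIVE_SCOPE = "https://www.googleapis.com/auth/drive.file";

// Decode (NOT verify) the ID token payload returned by the authentication moment.
// Use it for display only; a backend must verify signature, aud, iss and exp.
function decodeIdTokenClaims(credential) {
  const parts = String(credential).split(".");
  if (parts.length !== 3) throw new Error("credential is not a JWT");
  let b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4); // restore base64 padding
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Returns a function that starts the authorization moment; call it from a
// user gesture (for example a click handler) so the consent popup is not blocked.
function setupTwoMoments(google, clientId, onSignedIn, onAccessToken, onError) {
  // Authentication moment: only an ID token comes back; no scope is requested here.
  google.accounts.id.initialize({
    client_id: clientId,
    callback: (resp) => onSignedIn(decodeIdTokenClaims(resp.credential)),
  });

  // Authorization moment: a separate token client asks for the Drive scope.
  const tokenClient = google.accounts.oauth2.initTokenClient({
    client_id: clientId,
    scope: DRIVE_SCOPE,
    callback: (resp) => {
      if (resp.error) return onError(new Error(resp.error));
      // The user can decline a scope, so check what was actually granted.
      const granted = (resp.scope || "").split(" ");
      if (!granted.includes(DRIVE_SCOPE)) return onError(new Error("scope_not_granted"));
      onAccessToken(resp.access_token);
    },
  });
  return () => tokenClient.requestAccessToken();
}
```

The access token stays in the browser and authorizes Drive API calls; the ID token is what a backend verifies to establish who the user is.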
