Migrating from Google OpenID to new OAuth 2


Question

I see that there are some questions about this already, but none that I found goes into any details.

I have been using my own code from DotNetOpenAuth before, but now I decided to switch over to the Microsoft Wrapper for Authentication. Anyway, I found this really good OAuth client:

https://github.com/mj1856/DotNetOpenAuth.GoogleOAuth2

It seems to work fine, but now it comes to the migration part. In my current login system I save the full OpenID URL that Google returns, which is in the form of:

https://www.google.com/accounts/o8/id?id=????????????????????????????????????

According to the documentation here https://developers.google.com/accounts/docs/OpenID I should be able to get that value in some way via the new OAuth system.

I have included the "openid.realm" parameter in the Auth request.

    return BuildUri(AuthorizationEndpoint, new NameValueCollection
        {
            { "response_type", "code" },
            { "client_id", _clientId },
            { "scope", string.Join(" ", scopes) },
            { "redirect_uri", returnUrl.GetLeftPart(UriPartial.Path) },
            { "state", state },
            { "openid.realm", "http://myoldopenidrealm" }
        });



And as far as I understand the documentation, that should be all I need to do. I have made sure that the Realm I used for my OpenID 2 authentication is the same, and it's also the same as my return URL.

After I've done that I do the token request, and as I understand it, it's here that I should see an "open_id" field, but I cannot understand how to get it.

    protected override string QueryAccessToken(Uri returnUrl, string authorizationCode) {
        var postData = HttpUtility.ParseQueryString(string.Empty);
        postData.Add(new NameValueCollection
            {
                { "grant_type", "authorization_code" },
                { "code", authorizationCode },
                { "client_id", _clientId },
                { "client_secret", _clientSecret },
                { "redirect_uri", returnUrl.GetLeftPart(UriPartial.Path) },
            });

        var webRequest = (HttpWebRequest)WebRequest.Create(TokenEndpoint);

        webRequest.Method = "POST";
        webRequest.ContentType = "application/x-www-form-urlencoded";

        using (var s = webRequest.GetRequestStream())
        using (var sw = new StreamWriter(s))
            sw.Write(postData.ToString());

        using (var webResponse = webRequest.GetResponse()) {
            var responseStream = webResponse.GetResponseStream();
            if (responseStream == null)
                return null;

            using (var reader = new StreamReader(responseStream)) {
                var response = reader.ReadToEnd();
                var json = JObject.Parse(response);
                var accessToken = json.Value<string>("access_token");
                return accessToken;
            }
        }
    }

This is what the documentation says, and I can't see either the "sub" or the "openid_id" field.

*The response from that token request includes the usual fields (access_token, etc.), plus an openid_id field and the standard OpenID Connect sub field. The fields you need in this context are openid_id and sub:*

Recommended answer

sub and openid_id fields are contained in the OpenID Connect ID token (http://openid.net/specs/openid-connect-core-1_0.html#IDToken), rather than the access token.

You can get an ID token either via the token endpoint (same one that you use to retrieve access tokens) or alternatively you can also retrieve it directly from the OpenID Connect authentication request (by adding id_token to the response_type parameter, potentially saving a back-end call to the token endpoint).

Hope that helps!

-

Sample of how to get an ID token

(flows generated using oauthplayground -- highly recommended tool to debug OAuth2/OpenID Connect flows)


  1. Go to https://developers.google.com/oauthplayground
  2. Select (for instance) Oauth2 API v2 userinfo.email scope
  3. Click Authorize APIs
  4. Approve OAuth2 request
  5. Press the "Exchange authorization code for tokens" button.

You can see all http requests/responses. Interestingly, the response to the call to Google's token API contains

    {
      "access_token": "ya29.XYZ",
      "token_type": "Bearer",
      "expires_in": 3600,
      "refresh_token": "1/KgXYZ",
      "id_token": "my.id.token"
    }

You can base 64 decode the payload of the obtained ID token (in this example "id") and get all relevant user information. To do base 64 decoding manually you can use any online tools (see https://www.base64decode.org/ for instance).
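The decoding step described in the answer can also be done locally inside the token-endpoint handler, so the ID token never has to be pasted into an external tool. The following is an added example, not code from the original post or from DotNetOpenAuth.GoogleOAuth2; the class name `IdTokenClaims`, the method names and all sample values are assumptions made for illustration.

```csharp
using System;
using System.Text;
using Newtonsoft.Json.Linq;

static class IdTokenClaims
{
    // base64url: '-' and '_' stand in for '+' and '/', and '=' padding is stripped.
    static byte[] Base64UrlDecode(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        if (s.Length % 4 == 1) throw new FormatException("invalid base64url length");
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    // Reads the claims of the id_token in a token-endpoint response body.
    // The signature is NOT verified: acceptable only because the body was
    // fetched directly from the token endpoint over TLS.
    public static JObject FromTokenResponse(string responseBody, string clientId)
    {
        var idToken = JObject.Parse(responseBody).Value<string>("id_token");
        if (idToken == null)
            throw new InvalidOperationException("no id_token in token response");

        var parts = idToken.Split('.'); // header.payload.signature
        if (parts.Length != 3)
            throw new FormatException("id_token is not a three-part JWT");

        var claims = JObject.Parse(Encoding.UTF8.GetString(Base64UrlDecode(parts[1])));
        // Assumes "aud" is a single string; reject tokens issued to another client.
        if (claims.Value<string>("aud") != clientId)
            throw new InvalidOperationException("id_token audience mismatch");
        return claims;
    }

    static void Main()
    {
        // Constructed sample response: placeholder values, dummy signature part.
        var payload = new JObject {
            { "sub", "1234567890" }, { "aud", "my-client-id" },
            { "openid_id", "https://www.google.com/accounts/o8/id?id=EXAMPLE" } };
        var b64 = Convert.ToBase64String(Encoding.UTF8.GetBytes(payload.ToString()))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        var body = new JObject {
            { "access_token", "ya29.XYZ" }, { "id_token", "e30." + b64 + ".sig" } }.ToString();
        var claims = FromTokenResponse(body, "my-client-id");
        Console.WriteLine(claims.Value<string>("sub"));       // OpenID Connect subject
        Console.WriteLine(claims.Value<string>("openid_id")); // old OpenID 2.0 identifier
    }
}
```

An ID token taken from the authentication response instead (response_type containing id_token) travels through the browser, so in that flow its signature has to be verified before the claims are trusted.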
