在Android webview上自动登录Google帐户 [英] Automatically sign into Google account on Android webview
问题描述
过去一周,我用链接淹没自己,导致自己在太多的圈子里数数,所以我想我会在这里提出问题。我有一个Android应用显示指向用户必须使用其Google帐户登录才能看到的网址的网页浏览(后端内置于Google App Engine中)。由于最终用户可能会在其Android上登录其Google帐户,因此我希望登录过程是自动的。目前,在用户打开第一个网页视图时,他们会看到Google登录表单和一个非常难看的后续页面,询问您是否允许example.appspot.com使用您的Google帐户?
这个过程对于用户体验来说是可怕的。我在这里和那里都看到了很少的关于自动登录的资源,但我坦白地说,我几乎失去了我想要的东西 - 但不是很能够辨别我应该去的方向。
我还发现这个SO链接,这表明我所需要做的就是将认证令牌(我可能通过Nick的方法获得)传递给每一个webview我加载为一个cookie。
就是这样。他们都是不同的方法,所以我想知道他们中的任何一个实际上是我想要的。或者,如果某个地方真的存在一个合理简单的方法。如果有人知道这个问题的直接答案,我会非常感激。谢谢!
出于安全原因 WebViews 无法访问手机的缓存,cookie存储等,相反,建议您使用新的 Chrome Custom Tabs ,它可以自动登录您的用户。
关于您希望允许example.appspot.com使用您的Google帐户吗?屏幕;这是标准的 OAuth 过程,并要求用户登录并允许您应用程序访问他们的帐户信息。
在您的'example.appspot.com'App Engine应用程序中,如果您使用的是需要用户信息的API,例如Google Calendar API,则需要您特别要求用户批准访问此信息。
获得批准后,您可以将访问并刷新令牌,以代表他们进行未来的API调用,而无需重复用户的同意。您可以看到整个Oauth流程在 OAuth 2.0 Playground 中的工作方式。
即使您自动登录了用户,他们仍然会看到批准页面,请求您的应用程序访问其信息。开发黑客以强制批准代表用户访问用户信息是一项重大安全违规行为。
您可以查看新的 Firebase身份验证流程,轻松管理用户在App Engine应用程序中的Oauth体验。
This past week I've inundated myself with links and led myself in too many circles to count, so I thought I'd pose the question here. I have an Android app that displays webviews pointing to urls which the user must be signed in with their Google account to see (the backend is built in Google App Engine). Since the end user is likely to be signed into their Google account on their Android anyway, I'd like the sign-in process to be automatic. Currently, on the first webview the user opens up they are presented with the Google sign-in form and a really ugly subsequent page asking "would you like to allow example.appspot.com to use your Google account?"
That process is dreadful for user experience. I've seen precious few resources here and there concerning auto-login, but I'm frankly lost in the sea of almost-what-I-want-but-not-quite to be able to discern the direction I ought to be going.
I read through Nick's tutorial on authenticating an app with App Engine, but just having the token doesn't get me the uniquely-assigned user ID associated with every Google account on the backend. On top of that, prior experience has taught me the hard way that an app's webview session is incongruous with the app's HTTPClient session. So even if I could log in with Nick's method it wouldn't help me sign into the webviews.
Then I came across this tutorial, which actually seems really promising, but so far I haven't been able to adapt his code to work with my own.
I also found this SO link which suggests that all I need to do is pass the auth token (which I could presumably obtain via Nick's method) into every webview I load as a cookie.
And that's about it. They are all rather different approaches, so I'm wondering if any of them are actually what I want. Or, if somewhere out there a reasonably simple approach actually exists. I'd really appreciate it if someone knows of a straightforward answer on this one. Thank you!
For security reasons WebViews do not have access to the phone's cache, cookie store etc, it is instead recommended you use the new Chrome Custom Tabs which can auto log in your users.
Concerning the "would you like to allow example.appspot.com to use your Google account?" screen; this is the standard OAuth process and requires that the User sign in and allow your app to access their account information.
In your 'example.appspot.com' App Engine app, if you are using an API that requires user information, like the Google Calendar API, it is required that you specifically request the User for their approval to access this information.
Once you have their approval, you can then save the access and refresh tokens to make future API calls on their behalf without the need for repeated user consent. You can see how the entire Oauth flow works in the OAuth 2.0 Playground.
Even if you automatically logged your user in, they will still see the approval page requesting for your app to have access to their information. To develop a hack to forcefully approve the access to a User's information on their behalf is a major security violation.
You can take a look at the new Firebase Authentication flow to easily manage your user's Oauth experience in your App Engine application.
这篇关于在Android webview上自动登录Google帐户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
