如何验证google的auth gapi.auth.signIn响应

How to verify Google's auth gapi.auth.signIn response?

本文关键字:auth gapi signIn 响应 google 何验证 验证      更新时间:2023-09-26

我有一个数据库与用户,我想让用户连接他的网站帐户与他的谷歌帐户。我希望能够让用户登录与他的谷歌帐户太,也许以后能够与他的谷歌+帐户等进行交互

用户登录到网站上,他通过点击一个按钮来启动这个过程,该按钮的操作如下:

// user initiates the process
$('#google-connect').on(function() {
    gapi.auth.signIn({
        'callback': function(data) {
        if(data['status']['signed_in'])
            console.log("Signed in", data, gapi.auth.getToken());
            // just get some additional user's data
            gapi.client.load('oauth2', 'v2', function() {
                gapi.client.oauth2.userinfo.get().execute(function(resp) {
                    console.log("OAuth", resp);
                    data.userID = resp.id;
                    // tell server to add google account to user's account
                    $.post('/add/google', data, function(data) {
                        console.log("Connected", "data");
                    });
                });
            });
        },
        'clientid': GOOGLE_CLIENT_ID,
        'cookiepolicy': 'single_host_origin',
        'requestvisibleactions': 'http://schemas.google.com/AddActivity',
        'approvalprompt':'force',
        'scope': 'https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/userinfo.email'
        //'scope': 'https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/plus.me'
    });
    return false;
});
// load libs
(function() {
    var po = document.createElement('script');
    po.type = 'text/javascript'; po.async = true;
    po.src = 'https://apis.google.com/js/client:plusone.js';
    var s = document.getElementsByTagName('script')[0];
    s.parentNode.insertBefore(po, s);
})();

它基本上没有问题,但我不确定这是安全的,如何验证答案从谷歌服务器。例如,Facebook登录返回"signedRequest",我可以使用hash_hmac (php)运行验证来验证响应。

Google回答我的gapi.auth.signIn()请求:

access_token: "ya29.KgDiGDMeEpOEFxoAAAD2dV1eldwT_ZCcr-ODNR_LBKWbam7bOwZ0pplZ33hG3A"
authuser: "0"
client_id: "...."
code: "4/iqLG-akrpp_BGWGGx2b_RAqTSj29.AuyFPmgozMATOl05ti8ZT3bxU6v2jAI"
cookie_policy: "single_host_origin"
expires_at: "1402232030"
expires_in: "3600"
g-oauth-window: Window
g_user_cookie_policy: "single_host_origin"
id_token: "eyJhbGciOiJSUzI1NiIsImtpZCI6IjgxNDBjNWYxYzlkMGM3MzhjMWI2MzI4NTI4ZjdhYjFmNjcyZjViYTAifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTExNTQ2NTQxNjExMzkyOTAzMTYzIiwiYXpwIjoiOTMyNjIxNDU0NTUxLThrNW8yOXY0djEyZmN2cG1tNWFqYXZsbW9ic2x1NzQwLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiZW1haWwiOiJtaXJ6YS5jd0BnbWFpbC5jb20iLCJhdF9oYXNoIjoiTUNERVJkZjJpaUo0eUZ4ZHU1RUdpUSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJhdWQiOiI5MzI2MjE0NTQ1NTEtOGs1bzI5djR2MTJmY3ZwbW01YWphdmxtb2JzbHU3NDAuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJjX2hhc2giOiJXMXY4UUhkUndLM3FQbGhMZE1XY1Z3IiwiaWF0IjoxNDAyMjI4MTMwLCJleHAiOjE0MDIyMzIwMzB9.Fil-uV6oFdeiRrO_vHFr5oVOnzVIfa2DvneDYaFF_eo3HOdOmD2wElD5UOjXxTLcNHtxyXg-zInyB9wDn1aQaZpYTSgG3Q-PN7oXcmUECyX5UJ7Aga0xgjAH6j57XBTx_BVdeiq1xLTPSMq9J2hZ1jGIkv-1qPedng7bRVGuRgQ"
issued_at: "1402228430"
num_sessions: "1"
prompt: "consent"
response_type: "code token id_token gsession"
scope: "https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/plus.moments.write https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/plus.profile.agerange.read https://www.googleapis.com/auth/plus.profile.language.read https://www.googleapis.com/auth/plus.circles.members.read https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/plus.profile.emails.read"
session_state: "14f90adcf0c130936b1545ec15dbd8fe1515b4dc..0c9b"
state: ""
status: Object
token_type: "Bearer"

我没有找到任何如何验证响应的信息。没有签名或其他东西,除了"id_token",这可能是某种签名。

是否有一种方法来验证谷歌的答案,以确保信息是正确的,没有MITM?还是我太担心了?

有:

你读过ID令牌验证(PHP库)吗?

我猜,你也可以在JavaScript中使用:

$.get("https://www.googleapis.com/oauth2/v1/tokeninfo",{
    "id_token" : authResult["id_token"]},function(data){
    //Handle data...
});
相关文章: