如何验证google的auth gapi.auth.signIn响应
How to verify Google's auth gapi.auth.signIn response?
我有一个数据库与用户,我想让用户连接他的网站帐户与他的谷歌帐户。我希望能够让用户登录与他的谷歌帐户太,也许以后能够与他的谷歌+帐户等进行交互
用户登录到网站上,他通过点击一个按钮来启动这个过程,该按钮的操作如下:
// user initiates the process
$('#google-connect').on(function() {
gapi.auth.signIn({
'callback': function(data) {
if(data['status']['signed_in'])
console.log("Signed in", data, gapi.auth.getToken());
// just get some additional user's data
gapi.client.load('oauth2', 'v2', function() {
gapi.client.oauth2.userinfo.get().execute(function(resp) {
console.log("OAuth", resp);
data.userID = resp.id;
// tell server to add google account to user's account
$.post('/add/google', data, function(data) {
console.log("Connected", "data");
});
});
});
},
'clientid': GOOGLE_CLIENT_ID,
'cookiepolicy': 'single_host_origin',
'requestvisibleactions': 'http://schemas.google.com/AddActivity',
'approvalprompt':'force',
'scope': 'https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/userinfo.email'
//'scope': 'https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/plus.me'
});
return false;
});
// load libs
(function() {
var po = document.createElement('script');
po.type = 'text/javascript'; po.async = true;
po.src = 'https://apis.google.com/js/client:plusone.js';
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(po, s);
})();
它基本上没有问题,但我不确定这是安全的,如何验证答案从谷歌服务器。例如,Facebook登录返回"signedRequest",我可以使用hash_hmac (php)运行验证来验证响应。
Google回答我的gapi.auth.signIn()请求:
access_token: "ya29.KgDiGDMeEpOEFxoAAAD2dV1eldwT_ZCcr-ODNR_LBKWbam7bOwZ0pplZ33hG3A"
authuser: "0"
client_id: "...."
code: "4/iqLG-akrpp_BGWGGx2b_RAqTSj29.AuyFPmgozMATOl05ti8ZT3bxU6v2jAI"
cookie_policy: "single_host_origin"
expires_at: "1402232030"
expires_in: "3600"
g-oauth-window: Window
g_user_cookie_policy: "single_host_origin"
id_token: "eyJhbGciOiJSUzI1NiIsImtpZCI6IjgxNDBjNWYxYzlkMGM3MzhjMWI2MzI4NTI4ZjdhYjFmNjcyZjViYTAifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTExNTQ2NTQxNjExMzkyOTAzMTYzIiwiYXpwIjoiOTMyNjIxNDU0NTUxLThrNW8yOXY0djEyZmN2cG1tNWFqYXZsbW9ic2x1NzQwLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiZW1haWwiOiJtaXJ6YS5jd0BnbWFpbC5jb20iLCJhdF9oYXNoIjoiTUNERVJkZjJpaUo0eUZ4ZHU1RUdpUSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJhdWQiOiI5MzI2MjE0NTQ1NTEtOGs1bzI5djR2MTJmY3ZwbW01YWphdmxtb2JzbHU3NDAuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJjX2hhc2giOiJXMXY4UUhkUndLM3FQbGhMZE1XY1Z3IiwiaWF0IjoxNDAyMjI4MTMwLCJleHAiOjE0MDIyMzIwMzB9.Fil-uV6oFdeiRrO_vHFr5oVOnzVIfa2DvneDYaFF_eo3HOdOmD2wElD5UOjXxTLcNHtxyXg-zInyB9wDn1aQaZpYTSgG3Q-PN7oXcmUECyX5UJ7Aga0xgjAH6j57XBTx_BVdeiq1xLTPSMq9J2hZ1jGIkv-1qPedng7bRVGuRgQ"
issued_at: "1402228430"
num_sessions: "1"
prompt: "consent"
response_type: "code token id_token gsession"
scope: "https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/plus.moments.write https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/plus.profile.agerange.read https://www.googleapis.com/auth/plus.profile.language.read https://www.googleapis.com/auth/plus.circles.members.read https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/plus.profile.emails.read"
session_state: "14f90adcf0c130936b1545ec15dbd8fe1515b4dc..0c9b"
state: ""
status: Object
token_type: "Bearer"
我没有找到任何如何验证响应的信息。没有签名或其他东西,除了"id_token",这可能是某种签名。
是否有一种方法来验证谷歌的答案,以确保信息是正确的,没有MITM?还是我太担心了?
有:
你读过ID令牌验证(PHP库)吗?
我猜,你也可以在JavaScript中使用:
$.get("https://www.googleapis.com/oauth2/v1/tokeninfo",{
"id_token" : authResult["id_token"]},function(data){
//Handle data...
});
相关文章:
- 当达到codeigniter/tank auth会话超时时,在ajax调用中处理php重定向
- GAPI Is Not Defined
- 对auth.logout的Facebook事件订阅仅选择性地将用户重定向到url
- 为什么我会得到一个“;auth失败”;使用正确的凭据连接到MongoDB时出错
- FB.Event.subscribe auth.statusChange未在Angular JS中启动
- “Ember Simple Auth”使组件的会话无效
- Auth$getUser返回null,即使用户已登录(AngularFire,Firebase)
- 在Mocha和SuperTest中设置基本Auth
- Google JS API: gapi.auth.signIn 回调函数问题
- Google OAuth gapi.auth.authorize X-Frame-Options: SAMEORIGIN
- 对于javascript,对api“gapi.auth.authorize”的调用不会执行Google Analytic
- gapi.auth.authorize: TypeError: cv(...) is null
- Google Analytics Embed API gapi.analytics.auth.isAuthorized(
- Gapi.auth.authorize with immediate: true不起作用
- 如何验证google的auth gapi.auth.signIn响应
- 检测用户在使用gapi.auth.authorize时是否关闭了弹出窗口
- 使用gapi.auth.authorize时出现访问拒绝错误
- 让google auth请求gapi.没有弹出窗口的命令
- gapi.auth.signOut ();不要退出
- gapi.auth.authorize回调在node-webkit应用程序上通过谷歌登录时不被调用