
Secure Google Plus Sign-in into Web App via Android App

I'm developing an Android app and I want users to sign in to my app using Google+ Sign-In.

At the moment, I pass the user's name, which I get from Google+, to a PHP login script. The script loads a new session with the user's ID.

Currently, the site is highly insecure: anyone who knows another user's username can potentially log in as them.

What is a secure way to do this?

How do I authorize a user against my server?

It looks to me like Google+ is purely a social networking API...

Google+ Sign-In uses OAuth 2.0, which means the user does not authenticate directly with your server. Instead they authenticate with Google and obtain a token signed by Google. Your app gets that token (from Google Play services on Android) and can pass it to your servers as proof that the user authenticated with Google. You then associate the user's Google+ ID with a new or existing user ID on your own servers. So whenever a user can prove that they authenticated with Google for a specific Google+ user ID, you treat them as authenticated on your own server.

To implement this, you have a few options depending on how you architect your system:

  1. When you simply want to authenticate your user to your own servers: On an Android device your user is very often already authenticated with Google because they have a Google account in the account manager. Your app can take advantage of this and obtain a token for a user in the account manager without them having to type any passwords. After the user clicks 'Sign in with Google' in your app, you can fetch an ID token for them using GoogleAuthUtils.getToken() and pass it to your server. Your server, after verifying the Google signature, can then safely associate the user's session with the appropriate user account and permissions (i.e. treat the session as authenticated). The process of getting the token and verifying it is discussed by Tim Bray here and by Ian Barber here.
  2. If you want to authenticate the user to your own servers and make Google+ API calls from your servers: Then you should take a look at the server-side flow documentation on developers.google.com. This takes the same approach as option one, but in addition, when the user signs in for the very first time, the Android app requests an authorization code instead of an ID token. This can be exchanged by the server for an access token and refresh token, which, in turn, can be used by your server to make API calls on behalf of the user, for example by using the PHP client library.
  3. If you want to authenticate the user to your own servers, but also make Google API calls from the Android device: Then you should use the PlusClient provided by Google Play services to make Google API calls, in addition to the steps you take to authenticate the user with your own server.

You probably want to make Google API calls in your client or on your server so that you can pre-populate your registration form with data from the user's Google+ profile, for example.
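The server-side check from option 1, as an added example that is not code from the answer, the question, or Google's own libraries. It is written in Python; the PHP login script in the question would mirror the same steps. It assumes the Android app POSTs the ID token string to the server. The RS256 signature check against Google's published certificates is left behind a callable so the claim checks run offline; `demo_verify`, `DEMO_KEY`, `DEMO_CLIENT_ID`, the `users` dict and the `user-N` local ID scheme are constructed stand-ins, not anything Google or the page specifies.

```python
"""Server-side verification of a Google ID token before trusting its 'sub'.

Added example (not code from the answer above). The Android app sends the ID
token (a JWT) to the server; the server verifies it instead of trusting a
client-supplied username. The signature check sits behind a callable so the
claim checks run offline; `demo_verify` below is a constructed HMAC stand-in,
not how Google signs tokens (Google uses RS256 with published public keys).
"""
import base64
import hashlib
import hmac
import json
import time

# Both issuer forms occur in real Google ID tokens.
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}
# Constructed placeholder for this app's OAuth 2.0 client ID.
DEMO_CLIENT_ID = "000000000000-example.apps.googleusercontent.com"


class InvalidToken(Exception):
    """Raised for any token the server must not trust."""


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_id_token(token, expected_aud, verify_signature, now=None):
    """Return the claims of a valid token, else raise InvalidToken.

    verify_signature(header, signing_input, signature) -> bool performs the
    cryptographic check. For real tokens it must pin alg to RS256 and use the
    key whose 'kid' matches the header, fetched from
    https://www.googleapis.com/oauth2/v3/certs.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed JWT")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
        signature = b64url_decode(s_b64)
    except ValueError as e:  # binascii.Error and JSONDecodeError are ValueErrors
        raise InvalidToken("undecodable JWT") from e
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise InvalidToken("malformed JWT")
    # An unsigned token proves nothing: reject 'alg: none' before anything else.
    if str(header.get("alg", "none")).lower() == "none":
        raise InvalidToken("unsigned token")
    if not verify_signature(header, f"{h_b64}.{p_b64}".encode(), signature):
        raise InvalidToken("bad signature")
    if payload.get("iss") not in GOOGLE_ISSUERS:
        raise InvalidToken("wrong issuer")
    # aud must be this app's client ID: a valid token issued to some other
    # app must not log its users into ours.
    if payload.get("aud") != expected_aud:
        raise InvalidToken("wrong audience")
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise InvalidToken("expired")
    if not payload.get("sub"):
        raise InvalidToken("missing subject")
    return payload


def login_with_google(token, expected_aud, verify_signature, users, now=None):
    """Map the verified Google account ID ('sub') to a local user ID.

    `users` stands in for the server's table of google_sub -> local user ID;
    the first sign-in creates the local account. Only 'sub' is a stable key:
    names and e-mail addresses change, and are attacker-chosen in a forged token.
    """
    sub = verify_id_token(token, expected_aud, verify_signature, now)["sub"]
    if sub not in users:
        users[sub] = f"user-{len(users) + 1}"  # constructed local ID scheme
    return users[sub]


# --- constructed demo signer/verifier (HMAC) so the example runs offline ------
DEMO_KEY = b"constructed-demo-secret"


def demo_verify(header, signing_input, signature):
    if header.get("alg") != "HS256":  # pin the algorithm, as a real verifier pins RS256
        return False
    expected = hmac.new(DEMO_KEY, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def make_demo_token(claims, alg="HS256"):
    """Build a JWT as an issuer would; alg='none' yields an unsigned token."""
    h = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{h}.{p}.{b64url_encode(sig)}"
```

In production, `demo_verify` is replaced by an RS256 check against Google's current certificates (the official client libraries bundle this, including key rotation); what this example shows is the order of checks the PHP script in the question is missing: the server accepts `sub` as the user's identity only after signature, issuer, audience and expiry have all been validated, so knowing someone's username no longer lets anyone log in as them.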

Google Plus uses OAuth 2.0: https://developers.google.com/+/api/oauth

It has an auth token. You can use the auth token to access Google Plus from Android or from the server. On the server you can verify the token by accessing Google with that token.
