[英]Secure Google Plus Sign-in into Web App via Android App
I'm developing an Android app and I want users to sign-in to my app using Google+ Sign-In. 我正在开发Android应用,我希望用户使用Google+登录登录我的应用。
At the moment, I pass the user's name which I get from Google+ within a PHP login script. 目前,我在PHP登录脚本中传递了我从Google+获得的用户名。 The script loads a new session with the user's ID. 该脚本使用用户的ID加载新会话。
Currently, the site is highly insecure: anyone who knows another user's username can potentially login as them. 目前,该网站非常不安全:知道其他用户的用户名的任何人都可能以其身份登录。
What is a secure way to do this? 有什么安全的方法可以做到这一点?
How do I authorize a user against my server? 如何针对我的服务器授权用户?
It looks like to me, Google+ was purely a social networking API... 对我来说,Google +纯粹是一个社交网络API ......
Google+ Sign-In uses OAuth 2.0 - which means the user does not authenticate directly with your server. Google+登录使用OAuth 2.0 - 这意味着用户不会直接对您的服务器进行身份验证。 Instead they authenticate with Google and obtain a token signed by Google. 相反,他们会与Google进行身份验证,并获取由Google签名的令牌。 Your app gets that token (from Google Play services on Android) and can pass it to your servers as proof that the user authenticated with Google. 您的应用获取该令牌(来自Android上的Google Play服务),并可将其传递给您的服务器,作为用户通过Google验证的证明。 You then associate the users Google+ ID with a new or existing user ID on your own servers. 然后,您可以将用户Google+ ID与您自己服务器上的新用户ID或现有用户ID相关联。 So whenever a user can prove that they authenticated with Google for a specific Google+ user ID, you treat them as authenticated on your own server. 因此,只要用户可以证明他们通过Google针对特定的Google+用户ID进行了身份验证,您就可以将其视为在您自己的服务器上进行身份验证。
To implement, you have a few options depending on how you architect your system: 要实现,您可以根据架构系统的方式选择一些选项:
GoogleAuthUtils.getToken()
and pass it to your server. 用户在您的应用中点击“使用Google登录”后,您可以使用GoogleAuthUtils.getToken()
为其获取ID令牌,并将其传递给您的服务器。 Your server, after verifying the Google signature, can then safely associate the users session with the appropriate user account and permissions (ie. treat the session as authenticated). 验证Google签名后,您的服务器可以安全地将用户会话与相应的用户帐户和权限相关联(即将会话视为已通过身份验证)。 The process of getting the token and verifying it is discussed by Tim Bray here and by Ian Barber here . Tim Bray在这里和Ian Barber在这里讨论了获取令牌并验证令牌的过程。 You probably want to make Google API calls in your client or on your server so that you can pre-populate your registration form with data from the users Google+ profile, for example. 您可能希望在客户端或服务器上进行Google API调用,以便您可以使用用户Google+个人资料中的数据预先填充注册表单。
Google Plus uses OAuth 2.0 https://developers.google.com/+/api/oauth Google Plus使用OAuth 2.0 https://developers.google.com/+/api/oauth
It has auth token. 它有身份验证令牌。 You can use auth token to access Google Plus from Android or server. 您可以使用身份验证令牌从Android或服务器访问Google Plus。 On server you can verify token by accessing Google with that token. 在服务器上,您可以通过使用该令牌访问Google来验证令牌。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.