Should I verify the OAuth2 token in the Android client, or will App Engine itself authenticate the user based on the credential passed to the backend API?
I am creating an Android app with an App Engine backend and am trying to use OAuth2 to authenticate users through their Google Account on the Android device, but I am not able to figure out whether I need to carry out all of the following steps or whether just step 1 would suffice.

Step 1: In this tutorial by Google, they have created a GoogleAccountCredential using the Google account found on the device and passed it to the backend API hosted on App Engine.

Step 2: In this other tutorial, they have passed this credential only if getting an OAuth2 access token in the Android app returns no error.

Step 3: In yet another tutorial, it has been advised that the backend should check the token sent by the Android client to verify that Google generated this token and that the device that asked for the token matches the audience value in the backend.

So my question is: do we really need steps 2 and 3 in an Android app whose backend is hosted on App Engine, or does App Engine take care of 2 and 3 if we pass a credential created for the Google Account found on the phone to the backend API?

Another thing is how often, and where in my code, I should authenticate the app user:

1. Is it required before each endpoint call?
2. Or is it enough to just run the authentication code when the app launches?
3. Or better yet, if it is enough to authenticate based on just step 1, would it be okay if I get the user's Google email address from the AccountManager, store it with SharedPreferences, and create a GoogleAccountCredential based on the stored email whenever I make an endpoint call, until the user explicitly asks to sign out or switch account?

Please help me decide which approach would make the most sense. Like always, thanks so much for helping out! :)
Tim's article (step 3) above is correct. When a server receives a token it must verify that it was intended for them. This is something that Google Cloud Endpoints will do for you, by configuring the client IDs / audience fields as per the example here: https://developers.google.com/appengine/docs/java/endpoints/auth
I ended up passing the GoogleAccountCredential created with the account name found on the phone to the endpoint builder. Then, in the endpoint API method, I added a User parameter which was automatically populated by App Engine after authenticating the user based on the credential passed to the endpoint builder. As a final check, I compared whether User.email was giving the same email address that I used to create the GoogleAccountCredential.
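The two answers above describe the same server-side pattern: Cloud Endpoints verifies the token's issuer and audience against the IDs declared on the @Api annotation, and injects a User into the method only when that check passes. The following is an added illustration of that backend configuration, not code from the question, the answers or Google's tutorials; the endpoint class, the `WhoAmI` response type and the client-ID strings are placeholders you would replace with your own project's values.

```java
import com.google.api.server.spi.Constant;
import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.response.UnauthorizedException;
import com.google.appengine.api.users.User;

// Placeholder IDs (not real values): the web client ID and Android client ID
// registered for this backend in the Google Cloud Console.
@Api(
    name = "notes",
    version = "v1",
    // A token is accepted only if it was issued to one of these client IDs ...
    clientIds = {
        NotesEndpoint.WEB_CLIENT_ID,
        NotesEndpoint.ANDROID_CLIENT_ID,
        Constant.API_EXPLORER_CLIENT_ID
    },
    // ... and only if its audience is this backend's own web client ID, which is
    // what GoogleAccountCredential.usingAudience(ctx, "server:client_id:<id>")
    // puts into the token on the Android side.
    audiences = { NotesEndpoint.WEB_CLIENT_ID },
    scopes = { Constant.API_EMAIL_SCOPE }
)
public class NotesEndpoint {
  static final String WEB_CLIENT_ID = "WEB_CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com";
  static final String ANDROID_CLIENT_ID = "ANDROID_CLIENT_ID_PLACEHOLDER.apps.googleusercontent.com";

  /** Hypothetical response type so the client can compare the server-side identity. */
  public static class WhoAmI {
    public String email;
    public WhoAmI(String email) { this.email = email; }
  }

  @ApiMethod(name = "whoami", path = "whoami")
  public WhoAmI whoAmI(User user) throws UnauthorizedException {
    // Endpoints populates `user` only after the token verified against the
    // clientIds/audiences above. A missing, expired or wrong-audience token
    // leaves it null, so every method must treat null as "not signed in"
    // rather than assuming the framework rejected the request already.
    if (user == null) {
      throw new UnauthorizedException("Sign-in required");
    }
    // The email comes from the verified token, so the Android client can check
    // it against the account it built the GoogleAccountCredential from.
    return new WhoAmI(user.getEmail());
  }
}
```

The null check is the part most often forgotten: the framework verifies the token but does not reject the request on failure, it simply passes null.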
For sure authenticate on the back end. If you pass them in the standard way, GAE should automatically use that as your credentials. The UserService should give you the user details with no effort on your part on the server side.