
Should I verify the OAuth2 token in the Android client or will App Engine itself authenticate user based on the credential passed to the backend API?

I am creating an Android app with an App Engine backend and am trying to use OAuth2 to authenticate users through their Google Account on the Android device, but am not able to figure out if I need to carry out all of the following steps or whether just step 1 would suffice.

Step 1: In this tutorial by Google, they have created a GoogleAccountCredential using the Google account found on the device and passed it to the backend API hosted on App Engine.

Step 2: In this other tutorial, they have passed this credential only if getting an OAuth2 access token in the Android app returns no error.

Step 3: In yet another tutorial, it has been advised that the backend should check the token sent by the Android client to verify that Google generated this token and that the device that asked for the token matches the audience value in the backend.

So my question is: do we really need steps 2 and 3 in an Android app whose backend is hosted on App Engine, or does App Engine take care of 2 and 3 if we pass a credential created for the Google Account found on the phone to the backend API?

Another thing is how often and where in my code I should authenticate the app user:

1. Is it required before each endpoint call?

2. Or is it enough to just run the authentication code when the app launches?

3. Or better yet, if it is enough to authenticate based on just step 1, would it be okay if I get the user's Google email address from the AccountManager, store it with SharedPreferences and create a GoogleAccountCredential based on the stored email whenever I make an endpoint call, until the user explicitly asks to sign out or switch account?

Please help me decide which approach would make most sense. Like always, thanks so much for helping out! :)

Tim's article (step 3) above is correct. When a server receives a token it must verify that it was intended for them. This is something that Google Cloud Endpoints will do for you, by configuring the client IDs / audience fields, as in the example here: https://developers.google.com/appengine/docs/java/endpoints/auth

I ended up passing the GoogleAccountCredential created with the account name found on the phone to the endpoint builder. Then, in the endpoint API method, I added a User parameter which was automatically populated by App Engine after authenticating the user based on the credential passed to the endpoint builder. As a final check, I compared whether User.email was giving the same email address that I used to create the GoogleAccountCredential.
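The server side of what the two answers above describe, written out as an added example (it is not code from the question, from either answer, or from Google's sample project): an Endpoints API class that declares the accepted client IDs and audience so the framework validates the bearer token before the method runs, a method that takes the framework-populated User parameter and refuses null, and the "final check" that the account name the client built its GoogleAccountCredential with matches the identity the token actually carries. The package name, API name, and the client ID strings are placeholders to be replaced with your own project's values.

```java
package com.example.backend; // hypothetical package name

import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.config.Named;
import com.google.api.server.spi.response.UnauthorizedException;
import com.google.appengine.api.users.User;

/**
 * Constructed OAuth2 client IDs: placeholders, not real values. Replace them with the
 * client IDs registered in your own Google API Console project.
 */
final class Constants {
    static final String WEB_CLIENT_ID = "PLACEHOLDER-web-client-id.apps.googleusercontent.com";
    static final String ANDROID_CLIENT_ID = "PLACEHOLDER-android-client-id.apps.googleusercontent.com";
    // For an Android client the audience is the web client ID. The Android app builds its
    // credential with GoogleAccountCredential.usingAudience(ctx, "server:client_id:" + WEB_CLIENT_ID)
    // and the backend only accepts tokens minted for exactly that audience.
    static final String ANDROID_AUDIENCE = WEB_CLIENT_ID;

    private Constants() {}
}

/** Response object returned to the client; Endpoints serialises it to JSON. */
class Profile {
    public String email;
    public String greeting;
}

@Api(
    name = "exampleApi",
    version = "v1",
    clientIds = {Constants.WEB_CLIENT_ID, Constants.ANDROID_CLIENT_ID},
    audiences = {Constants.ANDROID_AUDIENCE}
)
public class ExampleEndpoint {

    /**
     * Endpoints checks the token before this method runs (issued by Google, not expired,
     * client ID in clientIds, audience in audiences). If there is no token or it fails those
     * checks, {@code user} arrives as null, so the method must refuse rather than proceed.
     */
    @ApiMethod(name = "profile.get", path = "profile")
    public Profile getProfile(User user) throws UnauthorizedException {
        requireUser(user);
        Profile p = new Profile();
        p.email = user.getEmail();   // identity established by Google, not claimed by the client
        p.greeting = "Hello, " + user.getEmail();
        return p;
    }

    /**
     * The "final check" from the answer above, done where it can be trusted: the account name
     * the client used when it built its GoogleAccountCredential must match the identity the
     * verified token carries. A mismatch means the app is acting for a different account than
     * it thinks, and the request is refused.
     */
    @ApiMethod(name = "profile.update", path = "profile", httpMethod = ApiMethod.HttpMethod.POST)
    public Profile updateProfile(@Named("accountEmail") String accountEmail, User user)
            throws UnauthorizedException {
        requireUser(user);
        if (accountEmail == null || !accountEmail.equalsIgnoreCase(user.getEmail())) {
            throw new UnauthorizedException("Credential does not belong to the requested account");
        }
        // Any per-user data should be keyed by user.getUserId() rather than the e-mail
        // address, since the address can change while the Google user ID stays stable.
        Profile p = new Profile();
        p.email = user.getEmail();
        p.greeting = "Profile updated for " + user.getEmail();
        return p;
    }

    private static void requireUser(User user) throws UnauthorizedException {
        if (user == null) {
            throw new UnauthorizedException("A valid Google credential is required");
        }
    }
}
```

With this in place the Android side only has to attach the credential to the endpoint builder on every call (answering the "how often" part of the question): each request carries its own token, the backend validates each one, and nothing the client stores in SharedPreferences is trusted on its own.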

For sure authenticate on the back end. If you pass them in the standard way GAE should automatically use that as your credentials. The UserService should give you the user details with no effort on your part on the server side.


