[英]Google+ sign-in: authenticating session users
I have a doubt on integrating Google+ sign-in button in website. 我对在网站中整合Google+登录按钮有疑问。
My question is, how long is google access token obtained in signinCallback valid? 我的问题是,在signinCallback中获得的google访问令牌有效期有多长? Is this expiry flexible? 这个到期时间是否灵活? Can I use it multiple times to pull out user information from google before expiry? 我可以多次使用它在到期前从谷歌中提取用户信息吗?
My another question is, how should I maintain session during sign-in? 我的另一个问题是,我应该如何在登录期间保持会话? I have already thought of following ways, 我已经想过以下方法,
Is there another right and more secure way? 还有另一种权利和更安全的方式吗? Note that My website is simplistic HTML 4.0 website which performs almost every operation on server-side. 请注意,我的网站是简单的HTML 4.0网站,它几乎执行服务器端的每个操作。 There is almost no Javascript and user i/o is performed by forms. 几乎没有Javascript,用户i / o由表单执行。 So server-side techniques are more appreciated :) 所以服务器端技术更受赞赏:)
how long is google access token obtained in signinCallback valid? 在signinCallback中获得的google访问令牌有效期多长?
3600 seconds (1 hour) 3600秒(1小时)
Is this expiry flexible? 这个到期时间是否灵活?
No. The access token will always expire after an hour. 不会。访问令牌将在一小时后过期。 However, you can use a refresh token to replace the expired access token with a fresh token. 但是,您可以使用刷新令牌将过期的访问令牌替换为新令牌。 To do this, you must request offline access on the sign-in button, send the one-time authorization code to your server, and exchange the auth code for an access token and refresh token. 为此,您必须在登录按钮上请求脱机访问,将一次性授权代码发送到您的服务器,并交换授权代码以获取访问令牌和刷新令牌。
Can I use it multiple times to pull out user information from google before expiry? 我可以多次使用它在到期前从谷歌中提取用户信息吗?
Unless the user disconnects from your app, you will be able to get fresh access tokens and make your API calls. 除非用户与您的应用断开连接,否则您将能够获得新的访问权限并进行API调用。
how should I maintain session during sign-in? 登录时如何保持会话?
Use your own site's session to maintain user state for your site. 使用您自己的网站会话来维护您网站的用户状态。 It sounds like you already have sessions working on your site, if the session is present and contains whatever authorization keys are required for your site, the user should be authorized. 听起来您已经在您的网站上有会话,如果会话存在并且包含您的网站所需的任何授权密钥,则应该授权用户。
Use google access token as session key: 使用Google访问令牌作为会话密钥:
Please don't do this, you need to protect your user's access tokens. 请不要这样做,您需要保护用户的访问令牌。 One thing you can do that is marginally safer is to pass the access token from the sign-in callback and then verify it corresponds to the session-cached user on your server. 您可以做的一件事是稍微安全一点,就是从登录回调中传递访问令牌,然后验证它对应于服务器上的会话缓存用户。
Here's really what you should be doing. 这真的是你应该做的。 Use the sign-in button callback to determine that the user is not signed in and invalidate any sessions when they are not. 使用登录按钮回调确定用户未登录,并在用户未登录时使其无效。 Pass an ID token or one-time authorization code from the callback to your server to authenticate your user. 将回拨中的ID令牌或一次性授权码传递给您的服务器,以验证您的用户身份。 The following code shows your average sign-in callback with the error conditions called out: 以下代码显示了您调用错误条件的平均登录回调:
function onSignInCallback(authResult) {
if (authResult['access_token']) {
// User is signed in.
} else if (authResult['error']) {
// There was an error, which means the user is not signed in.
// As an example, you can handle by writing to the console:
console.log('not signed in, invalidating session');
}
console.log('authResult', authResult);
}
As you're aware, the authResult object contains members access_token and id_token. 如您所知,authResult对象包含成员access_token和id_token。 Sending these tokens to the OAuth.v2.verifytoken endpoint will check the token certificate is valid and the token has not expired. 将这些令牌发送到OAuth.v2.verifytoken端点将检查令牌证书是否有效且令牌是否已过期。 Verifytoken will also return to you a unique identifier for the user that you can use to verify that the user is not using the incorrect session. Verifytoken还将为您返回一个唯一的标识符,您可以使用该标识符来验证用户未使用错误的会话。
The Google+ PHP Quickstart shows you how to send the authorization code to your server, accept and exchange the code, verify the token, and so on in PHP . Google+ PHP快速入门向您展示了如何将授权代码发送到您的服务器,接受并交换代码,验证令牌等等 。
So, again, what you should be doing is: 所以,你应该做的是:
Now use either a listener or gapi.auth2.getAuthInstance().currentUser.get().reloadAuthResponse() vs the whole process of requesting offline access on the sign-in button, sending the one-time authorization code to your server, and exchanging the auth code for an access token and refresh token. 现在使用侦听器或gapi.auth2.getAuthInstance()。currentUser.get()。reloadAuthResponse()与登录按钮请求脱机访问的整个过程,将一次性授权代码发送到您的服务器,以及交换访问令牌的auth代码并刷新令牌。
See https://developers.google.com/identity/sign-in/web/listeners and https://developers.google.com/identity/sign-in/web/reference#googleuserreloadauthresponse . 请参阅https://developers.google.com/identity/sign-in/web/listeners和https://developers.google.com/identity/sign-in/web/reference#googleuserreloadauthresponse 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.