
Google+ sign-in: authenticating session users

I have a question about integrating the Google+ sign-in button in a website.

My question is, how long is the Google access token obtained in signinCallback valid? Is this expiry flexible? Can I use it multiple times to pull user information from Google before it expires?

My other question is, how should I maintain the session during sign-in? I have already thought of the following ways:

  1. Using our own session: Get the user authenticated from Google; on the sign-in callback, set custom application cookies to validate further calls. PROBLEM: If the user signs out from another Google service like Gmail, my session is not terminated.
  2. Use the Google access token as session key: Authenticate the Google access token every time any PHP page is requested. PROBLEM: I have to make one extra HTTP request to the Google API to authenticate every PHP call. It will make my application a bit slow.
  3. Leverage signinCallback on the client side in every PHP page: In the signinCallback function, if the user is invalid, deny him access to the page. PROBLEM: not 100% secure. The user can modify my signinCallback on the client side and bypass the Google session validation. Then he can enjoy the session even after signing out from Google.

Is there another right and more secure way? Note that my website is a simplistic HTML 4.0 website which performs almost every operation on the server side. There is almost no JavaScript, and user I/O is performed by forms. So server-side techniques are more appreciated :)

how long is the Google access token obtained in signinCallback valid?

3600 seconds (1 hour)

Is this expiry flexible?

No. The access token will always expire after an hour. However, you can use a refresh token to replace the expired access token with a fresh one. To do this, you must request offline access on the sign-in button, send the one-time authorization code to your server, and exchange the auth code for an access token and refresh token.

Can I use it multiple times to pull user information from Google before it expires?

Unless the user disconnects from your app, you will be able to get fresh access tokens and make your API calls.

how should I maintain the session during sign-in?

Use your own site's session to maintain user state for your site. It sounds like you already have sessions working on your site; if the session is present and contains whatever authorization keys are required for your site, the user should be authorized.

Use the Google access token as session key:

Please don't do this; you need to protect your users' access tokens. One thing you can do that is marginally safer is to pass the access token from the sign-in callback and then verify that it corresponds to the session-cached user on your server.

A better way

Here's really what you should be doing. Use the sign-in button callback to determine that the user is not signed in, and invalidate any sessions when they are not. Pass an ID token or one-time authorization code from the callback to your server to authenticate your user. The following code shows your average sign-in callback with the error conditions called out:

function onSignInCallback(authResult) {
  if (authResult['access_token']) {
    // User is signed in. This is the point at which to send the ID token
    // (authResult['id_token']) or the one-time code to your server for
    // verification; the access token itself should not leave the client.
  } else if (authResult['error']) {
    // There was an error, which means the user is not signed in.
    // As an example, you can handle by writing to the console; in a real
    // app this is where you would tell the server to invalidate the session.
    console.log('not signed in, invalidating session');
  }
  console.log('authResult', authResult);
}

As you're aware, the authResult object contains the members access_token and id_token. Sending these tokens to the OAuth.v2.verifytoken endpoint will check that the token certificate is valid and the token has not expired. Verifytoken will also return to you a unique identifier for the user that you can use to verify that the user is not using the incorrect session.

The Google+ PHP Quickstart shows you how to send the authorization code to your server, accept and exchange the code, verify the token, and so on in PHP.

So, again, what you should be doing is:

  1. Pass an OAuth 2 credential to your server on client authentication
  2. Verify the credential on your server and disconnect the user session if it fails
  3. Rely on your site session once the user has been authenticated
  4. If you want to sign the user out whenever they sign out of Google, retrieve an OAuth 2 credential on every page load, pass the token (ID token / access token / one-time code) on each request, and verify it.

Now use either a listener or gapi.auth2.getAuthInstance().currentUser.get().reloadAuthResponse() rather than the whole process of requesting offline access on the sign-in button, sending the one-time authorization code to your server, and exchanging the auth code for an access token and refresh token.

See https://developers.google.com/identity/sign-in/web/listeners and https://developers.google.com/identity/sign-in/web/reference#googleuserreloadauthresponse .
