
Google Sign-In and logging in users

I have an app and I want to let people log in using Google Sign-In. I need to check on the server what the permissions of the currently logged-in user are. (I have a table with email/role.)

I read the documentation here: https://developers.google.com/identity/sign-in/web/sign-in. From what I understand, when a user logs in using Google, I get a callback and I can use the email to make calls to my server.

But what I don't understand is: how can I make sure a malicious user won't look at the JavaScript code and make a request to my server using any email he wants?

In other words, if the entire sign-in is in JavaScript, how can I validate the identity on the server?

Assuming that you are doing the following:

  • Signing in from the Web
  • Using JavaScript for sign-in and all data access

The following measures prevent malicious 3Ps from making API calls using your credentials / other users' credentials:

  • API calls are domain-restricted to the authorized origins you configured in the developer console
  • API calls are restricted to the current credentials (e.g. you can only get the current user's details / can only get credentials and tokens for the current user)

That said, let's move on to authN: making sure the user is who they claim to be. On the sign-in callback, you will receive a special token, the ID token, that has:

  • The audience for the token (your client ID)
  • The issuer of the token (user ID from profile)
  • An issued timestamp
  • An expiration timestamp
  • etc.

These values are used to prevent forgery and avoid the confused deputy problem. For example, you use these values to check claims of who the user is, that the issuer of the token was you, and that the token has not expired. You also look at the ID token signature and validate it, either using JWT functionality or by passing it to the Google verify-token endpoint.

After verifying the user using the ID token, you can set a cookie to establish a session and avoid having to verify the user on every API call.

Google provides token verification samples here, for example the Google+ Token Verification sample in Ruby. Additionally, the Google+ quickstart samples demonstrate establishing a client-server session in the "/connect" server endpoints for the server-side languages (Ruby, Python, .NET, etc.).

Additional discussion on the topic is available in the Identity Cookbook.
