Google HTTP / REST OAuth:授权代码请求具有数据库用户的状态,访问令牌请求没有
[英]Google HTTP/REST OAuth: authorisation code request has state for db user, access token request has none
问题描述
I am using the OAuth server flow for Google. 
我正在使用Google的OAuth服务器流程。 It starts with the user clicking a link that runs javascript to open a popup with the following request in the URI which is all working great: 首先从用户单击运行javascript的链接开始,然后使用URI中的以下请求打开一个弹出窗口,效果很好:
var endpoint = "https://accounts.google.com/o/oauth2/auth";
endpoint = endpoint + "?scope="+encodeURIComponent(googlecalendar.SCOPES);
endpoint = endpoint + "&redirect_uri="+encodeURIComponent("https://myserver/google/");
endpoint = endpoint + "&response_type=code";
endpoint = endpoint + "&access_type=offline";
endpoint = endpoint + "&approval_prompt=force";
endpoint = endpoint + "&client_id="+encodeURIComponent(googlecalendar.CLIENT_ID);
endpoint = endpoint + "&state="+encodeURIComponent(googlecalendar.USER_ID);
On the server side, I get the state which contains the user_id for my DB and the authorisation code. 在服务器端,我得到的状态包含数据库的user_id和授权代码。 Now I want to exchange the authorisation code for access token (and renew token). 现在,我想将访问令牌(和续签)的授权码交换。 This will be a HTTP request with a redirect URI, no state parameter is included. 这将是带有重定向URI的HTTP请求,不包含任何状态参数。
The problem is that when I get those, I will need to store them against a user in my DB, but I don't have any way to check which user the callback is for. 问题是,当我获得这些请求时,我将需要针对用户将它们存储在数据库中,但是我没有任何方法来检查回调所针对的用户。
The best I was able to come up with is using the token to query the google user's identity it belongs to but this still won't help me to find the user in the DB. 我能想到的最好的方法是使用令牌查询它所属的google用户的身份,但这仍然无法帮助我在数据库中找到用户。
Can anyone help me with this flow? 有人可以帮我这个忙吗? There must be some way to do. 必须有一些方法可以做。 I don't want to use client libraries because later when I need to create watchers the PHP client library does not include this for the calendar API. 我不想使用客户端库,因为稍后需要创建观察程序时,PHP客户端库不包括日历API。
1 个解决方案
解决方案1
1 已采纳 2015-08-20 18:57:25
Short Answer 简短答案
Despite the presence of a redirect parameter, the access token will generate a standard 200 response, not a 301 redirect. 尽管存在重定向参数,但访问令牌将生成标准的200响应,而不是301重定向。 Depending on how you issue and handle the request/response, you can preserve your state. 根据发出和处理请求/响应的方式,可以保留状态。
More Detailed Answer 更详细的答案
According to section 4.1.4 of the OAuth 2.0 spec document (RFC 6749), the response to an Access Token Request should be an "HTTP/1.1 200 OK". 根据OAuth 2.0规范文档(RFC 6749)的4.1.4节 ,对访问令牌请求的响应应为“ HTTP / 1.1 200 OK”。
In other words, the server will not perform a redirect, meaning you can issue a request and process the response in the same scope (either in the client or server, whatever your situation), so your database user ID need only be in local memory. 换句话说,服务器将不会执行重定向,这意味着您可以在同一范围内(无论在客户端还是服务器中,无论您遇到什么情况)发出请求并处理响应,因此数据库用户ID只需要在本地内存中即可。 。
This is different from the Authorization Request, which is supposed to result in an "HTTP/1.1 302 Found" (redirect). 这与授权请求不同,授权请求应导致“ HTTP / 1.1 302 Found”(重定向)。 See section 4.1.2 . 参见4.1.2节 。
So why is the redirect_uri parameter required? 那么为什么需要redirect_uri参数呢?
According to section 4.1.3 , the server must: 根据4.1.3节 ,服务器必须:
- ensure that the "redirect_uri" parameter is present if the "redirect_uri" parameter was included in the initial authorization request as described in Section 4.1.1, and if included ensure that their values are identical. 如果如第4.1.1节中所述在初始授权请求中包含“ redirect_uri”参数,请确保存在“ redirect_uri”参数,如果包含,请确保其值相同。
In other words, the redirect_uri acts as a sort of secret or password which the server must use to verify the access token request. 换句话说, redirect_uri充当服务器必须用来验证访问令牌请求的一种秘密或密码。 If the client fails to provide a redirect_uri parameter, or the parameter value is different from the original request, then the server must reject the access token request. 如果客户端无法提供redirect_uri参数,或者该参数值与原始请求不同,则服务器必须拒绝访问令牌请求。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.