Google上的操作-登录和交换UID的访问令牌
[英]Actions on Google - Login and Swapping Access Token for UID
问题描述
I need to check that I have this right. 
我需要检查我是否拥有此权利。 Im building an Action on Google using the Actions-SDK. 我使用Actions-SDK在Google上构建了Action。 For auth, I want to use Google Sign In to keep everything relatively straight forward for the end user. 对于身份验证,我想使用Google登录功能为最终用户保持相对简单的状态。 My Fulfillment will sit on Firebase Functions. 我的成就将坐在Firebase功能上。 My OAUTH server will sit outside of Firebase. 我的OAUTH服务器将位于Firebase之外。
The first thing I note is that much of the front end log in is done in JavaScript. 我要注意的第一件事是,大多数前端登录都是使用JavaScript完成的。
var provider = new firebase.auth.GoogleAuthProvider(); var provider = new firebase.auth.GoogleAuthProvider();
From here, if the user logs in, we can use: 从这里,如果用户登录,我们可以使用:
firebase.auth().getRedirectResult().then(function(result) { } and we have access to result.user.uid firebase.auth().getRedirectResult().then(function(result) { } ,我们可以访问result.user.uid
My first question here is security - because the API Key , DatabaseURL and authDomain are exposed in client side JavaScript, and using a Developer Console in Chrome, the end user has access to their ID and Token. 我的第一个问题是安全性-因为API Key , DatabaseURL和authDomain在客户端JavaScript中公开,并且使用Chrome中的开发人员控制台,最终用户可以访问其ID和令牌。 I was wondering whether to use the uid or id token under result.user.De for some reason, but as it appears you can easily use a JWT Decoder on the internet to extract all the information so it really makes little different from a security point of view - I may as well take the uid here. 我想知道是否出于某种原因在result.user.De下使用uid或id令牌,但是看起来您可以轻松地在Internet上使用JWT解码器提取所有信息,因此与安全点实际上并没有什么不同的观点-我不妨将uid放在这里。
It looks like the admin side of things are available in Node.js and PHP where I can connect to database and validate tokens and create users, but I can't login. 看起来管理方面可以在Node.js和PHP中找到,我可以连接到数据库并验证令牌并创建用户,但无法登录。 So JavaScript seems the way to go. 因此,JavaScript似乎是必经之路。
The next step I gather, is to post my uid back to the oauth server so we know who we're logging in as and we can tie the oauth access token/refresh token/auth code to the uid. 我收集的下一步是将uid重新发布到oauth服务器,以便我们知道以谁身份登录,并且可以将oauth访问令牌/刷新令牌/ auth代码绑定到uid。 And whether we store that link in Firebase or a MySQL database on the Oauth server, it doesn't really matter. 无论我们将链接存储在Firebase还是Oauth服务器上的MySQL数据库中,都没有关系。
Then for fulfilment in Firebase Functions, we then have one userId through: 然后为了实现Firebase Functions,我们通过以下方式获得一个userId:
let ActionsSdkApp = require('actions-on-google').ActionsSdkApp;
const app = new ActionsSdkApp({request: request, response: response});
app.getUser().userId);
But this does not match the uid we retrieved from result... But we do have access to the AccessToken we generated on the Oauth server, so we need to exchange the Access Token for the correct uid - whether we look up from Firebase or from the OAuth MySQL Server I guess doesn't matter. 但这与我们从结果中检索到的uid不匹配...但是我们确实可以访问在Oauth服务器上生成的AccessToken,因此我们需要将Access Token交换为正确的uid-无论是从Firebase还是从Firebase中查找我猜OAuth MySQL Server没关系。
Putting it all together, does this flow all sound correct? 放在一起,这一切听起来是否正确? Or is there something that could be done better? 还是有什么可以做得更好的? I was hoping that there was a better way of identifying the user in Firebase Functions. 我希望在Firebase Functions中有更好的识别用户的方法。 But it doesn't seem possible. 但这似乎不可能。
1 个解决方案
解决方案1
3 已采纳 2017-10-19 11:46:05
I think you have it mostly correct (assuming I follow everything), but a few points to note: 我认为您基本上是正确的(假设我遵循了所有内容),但有几点需要注意:
You should not send just the UserID from the client to your server.
你不应该从客户端只发送用户ID到服务器。 As you noticed, that information is easily available to... well... anyone.
如您所见,任何人都可以轻松获取这些信息。 This means that, unless you're careful, anyone could just send your server a UserID that they got from elsewhere and pretend to be you. 这意味着,除非您小心,否则任何人都可以向您的服务器发送他们从其他地方获得并假装为您的UserID。 Using the JWT Token provides a little more security.
使用JWT令牌可以提供更多的安全性。 Although it contains the UserID, it also contains a signed hash of that information, so you can verify that the information is valid. 尽管它包含UserID,但它也包含该信息的签名哈希,因此您可以验证该信息是否有效。 It also contains an expiration, so you can reject it if it's outside the validity range. 它还包含一个到期时间,因此如果它在有效范围之外,则可以拒绝它。 This makes it much harder for someone to just forge a UserID or re-use one that they've acquired. 这使得某人伪造一个UserID或重复使用他们获得的ID变得更加困难。 There are other precautions along these lines you should be taking as well.
您还应遵循这些预防措施。 We can't really trust the browser, but we can narrow down the opportunity for problems. 我们不能真正信任浏览器,但是可以缩小出现问题的机会。 You're correct, the UserID that is sent by the Assistant has no relation at all to any other UserID anywhere.
没错,助手发送的UserID与任何地方的任何其他UserID都没有任何关系。 It is meant to serve as an anonymous cookie-like reference, so you know if you get the same UserID twice... the person on the other end is likely the same. 它打算用作匿名的类似cookie的引用,因此您知道是否两次获得相同的UserID ...另一端的人可能是相同的。 It is mostly meant for simple use and not real authentication, and certainly not for authorization. 它主要是为了简单使用而不是真正的身份验证,当然也不是为了授权。 Which is why the account linking procedure, your OAuth server, and handing you an auth token is so important if you do want to do authentication and authorization.
这就是为什么连接过程中,您的OAuth服务器,交给你一个身份验证令牌帐户是非常重要的,如果你想要做的认证和授权。 You have this part correct - you need to verify that the token is valid (to help reduce the chance that somebody else isn't pretending to be the Assistant) and use it to determine the ID. 您的部分正确无误-您需要验证令牌是否有效(以帮助减少其他人不假装成为助手的机会)并使用它来确定ID。 Looking it up in a database is one option, but issuing a token as a JWT of your own is another option.
在数据库中查找它是一种选择,但是发行令牌作为您自己的JWT是另一种选择。 Given the setup it sounds like you describe, managing that in a data store of some sort makes the most sense. 听起来像您描述的那样,在某种数据存储中进行管理最有意义。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.