
Authenticating Android with Firebase Authentication and sending the token to verify on the backend Django

The issue that I will address here is a pretty common one; my concern is with one part of it, which I will highlight:

My Android app authenticates users using Firebase Authentication (either creating the user or verifying that it exists), then calls various APIs on my Django backend. To call the APIs I need to send a token in each request so that I prevent unauthorized requests.

I was planning at first to use Django authentication, but since I am using Firebase Auth, I'm thinking of the following approach:

When a user signs up or logs in on the Android device, the Android app will generate a custom token (from Firebase), store it on the phone and then send it with each API call to the backend. In the backend, I will use the Firebase API to get the user from Firebase (the first time) and store the token in my users model. If the token is not found in my database and is not available in Firebase, then I return a non-authorized user. For subsequent requests I validate the token against my local users table.

Please advise if this approach is the best in this case.

Thank you

I can't comment on your approach, but even I want to know the best approach. Here is how I am doing it, using the info provided on this page: verify-id-tokens

  1. User login using the Firebase SDK.
  2. I attach the token as a header in the Retrofit HTTP call interceptor. Now the ID tokens are only valid for 15-20 mins, so you can't save them. Just use the code below to add the interceptor to the Retrofit HTTP call:

     import androidx.annotation.NonNull;
     import com.google.android.gms.tasks.Task;
     import com.google.android.gms.tasks.Tasks;
     import com.google.firebase.auth.FirebaseAuth;
     import com.google.firebase.auth.FirebaseUser;
     import com.google.firebase.auth.GetTokenResult;
     import java.io.IOException;
     import okhttp3.Interceptor;
     import okhttp3.Request;
     import okhttp3.Response;

     public class FirebaseUserIdTokenInterceptor implements Interceptor {

         // Header used to pass the ID token; the backend expects "Authorization: Bearer <token>".
         private static final String X_FIREBASE_ID_TOKEN = "Authorization";

         @Override
         public Response intercept(@NonNull Chain chain) throws IOException {
             Request request = chain.request();
             try {
                 FirebaseUser user = FirebaseAuth.getInstance().getCurrentUser();
                 if (user == null) {
                     throw new Exception("User is not logged in.");
                 }
                 // getIdToken(true) forces a refresh, so the short-lived token is never stale.
                 // Tasks.await() blocks, which is fine here because OkHttp runs
                 // interceptors on its own worker thread for enqueued calls.
                 Task<GetTokenResult> task = user.getIdToken(true);
                 GetTokenResult tokenResult = Tasks.await(task);
                 String idToken = tokenResult.getToken();
                 if (idToken == null) {
                     throw new Exception("idToken is null");
                 }
                 Request modifiedRequest = request.newBuilder()
                         .addHeader(X_FIREBASE_ID_TOKEN, "Bearer ".concat(idToken))
                         .build();
                 return chain.proceed(modifiedRequest);
             } catch (Exception e) {
                 // Any failure to obtain a fresh token fails the request instead of sending it unauthenticated.
                 throw new IOException(e.getMessage());
             }
         }
     }

  3. My Node server verifies the ID token, and a response is sent if the ID token is valid; otherwise an error message is returned.

Check the warning on the page:

The ID token verification methods included in the Firebase Admin SDKs are meant to verify ID tokens that come from the client SDKs, not the custom tokens that you create with the Admin SDKs.

Hope this helps!!
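The server side of the flow above, for the Django backend the question asks about, as an added example that is not code from the thread: the `Authorization: Bearer <id token>` header set by the interceptor is verified on every request with the Firebase Admin SDK's `verify_id_token`, and the result is mapped to a local user by the stable Firebase `uid` instead of storing the short-lived token in the users table. The names `AuthFailed`, `bearer_token`, `authenticate_request`, the injectable `verify` and `lookup_user` callables, and the assumption that `firebase_admin.initialize_app()` has already been called at startup are this example's own.

```python
from typing import Any, Callable, Dict, Tuple


class AuthFailed(Exception):
    """Raised when the request must be answered with 401 Unauthorized."""


def bearer_token(headers: Dict[str, str]) -> str:
    """Pull the raw ID token out of 'Authorization: Bearer <token>'."""
    value = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise AuthFailed("missing or malformed Authorization header")
    return token.strip()


def firebase_verify(id_token: str) -> Dict[str, Any]:
    """Default verifier (assumes firebase_admin.initialize_app() ran at startup).

    The Admin SDK checks the RS256 signature against Google's public keys plus
    the exp, iat, aud and iss claims; check_revoked=True additionally asks
    Firebase whether the user's sessions were revoked since the token was issued.
    """
    from firebase_admin import auth  # lazy import: module loads without the SDK
    try:
        return auth.verify_id_token(id_token, check_revoked=True)
    except Exception as exc:  # expired, revoked, malformed or badly signed token
        raise AuthFailed(f"token rejected: {type(exc).__name__}") from exc


def authenticate_request(
    headers: Dict[str, str],
    lookup_user: Callable[[str, Dict[str, Any]], Any],
    verify: Callable[[str], Dict[str, Any]] = firebase_verify,
) -> Tuple[Any, Dict[str, Any]]:
    """Verify the token on every request and map it to a local user by uid.

    The token itself is never stored: it expires on its own and its signed
    claims are re-checked each call. lookup_user(uid, claims) is the caller's
    get-or-create against the local users model, keyed by the Firebase uid.
    """
    claims = verify(bearer_token(headers))
    uid = claims.get("uid") or claims.get("sub")
    if not uid:
        raise AuthFailed("verified token carries no uid")
    return lookup_user(uid, claims), claims
```

In a Django REST Framework project this sits inside a `rest_framework.authentication.BaseAuthentication` subclass whose `authenticate(self, request)` calls `authenticate_request(request.headers, ...)` and turns `AuthFailed` into `rest_framework.exceptions.AuthenticationFailed`, so every view gets a 401 for a missing, expired or forged token.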
