How to verify the client token and get the email address of the user
I want to get a valid email from Google auth and sign up my user simply by clicking the "Sign in with Google" button, so I can get a token including the user's email like this:
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <meta name="google-signin-client_id" content="203772907695-qd52ou2r1bcsht8f515lh63cpqaateq2.apps.googleusercontent.com">
  <script src="https://apis.google.com/js/platform.js" async defer></script>
  <title>Login</title>
</head>
<body>
  <div class="g-signin2" data-onsuccess="onSignIn"></div>
  <script>
    function onSignIn(googleUser) {
      var id_token = googleUser.getAuthResponse().id_token;
      console.log(id_token);
      var xhr = new XMLHttpRequest();
      xhr.open('POST', '/login');
      xhr.setRequestHeader('Content-Type', 'application/json');
      xhr.onload = function() {
        console.log('Signed in as: ' + xhr.responseText);
        if (xhr.responseText == 'success') {
          signOut();
          location.assign('/profile');
        }
      };
      xhr.send(JSON.stringify({token: id_token}));
    }
  </script>
</body>
</html>
The code above gets the token and simply sends it to the server, right?
Now on the server side I can log the client token which we sent successfully using console.log(token):
// Google Auth
const express = require('express');
const {OAuth2Client} = require('google-auth-library');

const app = express();
app.use(express.json()); // parses the JSON body posted by the client

const CLIENT_ID = '203772907695-qd52ou2r1bcsht8f515lh63cpqaateq2.apps.googleusercontent.com';
const client = new OAuth2Client(CLIENT_ID);

app.post('/login', (req, res) => {
  let token = req.body.token;
  console.log(token); // gets the token successfully
  // then we should verify that this token is valid, not one sent by a hacker, right?
});
The question is how we can verify that this token is valid and not one sent by a hacker?
Because as you can see, a hacker can simply do what we did on the client side and send us a token just like our token...
The way I'm doing it right now is to send a POST request with the token to this URL:
const response = await axios.post(`https://oauth2.googleapis.com/tokeninfo?id_token=${token}`);
const email = response.data.email;
But this is not verifying anything; anyone can send that token and get a similar result...
I want to securely get the user's email by verifying the token which is sent by the user.
You can simply read the documentation which explains how to do that. This is the example they show:
const {OAuth2Client} = require('google-auth-library');
const client = new OAuth2Client(CLIENT_ID);
async function verify() {
const ticket = await client.verifyIdToken({
idToken: token,
audience: CLIENT_ID, // Specify the CLIENT_ID of the app that accesses the backend
// Or, if multiple clients access the backend:
//[CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]
});
const payload = ticket.getPayload();
const userid = payload['sub'];
// If request specified a G Suite domain:
// const domain = payload['hd'];
}
verify().catch(console.error);
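As an added example (not code from the question or the answers above), this is how the verification step fits into the /login handler: the token is passed to verifyIdToken with the audience set, and the email is trusted only after the issuer, audience, expiry and email_verified claims are checked. It assumes Express-style req/res objects and an injected verifyIdToken function (in production, google-auth-library's OAuth2Client.verifyIdToken).

```javascript
// Added example, not code from the question or the answers.
// Assumes Express-style req/res objects; verifyIdToken is injected by the caller so
// the handler can be exercised offline (production: OAuth2Client.verifyIdToken).
const GOOGLE_ISSUERS = ['accounts.google.com', 'https://accounts.google.com'];

// Claim policy applied to the decoded payload. verifyIdToken() already verifies the
// signature against Google's published keys, the expiry and the audience; the checks
// are restated here so the policy is explicit and testable, and so that the email is
// only trusted when Google marks it as verified.
function checkIdTokenClaims(payload, clientId, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (!payload || !GOOGLE_ISSUERS.includes(payload.iss)) return { ok: false, reason: 'unexpected issuer' };
  if (payload.aud !== clientId) return { ok: false, reason: 'token issued for a different client' };
  if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds) return { ok: false, reason: 'token expired' };
  if (typeof payload.sub !== 'string' || payload.sub === '') return { ok: false, reason: 'missing subject' };
  if (typeof payload.email !== 'string' || payload.email_verified !== true) return { ok: false, reason: 'email not verified' };
  return { ok: true, sub: payload.sub, email: payload.email };
}

// Builds the POST /login handler. Wire it to the real client like this:
//   const client = new OAuth2Client(CLIENT_ID);
//   app.post('/login', createLoginHandler(
//     (t) => client.verifyIdToken({ idToken: t, audience: CLIENT_ID }), CLIENT_ID));
function createLoginHandler(verifyIdToken, clientId) {
  return async function login(req, res) {
    const token = req.body && req.body.token;
    if (typeof token !== 'string' || token === '') return res.status(400).send('missing token');
    let payload;
    try {
      const ticket = await verifyIdToken(token); // rejects a forged, expired or foreign token
      payload = ticket.getPayload();
    } catch (err) {
      return res.status(401).send('invalid token'); // do not echo verifier details to the client
    }
    const result = checkIdTokenClaims(payload, clientId);
    if (!result.ok) return res.status(401).send('invalid token');
    // `sub` is the stable Google account id; key the user record on it, not on the email.
    req.user = { sub: result.sub, email: result.email };
    return res.status(200).send('success');
  };
}
```

The tokeninfo endpoint from the question only decodes the token; the signature and audience checks done by verifyIdToken are what stop a token minted for another app, or by someone else, from logging in.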
> The question is how we can verify that this token is valid and not one sent by a hacker?
A hacker cannot generate a valid token that will fetch the values from the Google API.
Google is using OpenID Connect (OAuth 2.0), which is very secure. The process, in a nutshell, for you: you receive a code=*****, then exchange the code for an access_token/id_token. The token is generated so, and no other arbitrary token can access any Google resources using the Google API. It will return an invalid token error.