Google 登录流程后如何授权调用
[英]How to authorize calls after Google Sign-In flow
问题描述
First things first, I've been trying to find an answer to this topic but most of the questions/answers refer to an already discontinued library Google Sign-In .
首先,我一直在尝试寻找该主题的答案,但大多数问题/答案都涉及已经停产的图书馆Google Sign-In 。
Also, most examples cover the Authentication (sign in, sign up) process, without addressing the User Session and authorization flow.此外,大多数示例都涵盖了身份验证(登录、注册)过程,而没有解决用户 Session 和授权流程。 By this, I mean: After the user signs in with Google, what am I supposed to do and how do I make sure subsequent calls to my server endpoints are authorized?我的意思是:用户登录 Google 后,我应该做什么以及如何确保对我的服务器端点的后续调用获得授权? For example, if the user has not (yet) authenticated with Google, then some endpoints in my server will reject the call with a 401.例如,如果用户(尚未)通过 Google 进行身份验证,那么我服务器中的某些端点将拒绝使用 401 的调用。
I have been experimenting with the new library https://developers.google.com/identity with a Java Spring Boot server component, but the Google service only returns a jwt token with 1hr expiration after signup.我一直在试验新库https://developers.google.com/identity和 Java Spring 引导服务器组件,但 Google 服务仅返回一个jwt令牌,注册后 1 小时过期。 That's not enough for a complete OAuth 2.0 implementation, right?对于完整的 OAuth 2.0 实施来说,这还不够,对吗? (where's the refresh token?) How would I handle User sessions in my server if that token expires, and how to handle calls to my protected endpoints? (刷新令牌在哪里?)如果该令牌过期,我将如何处理服务器中的用户会话,以及如何处理对受保护端点的调用?
Then maybe using Google OAuth2.0 is what I'm looking for.那么也许使用 Google OAuth2.0 就是我正在寻找的。 But I thought this library https://developers.google.com/identity/protocols/oauth2) was only meant to access Google APIs and not for using those tokens to protect my own endpoints.但我认为这个库https://developers.google.com/identity/protocols/oauth2)只是为了访问谷歌 API 而不是为了使用这些令牌来保护我自己的端点。 I think this is where my assumption was wrong.我认为这是我的假设错误的地方。
Can someone help me clarify this?有人可以帮我澄清一下吗? and what's the best approach?最好的方法是什么?
1 个解决方案
解决方案1
1 2021-08-26 18:31:59
I can help with the general pattern, and it feels like your comment about using Google OAuth2 is correct.我可以帮助解决一般模式,感觉您关于使用 Google OAuth2 的评论是正确的。
IDENTITY PROVIDERS身份提供者
There are lots of these - ways to sign in. Google is a good option but you may want others as well.登录方式有很多。Google 是一个不错的选择,但您可能还需要其他方式。
AUTHORIZATION SERVER (AS)授权服务器(AS)
This manages connections to multiple identity providers, and then gives you full control over the tokens issued afterwards, so that you have what you need to protect your data.这会管理与多个身份提供者的连接,然后让您完全控制随后颁发的令牌,以便您拥有保护数据所需的一切。
It is common to choose an AS based on these types of capabilty:通常根据这些类型的功能选择 AS:
CHOOSING AN AUTHORIZATION SERVER选择授权服务器
It feels like you are running into the foreign access token problem, which is common when plugging social login libraries into apps:感觉就像您遇到了foreign access token问题,这在将社交登录库插入应用程序时很常见:
- Tokens from the likes of Facebook are definitely not meant to be used to protect your own APIs.来自 Facebook 之类的令牌绝对不能用于保护您自己的 API。 One indicator of this is if no JWKS or Iintrospection endpoint is provided, meaning APIs have no way of validating access tokens.一个指标是如果没有提供 JWKS 或 Iintrospection 端点,这意味着 API 无法验证访问令牌。
I suspect that your problem might be that your app is using Google Sign In (Identity Provider), whereas Google OAuth2 (Authorization Server) would give you better options.我怀疑您的问题可能是您的应用正在使用 Google Sign In(身份提供者),而 Google OAuth2(授权服务器)会给您更好的选择。 I have not used this provider in a big way myself though, so cannot advise you on Google specifics.我自己并没有大量使用这个提供商,所以不能就谷歌的细节向你提供建议。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.