PHP 使用 Google oAuth 将站点集成到 Thingsboard，无需每次都要求用户登录

Question

I am trying to use google oAuth - openid to link Thingsboard (IoT open source) with one another site. I am able to do that successfully once, when I login to google account. But my requirement is to use the auth code / access token next time and get the request authenticated. User should not be asked to login to the google account again.

Code:

<?php
ob_start();
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
require 'vendor/autoload.php';

$client = new Google_Client();
$client->setApplicationName("My APP");
$client->setClientId('Redacted');
$client->setClientSecret('Redacted');
$client->setRedirectUri('REDIRECT URLS'); //This same page.
$client->setAccessType("offline");
$client->addScope("email");
$client->addScope("profile");
$client->addScope("openid");
$client->setPrompt("consent");
$client->setApprovalPrompt("force");
$strtoken = getToken();//This will get the token from the file, if token exists.

if($strtoken <> '') //If the token exists retrived from the file, no need to ask user to login. 
{​​​​
    $new_token = "";
    $accessToken="";
    echo "strtoken" . $strtoken;
    $accessToken = json_decode(file_get_contents("/home/www/token.txt"), true);
    $ref_token = $accessToken['refresh_token'];
    $access_token= $accessToken['access_token'];

    $client->setAccessToken($accessToken);
    if ($client->isAccessTokenExpired()) {​​​​
        $client->fetchAccessTokenWithRefreshToken($client->getRefreshToken());
        updateToken(json_encode($client->getAccessToken()));
    }​​​​
    header("Location: IOT URL"); //The Thingsboard home page url. 
    die;
}​​​​

if(isset($_GET['code']))
{​​​​
    $client->authenticate($_GET['code']);
    $arrtoken = $client->getAccessToken();
    $access_token = $arrtoken['access_token'];
    $tokens_encoded = json_encode($arrtoken);
    $client->setAccessToken($arrtoken['access_token']);
    updateToken($tokens_encoded);
    header("Location: IOT URL");//The Thingsboard home page url. 
    die();
}​​​​
if($strtoken == "" && !(isset($_GET['code'])))
{​​​​?>
    <a class="login-btn" href="<?php echo $client->createAuthUrl(); ?>">Login</a><br>
<?php}​​​​
function updateToken($token)
{​​​​
    $myfile = fopen("token.txt", "w+");
    fwrite($myfile, $token); 
    fclose($myfile);
}​​​​

function getToken()
{​​​​
    $token = "";
    $filename = "/home/www/token.txt";
    $fh = fopen($filename,'r');
    while ($line = fgets($fh)) 
    {​​​​
      $token  = $line;
    }​​​​
    fclose($fh);    
    return $token;    
}​​​​
?>

Answer 1

I can see from comments that you appear to have a refresh token in that file. That's good now check that the refresh token is in this value $ref_token = $accessToken['refresh_token']; So $ref_token should be the same value thats in the the file.

Once thats done you need to make sure that its set on the client

$client->refreshToken($ref_token);

Once that is set you should be able to use

$client->fetchAccessTokenWithRefreshToken($client->getRefreshToken());

Remember though if you get a expired token at this point its the refresh token thats expired and you need to authorize the user again to request a new one.

clarification.

From comments i think you are a little confused as to what your code is going to allow you to do.

$client->addScope("email");
$client->addScope("profile");
$client->addScope("openid");

What you are doing is requesting authorization of the user to access their profile data. This means that you could use the Google people api to request information of the user. your app has been granted consent to access the users data this is called Authorization.

The following statement from comments

When I redirect the user to Thingsboard dashboard url, it is not recognizing this oauth user and throws to login page.

In order to access a Thingsboard Dashboard, your user needs to be logged into Thingsboard. This is called Authentication or signin you are authenticating that the user behind the machine is in in fact the owner of the account, they have a login and password so they can sign in.

The first thing you need to understand that authorization and authencation are two different things.

Then you need to understand as far as authentication goes. Google and Thingsboard are two different companies. They each have their own authorization server which allow their users to sign in to their applications.

Google can not help you sign in to Thingsboard web app only Thingsboard has access to do that.

So no php code you can create using a Google Oauth is going to allow you to signin to Thingsboard web application.