Retrieve Google Auth tokens from Okta sign-in?
I have an application that relies on access to Google Calendar. And, until now, I have authed through a "Sign in with Google" option, requesting the needed Calendar scopes.
What I'm trying to accomplish: I would like to allow Okta customers the ability to authenticate (mostly so I can support the SCIM management). The trouble is I am not clear on how to retrieve the needed Google auth credentials to access the Google Calendar API.
Where I'm at, so far: In my own Okta instance, I have successfully configured Google as an IDP, as well as an Okta app (tile), and can authenticate (OIDC) into Okta with my Google credentials, from my Node app. However, the returned external_id, access_token, and refresh_token are all relevant to Okta, not Google.
The Question: Is there a way to get the needed Google authorization elements, both access_token and refresh_token, from my handshake with Okta?
The design pattern you need is to use embedded tokens, where the Google access token is embedded as a custom claim inside the Okta access token. By doing so, the authenticated user can access both their application resources and also their own Google resources.
Unfortunately most providers don't support this, though it is a commonly desired extensibility feature. For Okta I would take a look at the custom claims handling and in particular the Okta Expression Language. Hopefully you can get the Google access token as an attribute of the Idp User Profile, e.g. named access_token, though I don't know for sure if it will work.
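The consuming side of the embedded-token pattern described in the answer, as an added example that is not part of the original post and not Okta's own code: the API validates the outer access token (signature, issuer, audience, expiry) before it trusts the embedded claim. The key pair, issuer, audience, token value and the claim name google_access_token are constructed assumptions, and RS256 signing is assumed.

```javascript
// Added example. Keys, issuer, audience and claim name are constructed, not real Okta values.
const crypto = require('node:crypto');

const b64u = (s) => Buffer.from(s).toString('base64url');

// Stand-in for the authorization server: issues an RS256-signed JWT access token.
function signJwt(payload, privateKey) {
  const head = b64u(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64u(JSON.stringify(payload));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${sig.toString('base64url')}`;
}

// API side: validate the outer token first, only then return the embedded claim.
function extractEmbeddedToken(jwt, publicKey, opts) {
  const { issuer, audience, claim, now = Date.now() / 1000 } = opts;
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  const header = JSON.parse(Buffer.from(head, 'base64url').toString());
  // Pin the algorithm; never let the token header choose how it is verified.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${head}.${body}`),
    publicKey, Buffer.from(sig, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const p = JSON.parse(Buffer.from(body, 'base64url').toString());
  if (p.iss !== issuer) throw new Error('wrong issuer');
  if (p.aud !== audience) throw new Error('wrong audience');
  if (typeof p.exp !== 'number' || p.exp <= now) throw new Error('expired');
  if (typeof p[claim] !== 'string' || p[claim] === '') throw new Error('embedded token missing');
  return p[claim]; // sent as the Bearer token to the Google API; keep it out of logs
}

// Constructed demo values (hypothetical issuer, audience and claim name).
const DEMO_OPTS = {
  issuer: 'https://example.okta.test/oauth2/default',
  audience: 'api://calendar-app',
  claim: 'google_access_token',
};

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const exp = Math.floor(Date.now() / 1000) + 300;
  const jwt = signJwt({ iss: DEMO_OPTS.issuer, aud: DEMO_OPTS.audience, exp,
    google_access_token: 'constructed-google-token' }, privateKey);
  return extractEmbeddedToken(jwt, publicKey, DEMO_OPTS);
}
console.log(demo());
```

In a real deployment the public key would come from the issuer's published signing keys rather than a locally generated pair.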