为什么 Google Oauth2 在通过移动应用程序进行身份验证时拒绝客户端 ID?
[英]Why is Google Oauth2 rejecting client id when authenticating via mobile app?
问题描述
we have a multifaceted application encountering some issues with Google OAuth. There is a Java-based API, along with a React front end and React Native mobile app.
我们有一个多方面的应用程序遇到了谷歌 OAuth 的一些问题。有一个基于 Java 的 API,以及一个 React 前端和 React Native 移动应用程序。
For some time now we have been successfully using OAuth2 to allow Google users to sign in via the React app.一段时间以来,我们已经成功地使用 OAuth2 来允许 Google 用户通过 React 应用程序登录。 We're using the offline/code approach so we first request an authorization code, which gets sent to our API and is then exchanged for a token via Googles servers.我们使用离线/代码方法,因此我们首先请求授权代码,该代码被发送到我们的 API,然后通过 Google 服务器交换令牌。 The API is responsible for additional checks and account setup. API 负责额外的检查和帐户设置。
We're hitting problems however in the mobile app (React native).然而,我们在移动应用程序(React native)中遇到了问题。 The app 'appears' to be behaving correctly in that it's obtaining an authorization code, however, when we send this to our API and the API attempts to exchange the code for a token, the response we get back is该应用程序“似乎”表现正常,因为它正在获取授权代码,但是,当我们将其发送到我们的 API 并且 API 尝试将代码交换为令牌时,我们得到的响应是
{
"error": "unauthorized_client",
"error_description": "Unauthorized"
}
We can see in our logs, the request looks good.我们可以在日志中看到,请求看起来不错。 If we compare the post body of this failing request, with the body of a working request we can see content is identical except for the authorization code.如果我们将这个失败请求的帖子正文与工作请求的正文进行比较,我们可以看到除了授权代码之外内容是相同的。 Which is expected.这是预期的。 So the unauthorized_client error is somewhat misleading.所以 unauthorized_client 错误有点误导。
On the Google Oauth side, both the Android credentials and the Web credentials(used by API) are under the same project, so my understanding is, although they have different client ids, there should not be a problem as Google OAuth supports Cross Client Identity .在谷歌 Oauth 端,Android 凭证和 Web 凭证(由 API 使用)都在同一个项目下,所以我的理解是,虽然它们具有不同的客户端 ID,但应该没有问题,因为谷歌 OAuth 支持跨客户端身份.
Has anyone encountered a similar situation and understands what our problem really is?有没有人遇到过类似情况并了解我们的问题到底是什么?
1 个解决方案
解决方案1
0 2022-11-25 11:51:02
The issue can happen if you take a refresh token that was created on a web application and then try to use it on an installed application it wont work as that client id was not the one that was used to create the refresh token.如果您采用在 web 应用程序上创建的刷新令牌,然后尝试在已安装的应用程序上使用它,则可能会发生此问题,因为该客户端 ID 不是用于创建刷新令牌的客户端 ID。
There is however a single exception that i am aware of.但是,我知道有一个例外。 A mobile app client can use the tokens created by other client types with in the same project, this does not work the other way though.移动应用程序客户端可以在同一项目中使用其他客户端类型创建的令牌,但反之则不行。 Web and installed clients can not use tokens created by mobile app clients. Web 和已安装的客户端不能使用移动应用程序客户端创建的令牌。 There is something inside mobile clients that is not in the web and installed clients.移动客户端中有些东西不在 web 和已安装的客户端中。
hence unauthorized_client meaning that this client id was not authorized by the user.因此 unauthorized_client 意味着这个客户端 id 没有被用户授权。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.