是否可以从AccountManager获取身份验证令牌而不触发“权限请求”对话框?
[英]Is it possible to get an auth token from AccountManager without triggering the “Permission request” dialog?
问题描述
I'm developing a client-server application and want to offer single sign on for the user where they can sign in with Google. 
我正在开发一个客户端 - 服务器应用程序,并希望为用户提供单点登录,以便他们可以使用Google登录。 I'm planning to do this by getting an access token on the phone using the AccountManager and then sending this token to the server to verify the token and log in the user. 我打算通过使用AccountManager在手机上获取访问令牌,然后将此令牌发送到服务器以验证令牌并登录用户来实现此目的。
When I call the method getAuthToken in the AccountManager a dialog is shown where the user has to allow this, however Chrome on Android allows you to log in and synchronize your browser data with your Google account without this dialog being shown. 当我在AccountManager中调用方法getAuthToken时,会显示一个对话框,其中用户必须允许此操作,但Android上的Chrome允许您登录并将您的浏览器数据与您的Google帐户同步,而不会显示此对话框。 So Chrome seems to be able to get hold of an access token without any dialog being shown to the user and it would be very nice if I could do the same with my app. 因此,Chrome似乎能够获取访问令牌而不向用户显示任何对话框,如果我可以对我的应用程序执行相同操作,那将非常好。
When looking at the source code for Android and the implementation of getAuthToken it seems like access is granted automatically if the application is a preinstalled application or if the applications UID is the same as the UID of the authenticator (of the Google account). 在查看Android的源代码和getAuthToken的实现时,如果应用程序是预安装的应用程序,或者应用程序UID与(Google帐户的)身份验证器的UID相同,则似乎会自动授予访问权限。
Neither my app nor Chrome is preinstalled so that check is false in both cases. 我的应用和Chrome都没有预先安装,因此在这两种情况下检查都是错误的。 My app can of course not share the UID with the Google account authenticator and I assume that there is a possibility that Chrome could share the UID with the authenticator since Google created both of them. 我的应用程序当然不能与Google帐户身份验证器共享UID,并且我认为Chrome可能会与身份验证器共享UID,因为Google创建了这两者。 If that's the case then it would explain why Chrome doesn't show any dialog. 如果是这种情况,则可以解释为什么Chrome不会显示任何对话框。
Is there some other way of not having this dialog being shown to the user when requesting an access token that I might be missing? 在请求我可能缺少的访问令牌时,是否有其他方法未向用户显示此对话框?
1 个解决方案
解决方案1
4 已采纳 2012-11-27 14:11:36
No, it's not possible 不,这是不可能的
After reading the Android source code a bit more carefully I see that the method hasAuthenticatorUid() returns true not only if the UID is the same, but also if the application is signed with the same signature as authenticator is signed with. 在仔细阅读Android源代码之后,我看到方法hasAuthenticatorUid()不仅在UID相同时返回true,而且如果应用程序签名时使用与签名者签名相同的签名。
To verify that this is the case with Chrome I have used the android-apktool on the Chrome apk file to be able to take a look at the manifest.xml for Chrome. 要验证Chrome的情况,我在Chrome apk文件中使用了android-apktool ,以便能够查看Chrome的manifest.xml。 There I could see that Chrome doesn't use a shared UID with the authenticator. 在那里,我可以看到Chrome不使用与身份验证器共享的UID。
After that I re-signed the Chrome apk with my own debug key and installed that apk on my phone. 之后,我用自己的调试密钥重新签名了Chrome apk,并在我的手机上安装了apk。 When I did this and tried to log in to Chrome I got several "Permission request" dialogs. 当我这样做并尝试登录Chrome时,我收到了几个“权限请求”对话框。
Because of this it's obvious that Chrome and the authenticator is signed with the same key and that's how Chrome can get permissions automatically that other third party apps can not get. 因此,很明显Chrome和验证者使用相同的密钥签名,这就是Chrome可以自动获取其他第三方应用无法获取的权限的方式。
So it is not possible for a third party app to get hold of a token for a Google account without showing a dialog to the user asking for permission and it is after all a really good thing. 因此,第三方应用程序无法获取Google帐户的令牌,而无需向用户请求权限请求权限,这毕竟是一件非常好的事情。 I wouldn't want any random app on my phone to be able to get access tokens to my account without my knowledge. 我不希望手机上的任何随机应用程序能够在我不知情的情况下访问我的帐户。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.