How to reset omniauth-google-oauth2 access_token when user account has been removed
We have this RoR application that uses omniauth-google-oauth2 with devise to sign in users. We are encountering an issue where, if the user's account has been deleted from the system after the user has already granted access to the application from his Google account, the authentication just goes into an endless loop.
The scenario goes something like:
The user can actually get out of this loop by logging out first. But that's not really obvious to the average user, so it is not an ideal solution.
Ideally, the solution would be to invalidate the access_token or revoke the application authorization in the callback phase, so that when the user tries to sign in again they can switch accounts.
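The revocation approach the question asks about, as an added example that is not part of the original question or answer: in the failure branch of the Devise callback, the token from the OmniAuth auth hash is sent to Google's token revocation endpoint, so the stale grant no longer silently re-authenticates the removed account. It assumes the auth hash is the one omniauth-google-oauth2 places in request.env["omniauth.auth"]; the sample hash below is constructed.

```ruby
require "net/http"
require "uri"

# Google's documented token revocation endpoint (accepts access or refresh tokens).
GOOGLE_REVOKE_URI = URI("https://oauth2.googleapis.com/revoke")

# Build the revocation request from the OmniAuth auth hash.
# Returning the request instead of sending it keeps the logic testable offline.
def build_revoke_request(auth_hash)
  token = auth_hash.dig("credentials", "token")
  raise ArgumentError, "auth hash carries no access token" if token.nil? || token.empty?

  req = Net::HTTP::Post.new(GOOGLE_REVOKE_URI)
  # Google expects the token as a form-encoded body parameter.
  req.set_form_data("token" => token)
  req
end

# Send the revocation; true on 2xx. Call this in the callback's else branch
# (account not provisioned) before redirecting, so the user's next sign-in
# has to go through consent again and can pick a different account.
def revoke_google_grant(auth_hash)
  req = build_revoke_request(auth_hash)
  res = Net::HTTP.start(GOOGLE_REVOKE_URI.host, GOOGLE_REVOKE_URI.port, use_ssl: true) do |http|
    http.request(req)
  end
  res.is_a?(Net::HTTPSuccess)
end

# Constructed sample in the shape omniauth-google-oauth2 produces (not a real token).
SAMPLE_AUTH = {
  "provider" => "google_oauth2",
  "uid" => "1234567890",
  "credentials" => { "token" => "ya29.constructed-sample-token" }
}

if __FILE__ == $PROGRAM_NAME
  req = build_revoke_request(SAMPLE_AUTH)
  puts "POST #{req.path} body=#{req.body}"
end
```

Revocation failing (network error, already-revoked token) should not block the redirect; treat the return value as best effort and still show the "account not provisioned" message.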
It is possible to override the approval_prompt in the sign_in URL, so you can set it to "force" and thereby get the user out of the catch-22, even though the google_oauth2 devise configuration has it set to "auto" (the default).
The trick is to communicate that this is what is needed from within the OmniauthCallbacksController. One simple and unobtrusive way is to set a temporary cookie:
class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
  def google_oauth2
    if user = User.find_for_google_oauth2(request.env["omniauth.auth"])
      cookies.delete :google_oauth2_approval_prompt
      flash[:notice] = I18n.t("devise.omniauth_callbacks.success", kind: "Google")
      sign_in_and_redirect user, event: :authentication
    else
      # we are not supporting self-service registration, so although
      # user has authenticated at Google and given consent to the app,
      # we are not going to allow the user in
      cookies[:google_oauth2_approval_prompt] = "force"
      flash[:error] = I18n.t("devise.omniauth_callbacks.failure", kind: "Google", reason: "account not provisioned")
      redirect_to root_url
    end
  end
end
Then in the view that renders the Google login, conditionally append the approval_prompt:
:ruby
  extra_params = if approval_prompt = cookies[:google_oauth2_approval_prompt]
                   {approval_prompt: approval_prompt}
                 else
                   {}
                 end
= link_to "Sign-in with Google",
          user_omniauth_authorize_path(:google_oauth2, extra_params)
So with all that in place, if a user first tries with a Google account that the application decides it is not going to accept, the user will have the chance to switch accounts when they try to log in again (because they'll be sent via the force-approval workflow).