How to reset omniauth-google-oauth2 access_token when user account has been removed

We have this ROR application that uses omniauth-google-oauth2 with devise to sign in users. We are encountering an issue where if the user's account has been deleted from the system after the user already granted access to the application from his Google account, the authentication just goes in an endless loop of authentication.

The scenario goes something like:

  1. The user authenticates via Google and grants access for the application.
  2. In the callback, our application determines if the user account is valid - deleted, or not created (our system does not support self-service registration).
  3. The user is not authorised (and not signed in), which is correct.
  4. If the user attempts to sign in via Google again, to try another account, Google transparently authorizes and redirects the user back to our application without giving the user a chance to change accounts.

The user can actually get out of this loop by logging out first. But that's not really obvious to the average user, so it is not an ideal solution.

Ideally, the solution would be to invalidate the access_token or revoke the application authorization in the callback phase so that when the user tries to sign in again they can switch accounts.

It is possible to override the approval_prompt in the sign_in URL, so you can set it to "force" and thereby get the user out of the catch-22, even though the google_oauth2 devise configuration has it set to "auto" (default).

The trick is to communicate that this is what is needed from within the OmniauthCallbacksController. One simple and unobtrusive way is to simply set a temporary cookie:

class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
  def google_oauth2
    if user = User.find_for_google_oauth2(request.env["omniauth.auth"])
      # account is provisioned: drop the hint so the next sign-in uses the default prompt
      cookies.delete :google_oauth2_approval_prompt
      flash[:notice] = I18n.t("devise.omniauth_callbacks.success", kind: "Google")
      sign_in_and_redirect user, event: :authentication
    else
      # we are not supporting self-service registration, so although
      # user has authenticated at Google and given consent to the app,
      # we are not going to allow the user in
      cookies[:google_oauth2_approval_prompt] = "force"
      flash[:error] = I18n.t("devise.omniauth_callbacks.failure", kind: "Google", reason: "account not provisioned")
      redirect_to root_url
    end
  end
end

Then in the view that renders the Google login, conditionally append the approval_prompt:

:ruby
  # only pass approval_prompt when the callback asked for it via the cookie
  extra_params = if approval_prompt = cookies[:google_oauth2_approval_prompt]
    {approval_prompt: approval_prompt}
  else
    {}
  end

= link_to "Sign-in with Google",
  user_omniauth_authorize_path(:google_oauth2, extra_params)

So with all that in place, if a user first tries with a Google account that the application decides it is not going to accept, the user will have the chance to switch accounts when they try to log in again (because they'll be sent via the force-approval workflow).
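The cookie handshake from the answer above, as an added stdlib-only example that is not the answer's code: a plain Hash stands in for the Rails cookie jar, the constructed PROVISIONED allow-list replaces User.find_for_google_oauth2, the route path and the ALLOWED_PROMPTS set are assumptions. It adds one check the answer's view lacks: the cookie is client-controlled, so its value is validated before it is placed in the authorize URL.

```ruby
require "uri"

APPROVAL_COOKIE = :google_oauth2_approval_prompt
# Assumption: only these two approval_prompt values are ever meaningful for us.
ALLOWED_PROMPTS = %w[force auto].freeze

# Constructed stand-in for User.find_for_google_oauth2 (email => user id).
PROVISIONED = { "alice@example.com" => "user-1" }.freeze

# Callback handler. `cookies` is a Hash standing in for the cookie jar and
# `auth_email` is the address omniauth put into request.env["omniauth.auth"].
# Returns the action the controller would take.
def google_oauth2_callback(cookies, auth_email)
  if (user_id = PROVISIONED[auth_email])
    cookies.delete(APPROVAL_COOKIE)        # provisioned: forget the hint
    { action: :sign_in, user_id: user_id }
  else
    cookies[APPROVAL_COOKIE] = "force"     # next sign-in must re-prompt at Google
    { action: :reject, reason: "account not provisioned" }
  end
end

# Builds the sign-in link. The cookie value is checked against ALLOWED_PROMPTS
# before it reaches the query string, so a tampered cookie cannot inject an
# arbitrary parameter value into the authorize request.
def google_sign_in_path(cookies, base = "/users/auth/google_oauth2")
  prompt = cookies[APPROVAL_COOKIE]
  return base unless ALLOWED_PROMPTS.include?(prompt)
  "#{base}?#{URI.encode_www_form(approval_prompt: prompt)}"
end

# Walks one browser through the loop: rejected with one account, offered the
# force prompt, then accepted with a provisioned account and the hint cleared.
def demo
  jar = {}
  first  = google_oauth2_callback(jar, "mallory@example.com")
  link   = google_sign_in_path(jar)
  second = google_oauth2_callback(jar, "alice@example.com")
  [first[:action], link, second[:action], google_sign_in_path(jar)]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```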
