android – Google总是返回过期的id令牌(JWT)
作者:互联网
If you use the ID token expiry time to determine your session lifetime, you should retrieve a refreshed ID token, by calling silentSignIn prior to each API call to your application server.
我试图通过调用silentSignIn来获取新的令牌.但是,我总是得到相同的过期ID令牌.有人可以帮我指出正确的文档,说明如何强制刷新以获取新令牌.我的代码没什么特别的.它几乎与谷歌样本中的相同.
private void buildGoogleApiClient()
{
// Configure sign-in to request the user's ID, email address, and basic profile. ID and
// basic profile are included in DEFAULT_SIGN_IN.
GoogleSignInOptions gso = new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
//.requestServerAuthCode(serverClientId)
.requestIdToken(SERVER_ID)
.requestScopes(new Scope(Scopes.PLUS_LOGIN))
.requestEmail()
.build();
// Build a GoogleApiClient with access to GoogleSignIn.API and the options above.
mGoogleApiClient = new GoogleApiClient.Builder(this)
.enableAutoManage(this, this)
.addApi(Auth.GOOGLE_SIGN_IN_API, gso)
.build();
}
我按上述方法构建了API,当用户点击使用google按钮登录时,我执行以下操作
OptionalPendingResult<GoogleSignInResult> opr = Auth.GoogleSignInApi.silentSignIn(mGoogleApiClient);
if (opr.isDone())
{
// If the user's cached credentials are valid, the OptionalPendingResult will be "done"
// and the GoogleSignInResult will be available instantly.
Timber.d("Got cached sign-in");
GoogleSignInResult result = opr.get();
handleSignInResult(result);
}
else
{
// If the user has not previously signed in on this device or the sign-in has expired,
// this asynchronous branch will attempt to sign in the user silently. Cross-device
// single sign-on will occur in this branch.
Timber.d("Checking if user has already given access to this app on an other device.");
showProgressDialog();
opr.setResultCallback(new ResultCallback<GoogleSignInResult>()
{
@Override
public void onResult(GoogleSignInResult googleSignInResult)
{
hideProgressDialog();
handleSignInResult(googleSignInResult);
}
});
}
handleSignInResult方法将获取id标记为
GoogleSignInAccount acct = result.getSignInAccount();
String idToken = acct.getIdToken();
Timber.d(acct.getIdToken());
编辑1
我有另一个相关的问题.
在我从https://security.google.com/settings/u/1/security/permissions撤销权限后,我仍然能够检索ID令牌(JWT).我们假设此令牌已缓存,Android播放服务从本地副本提供.令牌过期后(60分钟),播放服务应与Google的服务联系以获取最新状态.但是,我没有看到这种情况发生.事实上,我注意到的另一件奇怪的事情是,当我在大约一天之后调用silentSignIn()之后,我在未经用户同意的情况下获得了新的令牌.有人可以测试这个用例,让我知道输出.
如何确保要求用户在撤消用户时再次授予权限.
解决方法:
您将需要使用startActivityForResult(),然后处理onActivityResult()中的登录结果,如Integrating Google Sign-In into Your Android App所述.然后,要验证令牌的真实性,请参阅Google的Google登录Android指南,了解如何Authenticate with a backend server.
一种简单的方法是将令牌传递给Google tokeninfo端点
https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123其中XYZ123是您的令牌.
标签:android,google-oauth 来源: https://codeday.me/bug/20191006/1861199.html