Android(Google登录):如何验证服务器上ID令牌的完整性?
作者:互联网
我使用此方法获取ID令牌:
GoogleSignInAccount acct = googleSignInResult.getSignInAccount();
String toekn_id = acct.getIdToken();
现在,如何验证服务器上ID令牌的完整性?
谷歌:
Warning: Do not accept plain user IDs, such as those you can get with the GoogleSignInAccount.getId() method, on your backend server. A modified client application can send arbitrary user IDs to your server to impersonate users, so you must instead use verifiable ID tokens to securely get the user IDs of signed-in users on the server side.
解决方法:
来自文档:https://developers.google.com/identity/sign-in/web/backend-auth#using-a-google-api-client-library
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
...
GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(transport, jsonFactory)
.setAudience(Arrays.asList(CLIENT_ID))
// If you retrieved the token on Android using the Play Services 8.3 API or newer, set
// the issuer to "https://accounts.google.com". Otherwise, set the issuer to
// "accounts.google.com". If you need to verify tokens from multiple sources, build
// a GoogleIdTokenVerifier for each issuer and try them both.
.setIssuer("https://accounts.google.com")
.build();
// (Receive idTokenString by HTTPS POST)
GoogleIdToken idToken = verifier.verify(idTokenString);
if (idToken != null) {
System.out.println("Valid ID token.");
} else {
System.out.println("Invalid ID token.");
}
要使用这些API,请将以下内容添加到build.gradle中:
repositories {
mavenCentral()
}
dependencies {
compile 'com.google.api-client:google-api-client:1.20.0'
}
标签:google-signin,googlesigninaccount,android 来源: https://codeday.me/bug/20191118/2030025.html