How to verify the response from Google Identity Services

Posted 2025-02-11 19:36:44 · 620 characters · 1 view · 0 comments


I'm trying to log users in with Google and I'm using their Identity Services; I used the following code on the client side.

```javascript
google.accounts.id.initialize({
  client_id: "*********.apps.googleusercontent.com",
  callback: handleCallback,
});
```

The response I get is extremely limited, as in I get

  1. clientId
  2. credential
  3. select_by

and after decoding the credential I get basic user info with

  1. nbf
  2. aud
  3. sub
  4. azp
  5. iat
  6. jti

I have no idea what these are.
So when I send this information to my server, I can easily store it and generate an ID to be sent back to the client to log them in using a cookie. But when the user logs out and logs back in, how do I avoid creating multiple entries on my server? How do I check in my database that the new user already has an account? I don't think I could match the incoming email address to the one stored in my database, since that would be a security risk. How do I actually verify the request to my server?


Comments (1)

墨落成白 2025-02-18 19:36:44


You should read through Verify ID token. Depending upon which client library you are using, there should be a method that you can call to verify it.

Java, for example:

```java
GoogleIdToken idToken = verifier.verify(idTokenString);
if (idToken != null) {
  Payload payload = idToken.getPayload();

  // Print user identifier
  String userId = payload.getSubject();
  System.out.println("User ID: " + userId);

  // Get profile information from payload
  String email = payload.getEmail();
  boolean emailVerified = Boolean.valueOf(payload.getEmailVerified());
  String name = (String) payload.get("name");
  String pictureUrl = (String) payload.get("picture");
  String locale = (String) payload.get("locale");
  String familyName = (String) payload.get("family_name");
  String givenName = (String) payload.get("given_name");
} else {
  // verify() returns null when the signature, issuer, audience or expiry check fails
  System.out.println("Invalid ID token.");
}
```

As for the claims, have a look in the RFC: rfc7519#section-4.1

  • "sub" (Subject) Claim - Users google internal id
  • "aud" (Audience) Claim - Who the token was intended for.
  • "exp" (Expiration Time) Claim - when it will expire
  • "nbf" (Not Before) Claim - when it was good from
  • "iat" (Issued At) Claim - when it was issued
  • "jti" (JWT ID) Claim - Id of this claimset.
  • "azp". Authorized party - the party to which the ID Token was issued

Sub is your magic claim. This will tell you the user's internal Google ID, so if you store this in your system along with the user's account on your system, you will always be able to link them. This is called account linking.
