我的目标是为我的Android应用程序构建简单的应用程序引擎后端。此后端的目的只是验证Android客户端调用,并提供密码,该密码将用于与我的服务器的进一步https通信。 所以我开始根据这篇http://android-developers.blogspot.in/2013/01/verifying-back-end-calls-from-android.html文章。 客户端看起来像:
GoogleAuthUtil.getToken(MainActivityy.this, "my.email@gmail.com", "audience:server:client_id:my_Client_ID_for_web_applications.apps.googleusercontent.com");
此方法返回如下所示的标记:
eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiMWIyZTllNGU2NGE0MmIzM2U3YjMxMDQwNzUyMzIxYmVlMmJkYmEifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiZW1haWwiOiJtYXRvLnBldHJ1bGFrQGdtYWlsLmNvbSIsInZlcmlmaWVkX2VtYWlsIjoidHJ1ZSIsImVtYWlsX3ZlcmlmaWVkIjoidHJ1ZSIsImNpZCI6IjU0ODk4MTY3NzkzMC0xcGxxamF2OWloOGU4MGJ0ZWdpYzg0YmcycjlxN2MwMi5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImF6cCI6IjU0ODk4MTY3NzkzMC0xcGxxamF2OWloOGU4MGJ0ZWdpYzg0YmcycjlxN2MwMi5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImF1ZCI6IjU0ODk4MTY3NzkzMC5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImlkIjoiMTE4MTQ0NjEyNDkzMTM1NzYxOTUwIiwic3ViIjoiMTE4MTQ0NjEyNDkzMTM1NzYxOTUwIiwiaWF0IjoxMzY4NzExODk0LCJleHAiOjEzNjg3MTU3OTR9.oN5ncz6MEAZBW8NXDhc4O-Y82C2mma675lbw9ZZA-1bs8zM9FKQG1K97PfNfxJFImiPMY8UYIjhqDIkHpErjaV0KDJpLv8NkmsdADOFjt5eQkFGWf92fufL7QEIkWqLL1fKxG7f8-OR59O5AOAVchdgtqDt4DhEH7oHfAZqf3wU
现在我想在后端验证这个令牌。所以我使用谷歌插件为eclpise创建了新的Web应用程序项目。它会生成一些示例项目。对于这个项目,我从上面提到的文章中添加了Checker类。看起来像这样:
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Logger;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.gson.GsonFactory;
public class Checker {
private final List mClientIDs;
private final String mAudience;
private final GoogleIdTokenVerifier mVerifier;
private final JsonFactory mJFactory;
private String mProblem = "Verification failed. (Time-out?)";
private Logger log ;
public Checker(String[] clientIDs, String audience) {
mClientIDs = Arrays.asList(clientIDs);
mAudience = audience;
NetHttpTransport transport = new NetHttpTransport();
mJFactory = new GsonFactory();
mVerifier = new GoogleIdTokenVerifier(transport, mJFactory);
log = Logger.getLogger(Checker.class.getName());
log.severe("CHECKER CRETAED");
}
public GoogleIdToken.Payload check(String tokenString) {
GoogleIdToken.Payload payload = null;
log.severe("CHECK START");
try {
log.severe("CHECK 1");
GoogleIdToken token = GoogleIdToken.parse(mJFactory, tokenString);
log.severe("CHECK 2");
if (mVerifier.verify(token)) {
log.severe("CHECK 3");
GoogleIdToken.Payload tempPayload = token.getPayload();
log.severe("CHECK4");
if (!tempPayload.getAudience().equals(mAudience)){
mProblem = "Audience mismatch";
log.severe("Audience mismatch");
}
else if (!mClientIDs.contains(tempPayload.getIssuee())){
mProblem = "Client ID mismatch";
log.severe("Client ID mismatch");
}
else{
payload = tempPayload;
log.severe(payload.getEmail().toString());
log.severe("CHECK 5");
}
}
} catch (GeneralSecurityException e) {
log.severe("Security issue: " + e.getLocalizedMessage());
mProblem = "Security issue: " + e.getLocalizedMessage();
} catch (IOException e) {
log.severe("Network problem: " + e.getLocalizedMessage());
mProblem = "Network problem: " + e.getLocalizedMessage();
}
log.severe("CHECK END");
return payload;
}
public String problem() {
return mProblem;
}
}
现在我做这样的事情来验证Android客户端提供的令牌。
String [] clinetidS = new String [] {"xxxxxxxxxxxxx-plqjav9ih8e80btegic84bg2r9q7c02.apps.googleusercontent.com"}; //Client ID for installed applications
Checker checker = new Checker(clinetidS, "my_project_at_appspot.appspot.com");
checker.check("eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiMWIyZTllNGU2NGE0MmIzM2U3YjMxMDQwNzUyMzIxYmVlMmJkYmEifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiZW1haWwiOiJtYXRvLnBldHJ1bGFrQGdtYWlsLmNvbSIsInZlcmlmaWVkX2VtYWlsIjoidHJ1ZSIsImVtYWlsX3ZlcmlmaWVkIjoidHJ1ZSIsImNpZCI6IjU0ODk4MTY3NzkzMC0xcGxxamF2OWloOGU4MGJ0ZWdpYzg0YmcycjlxN2MwMi5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImF6cCI6IjU0ODk4MTY3NzkzMC0xcGxxamF2OWloOGU4MGJ0ZWdpYzg0YmcycjlxN2MwMi5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImF1ZCI6IjU0ODk4MTY3NzkzMC5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImlkIjoiMTE4MTQ0NjEyNDkzMTM1NzYxOTUwIiwic3ViIjoiMTE4MTQ0NjEyNDkzMTM1NzYxOTUwIiwiaWF0IjoxMzY4NzExODk0LCJleHAiOjEzNjg3MTU3OTR9.oN5ncz6MEAZBW8NXDhc4O-Y82C2mma675lbw9ZZA-1bs8zM9FKQG1K97PfNfxJFImiPMY8UYIjhqDIkHpErjaV0KDJpLv8NkmsdADOFjt5eQkFGWf92fufL7QEIkWqLL1fKxG7f8-OR59O5AOAVchdgtqDt4DhEH7oHfAZqf3wU");
现在问题是Checker类从未通过此检查:
if (mVerifier.verify(token))
有什么方法可以在线检查android令牌?有任何想法吗?? 或哪里可以成问题?
答案 0 :(得分:7)
您始终可以使用curl查看
以交互方式检查令牌curl https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=<your-id-token-here&gt;
mVerifier.verify的异常/问题是什么?
答案 1 :(得分:3)
这是一个较老的问题,我想你已经找到了答案。但为了以下情况:点击此link并向下滚动。 基本上它告诉你下载并包含this library并写下这段代码:
import java.io.IOException;
import java.security.GeneralSecurityException;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.gson.GsonFactory;
public class Checker {
private final List mClientIDs;
private final String mAudience;
private final GoogleIdTokenVerifier mVerifier;
private final JsonFactory mJFactory;
private String mProblem = "Verification failed. (Time-out?)";
public Checker(String[] clientIDs, String audience) {
mClientIDs = Arrays.asList(clientIDs);
mAudience = audience;
NetHttpTransport transport = new NetHttpTransport();
mJFactory = new GsonFactory();
mVerifier = new GoogleIdTokenVerifier(transport, mJFactory);
}
public GoogleIdToken.Payload check(String tokenString) {
GoogleIdToken.Payload payload = null;
try {
GoogleIdToken token = GoogleIdToken.parse(mJFactory, tokenString);
if (mVerifier.verify(token)) {
GoogleIdToken.Payload tempPayload = token.getPayload();
if (!tempPayload.getAudience().equals(mAudience))
mProblem = "Audience mismatch";
else if (!mClientIDs.contains(tempPayload.getIssuee()))
mProblem = "Client ID mismatch";
else
payload = tempPayload;
}
} catch (GeneralSecurityException e) {
mProblem = "Security issue: " + e.getLocalizedMessage();
} catch (IOException e) {
mProblem = "Network problem: " + e.getLocalizedMessage();
}
return payload;
}
public String problem() {
return mProblem;
}
}
答案 2 :(得分:0)
她是一个有用的代码,用于检查来自Google的令牌身份验证。我正在使用Java EE,因此如果您使用普通的Java可能会略有不同:
public JsonObject authenticateFromToken(String token) {
JsonObject jsonst = null;
JsonReader p = null;
try {
p = Json.createReader(new URL("https://www.googleapis.com/oauth2/v1/tokeninfo?access_token="+token).openStream());
jsonst = (JsonObject) p.read();
} catch (FileNotFoundException e2) {
e2.printStackTrace();
} catch (MalformedURLException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
return jsonst;
}
获得JsonObject后,您可以从中获取信息:
jsonObject.getString("user_id");
或
jsonObject.getString("email");
等...