我有一个简单的Google App Engine后端和一个简单的Android应用程序,我想要从Android App到服务器进行经过身份验证的请求。我读到了关于Google Cloud Endpoints的内容,即使它是一个非常好的API,我觉得这对我想做的事情有点过分。我只想做一个经过身份验证的HTTP请求并获取响应文本。
GET myappid.appspot.com/api/user
应该回答:
Hello john.doe
如果用户 john.doe@gmail.com 执行请求。
我创建了一个新的App Engine项目:
WEB_CLIENT_ID=123456789012.apps.googleusercontent.com
并注册了Android应用程序(“直接从Android访问API”):
package name : com.myappid
debug SHA1 fingerprint: 3a:e1:05:17:15:54:c6:c7:9b:ef:19:74:ae:5b:f7:0f:c3:d5:45:9d
这创造了
ANDROID_CLIENT_ID=123456789012-9f4sd525df3254s3d5s40s441df705sd.apps.googleusercontent.com
application: myappid
version: 1
runtime: python27
api_version: 1
threadsafe: true
handlers:
- url: /api/.*
secure: always
script: api.APP
libraries:
- name: webapp2
version: latest
- name: pycrypto
version: latest
import webapp2
from google.appengine.api import users
from google.appengine.api import oauth
class GetUser(webapp2.RequestHandler):
def get(self):
user = users.get_current_user()
self.response.headers['Content-Type'] = 'text/plain'
self.response.out.write('Hello, {}\n'.format('None' if user is None else user.nickname()))
try:
user = oauth.get_current_user()
self.response.out.write('Hello OAuth, {}\n'.format('None' if user is None else user.nickname()))
except Exception as e:
self.response.out.write(str(e)+'\n')
class SignIn(webapp2.RequestHandler):
def get(self):
if users.get_current_user() is None:
self.redirect(users.create_login_url(self.request.uri))
APP = webapp2.WSGIApplication([
('/api/user', GetUser),
('/api/signin', SignIn),
], debug = True)
public class MainActivity extends Activity
{
private static final String CLIENT_ID = "123456789012.apps.googleusercontent.com";
private static final String SCOPE = "audience:server:client_id:" + CLIENT_ID;
private static final int AUTH_REQUEST_CODE = 1;
private Account mAccount;
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
mAccount = AccountManager.get(mActivity).getAccountsByType(GoogleAuthUtil.GOOGLE_ACCOUNT_TYPE)[0];
new GetAuthToken().execute(mAccount.name);
}
protected void log(String msg) {
TextView tv = (TextView) mActivity.findViewById(R.id.textView);
tv.setText(tv.getText() + "\n" + msg);
}
@Override
protected void onActivityResult(int requestCode, int resultCode, Intent data) {
if (requestCode == AUTH_REQUEST_CODE) {
if (resultCode == RESULT_OK) {
new GetAuthToken().execute(mAccount.name);
}
}
}
private class GetAuthToken extends AsyncTask<String, Void, String> {
@Override
protected String doInBackground(String... params) {
try {
// Retrieve a token for the given account and scope. It will always return either
// a non-empty String or throw an exception.
String email = params[0];
String token = GoogleAuthUtil.getToken(mActivity, email, SCOPE);
return token;
} catch (GooglePlayServicesAvailabilityException playEx) {
Dialog alert = GooglePlayServicesUtil.getErrorDialog(playEx.getConnectionStatusCode(), mActivity, AUTH_REQUEST_CODE);
return "error - Play Services needed " + playEx;
} catch (UserRecoverableAuthException userAuthEx) {
// Start the user recoverable action using the intent returned by
// getIntent()
mActivity.startActivityForResult(userAuthEx.getIntent(), AUTH_REQUEST_CODE);
return "error - Autorization needed " + userAuthEx;
} catch (IOException transientEx) {
// network or server error, the call is expected to succeed if you try again later.
// Don't attempt to call again immediately - the request is likely to
// fail, you'll hit quotas or back-off.
return "error - Network error " + transientEx;
} catch (GoogleAuthException authEx) {
// Failure. The call is not expected to ever succeed so it should not be
// retried.
return "error - Other auth error " + authEx;
}
}
@Override
protected void onPostExecute(String result) {
if (result.startsWith("error -")) {
log(result);
} else {
log("Obtained token : " + result);
new GetAuthedUserName().execute(result);
}
}
}
private class GetAuthedUserName extends AsyncTask<String, Void, String> {
@Override
protected String doInBackground(String... params) {
try {
String token = params[0];
URL url = new URL("https://myappid.appspot.com/api/user");
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
//conn.setRequestProperty("Authorization", "Bearer " + token);
conn.addRequestProperty("Authorization", "OAuth " + token);
InputStream istream = conn.getInputStream();
try {
BufferedReader reader = new BufferedReader(new InputStreamReader(istream));
String line;
StringBuilder sb = new StringBuilder();
while ((line = reader.readLine()) != null) {
sb.append(line);
}
return sb.toString();
} catch (IOException e) {
return "error - Unable to read from the connection";
}
} catch (MalformedURLException e) {
return "error - Malformed URL " + e;
} catch (IOException e) {
return "error - IO error " + e;
}
}
@Override
protected void onPostExecute(String result) {
if (result.startsWith("error -")) {
log(result);
} else {
log("Request result : " + result);
}
}
}
}
我可以使用我的浏览器来
https://myappid.appspot.com/api/signin
以John Doe登录,然后
https://myappid.appspot.com/api/user
我得到了
Hello, john.doe
太棒了,这正是我所期待的。
使用Android,我的所有尝试都产生了
Hello, None
正如您在Android代码中看到的那样,我使用GoogleAuthUtil来检索令牌,但我真的不明白我应该用它做什么。
String token = GoogleAuthUtil.getToken(mActivity, email, SCOPE);
然后我建立了请求:
URL url = new URL("https://myappid.appspot.com/api/user");
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
并添加“授权”标题:
conn.setRequestProperty("Authorization", "Bearer " + token);
我也尝试过:
conn.addRequestProperty("Authorization", "OAuth " + token);
Android或App Engine后端可能缺少某些东西,但我真的没有得到什么。 是否有一个API简化了这个?
浏览器似乎很简单......
TIA
答案 0 :(得分:8)
可以将访问令牌发送到您的Google App Engine应用程序(或任何其他Web应用程序)(作为持票人令牌,只需转发凭据即可)但Google App Engine不会自动识别“授权“标题并为您设置用户对象(这是端点可以帮助您的东西)。
您可以选择通过请求标头对象自行查找访问令牌:
access_token = self.request.headers['Authorization']
然后将其发送到Google API以验证其有效并获取有关该用户的信息(我认为这包括电子邮件,只要电子邮件是您最初要求获取访问令牌的范围)。
有关如何执行此操作的详细信息,请参阅Get user info via Google API。
您还应该检查是否已向您的应用程序发出访问令牌(https://www.googleapis.com/oauth2/v1/tokeninfo?access_token= {access_token} - 验证响应中的客户端ID) - 如果不这样做,那么另一个应用程序很容易用户的许可,以获取访问令牌以对您的私有API进行调用。
总而言之,另一种机制是从Android获取IDToken,并将其发送到您的Web应用程序 - 更多详细信息可以在这里找到: http://googledevelopers.blogspot.com/2013/05/cross-platform-sso-technology.html 和 https://developers.google.com/accounts/docs/CrossClientAuth
示例显示使用Google API Python客户端获取有关已颁发令牌的信息:
from apiclient.discovery import build
print build('oauth2', 'v1').tokeninfo(access_token=access_token).execute()
# Result
{
'issued_to': 'xxxxxx.apps.googleusercontent.com',
'user_id': 'yyyyyy',
'expires_in': 3457,
'access_type': 'online',
'audience': 'xxxxxx.apps.googleusercontent.com',
'scope': 'https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile',
'email': 'xxxxx@yyyyy.com',
'verified_email': True
}