Google+登录 - 服务器端流程 - Python - Google App Engine

时间:2014-04-07 13:12:43

标签: python google-app-engine oauth-2.0 google-plus

我正在使用Flask在Google App Engine上构建应用。我正在https://developers.google.com/+/web/signin/server-side-flow中描述的服务器端流程中实施Google+登录。在切换到App Engine之前,我的流程非常相似。也许从那以后我引入了一个错误。或者这可能是我在App Engine中实现的问题。

我相信Google登录流程重定向的网址应该设置GET参数" gplus_id"但是,我没有收到此参数。

我有一个由以下人员创建的登录按钮:

(function() {
  var po = document.createElement('script');
  po.type = 'text/javascript'; po.async = true;
  po.src = 'https://plus.google.com/js/client:plusone.js?onload=render';
  var s = document.getElementsByTagName('script')[0];
  s.parentNode.insertBefore(po, s);
})();

function render() {
  gapi.signin.render('gplusBtn', {
    'callback': 'onSignInCallback',
    'clientid': '{{ CLIENT_ID }}',
    'cookiepolicy': 'single_host_origin',
    'requestvisibleactions': 'http://schemas.google.com/AddActivity',
    'scope': 'https://www.googleapis.com/auth/plus.login',
    'accesstype': 'offline',
    'width': 'iconOnly'
  });
}

在页面的javascript代码中,我有一个启动流程的功能:

var helper = (function() {
  var authResult = undefined;

  return {
    onSignInCallback: function(authResult) {
      if (authResult['access_token']) {
        // The user is signed in
        this.authResult = authResult;
        helper.connectServer();
      } else if (authResult['error']) {
        // There was an error, which means the user is not signed in.
        // As an example, you can troubleshoot by writing to the console:
        console.log('GPlus: There was an error: ' + authResult['error']);
      }
      console.log('authResult', authResult);
    },
    connectServer: function() {
      $.ajax({
        type: 'POST',
        url: window.location.protocol + '//' + window.location.host + '/connect?state={{ STATE }}',
        contentType: 'application/octet-stream; charset=utf-8',
        success: function(result) {
          // After we load the Google+ API, send login data.
          gapi.client.load('plus','v1',helper.otherLogin);
        },
        processData: false,
        data: this.authResult.code,
        error: function(e) {
          console.log("connectServer: error: ", e);
        }
      });
    }
  }
})();

/**
 * Calls the helper method that handles the authentication flow.
 *
 * @param {Object} authResult An Object which contains the access token and
 *   other authentication information.
 */
function onSignInCallback(authResult) {
  helper.onSignInCallback(authResult);
}

这将启动" / connect" (参见the above doc中引用的第8步):

@app.route('/connect', methods=['GET', 'POST'])
def connect():
    # Ensure that this is no request forgery going on, and that the user
    # sending us this connect request is the user that was supposed to.
    if request.args.get('state', '') != session.get('state', ''):
        response = make_response(json.dumps('Invalid state parameter.'), 401)
        response.headers['Content-Type'] = 'application/json'
        return response

    # Normally the state would be a one-time use token, however in our
    # simple case, we want a user to be able to connect and disconnect
    # without reloading the page.  Thus, for demonstration, we don't
    # implement this best practice.
    session.pop('state')

    gplus_id = request.args.get('gplus_id')
    code = request.data

    try:
        # Upgrade the authorization code into a credentials object
        oauth_flow = client.flow_from_clientsecrets('client_secrets.json', scope='')
        oauth_flow.redirect_uri = 'postmessage'
        credentials = oauth_flow.step2_exchange(code)
    except client.FlowExchangeError:
        app.logger.debug("connect: Failed to upgrade the authorization code")
        response = make_response(
            json.dumps('Failed to upgrade the authorization code.'), 401)
        response.headers['Content-Type'] = 'application/json'
        return response

    # Check that the access token is valid.
    access_token = credentials.access_token
    url = ('https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=%s'
           % access_token)
    h = httplib2.Http()
    result = json.loads(h.request(url, 'GET')[1])
    # If there was an error in the access token info, abort.
    if result.get('error') is not None:
        response = make_response(json.dumps(result.get('error')), 500)
        response.headers['Content-Type'] = 'application/json'
        return response
    # Verify that the access token is used for the intended user.
    if result['user_id'] != gplus_id:
        response = make_response(
            json.dumps("Token's user ID doesn't match given user ID."), 401)
        response.headers['Content-Type'] = 'application/json'
        return response
    ...

但是,流程在if result['user_id'] != gplus_id:处停止,说"令牌的用户ID与给定的用户ID不匹配。"。 result['user_id']是有效的用户ID,但gplus_id为无。

gplus_id = request.args.get('gplus_id')期望GET参数包含' gplus_id',但它们只包含' state'。这是我的javascript connectServer函数的问题吗?我应该包括' gplus_id'那里?当然,我当时并不知道。或其他什么?

1 个答案:

答案 0 :(得分:6)

this question类似,我认为这是一个不完整/不是最新/不一致的文档的问题。

https://developers.google.com/+/web/signin/server-side-flow建议在GET参数中返回gplus_id,但我所使用的流程并非如此。

我在https://github.com/googleplus/gplus-quickstart-python/blob/master/signin.py找到了答案,其中包含以下代码段:

# An ID Token is a cryptographically-signed JSON object encoded in base 64.
# Normally, it is critical that you validate an ID Token before you use it,
# but since you are communicating directly with Google over an
# intermediary-free HTTPS channel and using your Client Secret to
# authenticate yourself to Google, you can be confident that the token you
# receive really comes from Google and is valid. If your server passes the
# ID Token to other components of your app, it is extremely important that
# the other components validate the token before using it.
gplus_id = credentials.id_token['sub']
相关问题
最新问题