Question

我有一个用户数据库，我想让用户将他的网站帐户与他的谷歌帐户连接。我希望能够让用户使用他的谷歌帐户登录，也许以后可以与他的谷歌+帐户等进行互动。

用户已在网站上登录，只需按一下按钮即可启动此过程：

// user initiates the process
$('#google-connect').on(function() {
    gapi.auth.signIn({
        'callback': function(data) {
        if(data['status']['signed_in'])
            console.log("Signed in", data, gapi.auth.getToken());

            // just get some additional user's data
            gapi.client.load('oauth2', 'v2', function() {
                gapi.client.oauth2.userinfo.get().execute(function(resp) {
                    console.log("OAuth", resp);

                    data.userID = resp.id;

                    // tell server to add google account to user's account
                    $.post('/add/google', data, function(data) {
                        console.log("Connected", "data");
                    });
                });
            });
        },
        'clientid': GOOGLE_CLIENT_ID,
        'cookiepolicy': 'single_host_origin',
        'requestvisibleactions': 'http://schemas.google.com/AddActivity',
        'approvalprompt':'force',
        'scope': 'https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/userinfo.email'
        //'scope': 'https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/plus.me'
    });
    return false;
});
// load libs
(function() {
    var po = document.createElement('script');
    po.type = 'text/javascript'; po.async = true;
    po.src = 'https://apis.google.com/js/client:plusone.js';
    var s = document.getElementsByTagName('script')[0];
    s.parentNode.insertBefore(po, s);
})();

它基本上没有问题，但我不确定这是否安全以及如何从谷歌服务器验证答案。例如，Facebook登录返回“signedRequest”，我可以使用hash_hmac（php）运行验证来验证响应。

Google在我的gapi.auth.signIn（）请求中回答这个问题：

access_token: "ya29.KgDiGDMeEpOEFxoAAAD2dV1eldwT_ZCcr-ODNR_LBKWbam7bOwZ0pplZ33hG3A"
authuser: "0"
client_id: "...."
code: "4/iqLG-akrpp_BGWGGx2b_RAqTSj29.AuyFPmgozMATOl05ti8ZT3bxU6v2jAI"
cookie_policy: "single_host_origin"
expires_at: "1402232030"
expires_in: "3600"
g-oauth-window: Window
g_user_cookie_policy: "single_host_origin"
id_token: "eyJhbGciOiJSUzI1NiIsImtpZCI6IjgxNDBjNWYxYzlkMGM3MzhjMWI2MzI4NTI4ZjdhYjFmNjcyZjViYTAifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwic3ViIjoiMTExNTQ2NTQxNjExMzkyOTAzMTYzIiwiYXpwIjoiOTMyNjIxNDU0NTUxLThrNW8yOXY0djEyZmN2cG1tNWFqYXZsbW9ic2x1NzQwLmFwcHMuZ29vZ2xldXNlcmNvbnRlbnQuY29tIiwiZW1haWwiOiJtaXJ6YS5jd0BnbWFpbC5jb20iLCJhdF9oYXNoIjoiTUNERVJkZjJpaUo0eUZ4ZHU1RUdpUSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJhdWQiOiI5MzI2MjE0NTQ1NTEtOGs1bzI5djR2MTJmY3ZwbW01YWphdmxtb2JzbHU3NDAuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJjX2hhc2giOiJXMXY4UUhkUndLM3FQbGhMZE1XY1Z3IiwiaWF0IjoxNDAyMjI4MTMwLCJleHAiOjE0MDIyMzIwMzB9.Fil-uV6oFdeiRrO_vHFr5oVOnzVIfa2DvneDYaFF_eo3HOdOmD2wElD5UOjXxTLcNHtxyXg-zInyB9wDn1aQaZpYTSgG3Q-PN7oXcmUECyX5UJ7Aga0xgjAH6j57XBTx_BVdeiq1xLTPSMq9J2hZ1jGIkv-1qPedng7bRVGuRgQ"
issued_at: "1402228430"
num_sessions: "1"
prompt: "consent"
response_type: "code token id_token gsession"
scope: "https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/plus.moments.write https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/plus.profile.agerange.read https://www.googleapis.com/auth/plus.profile.language.read https://www.googleapis.com/auth/plus.circles.members.read https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/plus.profile.emails.read"
session_state: "14f90adcf0c130936b1545ec15dbd8fe1515b4dc..0c9b"
state: ""
status: Object
token_type: "Bearer"

我没有找到任何有关如何验证响应的信息。除了“id_token”之外没有任何签名或其他东西可能是某种签名。

有没有办法验证谷歌的答案，以确保信息是正确的，没有MITM？或者我只是担心太多？

Answer 1

是的，有：

您是否阅读过ID Token verification(PHP lib)？

我想，你可以在JavaScript中使用：

$.get("https://www.googleapis.com/oauth2/v1/tokeninfo",{
    "id_token" : authResult["id_token"]},function(data){
    //Handle data...
});

如何验证Google的auth gapi.auth.signIn响应？

1 个答案: