Does gapi.auth.authorize validate the OAuth2 token?

Time: 2015-08-18 23:45:28

Tags: oauth-2.0 google-drive-api google-client

I understand that tokens received via...

https://accounts.google.com/o/oauth2/auth

...should be validated before use, to prevent the confused deputy problem, with a call like the following:

https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=1/fFBGRNJru1FQd44AzqT3Zg

...as Google specifies here: Validating the token

However, if the token comes from the gapi.auth API, i.e.:

gapi.auth.authorize({
    "client_id": CONST.CLIENT_ID,
    "scope": OAuthScopes,
    "immediate": true,
    "include_granted_scopes": true
}, handleAuthResult);

function handleAuthResult(authResult) {
    if (authResult && !authResult.error) {
        theAccessToken = authResult.access_token;
    }
}

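...has the validation step already been done? I cannot find any Google documentation that states this explicitly, and since this is a security risk, it would be best to get it from a reliable source.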

0 answers:

No answers
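
The tokeninfo check the question describes, written out as an added example (not part of the original question and not Google's code): it accepts a token only if the tokeninfo response names this app's client ID as the audience, is unexpired, and carries the required scopes. The response field names (`audience`, `scope`, `expires_in`, `error`) are assumed to match Google's tokeninfo documentation; the client ID, scope choice and sample responses are constructed.

```javascript
// Added example. EXPECTED_CLIENT_ID and the sample responses below are constructed.
const TOKENINFO_URL = "https://www.googleapis.com/oauth2/v1/tokeninfo";

// Decide whether a parsed tokeninfo response describes a token issued to *this* app.
// Assumed response fields: audience, scope (space-separated), expires_in (seconds), error.
function checkTokenInfo(info, expectedClientId, requiredScopes = []) {
  if (!info || typeof info !== "object") return { ok: false, reason: "malformed response" };
  if (info.error) return { ok: false, reason: "endpoint rejected token: " + info.error };
  // Confused-deputy check: the token must have been issued to our client ID.
  if (typeof info.audience !== "string" || info.audience !== expectedClientId) {
    return { ok: false, reason: "audience mismatch" };
  }
  const expiresIn = Number(info.expires_in);
  if (!Number.isFinite(expiresIn) || expiresIn <= 0) return { ok: false, reason: "token expired" };
  const granted = new Set(String(info.scope || "").split(/\s+/).filter(Boolean));
  const missing = requiredScopes.filter((s) => !granted.has(s));
  if (missing.length > 0) return { ok: false, reason: "missing scope: " + missing.join(" ") };
  return { ok: true, reason: "audience, expiry and scopes verified" };
}

// Network wrapper (not exercised offline): fetch tokeninfo, then apply the checks above.
async function validateAccessToken(accessToken, expectedClientId, requiredScopes) {
  const resp = await fetch(TOKENINFO_URL + "?access_token=" + encodeURIComponent(accessToken));
  let info = null;
  try { info = await resp.json(); } catch (e) { /* non-JSON body is treated as malformed */ }
  return checkTokenInfo(info, expectedClientId, requiredScopes);
}

// Constructed sample data for an offline run.
const EXPECTED_CLIENT_ID = "1234567890-example.apps.googleusercontent.com";
const DRIVE_SCOPE = "https://www.googleapis.com/auth/drive.file";
const samples = {
  ours: { audience: EXPECTED_CLIENT_ID, scope: DRIVE_SCOPE + " email", expires_in: 3540 },
  otherApp: { audience: "999-other.apps.googleusercontent.com", scope: DRIVE_SCOPE, expires_in: 3540 },
  invalid: { error: "invalid_token" },
};
for (const [name, info] of Object.entries(samples)) {
  console.log(name, checkTokenInfo(info, EXPECTED_CLIENT_ID, [DRIVE_SCOPE]));
}
```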