我使用此方法获取id token:
GoogleSignInAccount acct = googleSignInResult.getSignInAccount();
String toekn_id = acct.getIdToken();
现在,如何验证服务器上ID令牌的完整性?
谷歌:
警告:不要在后端服务器上接受普通用户ID,例如您可以使用GoogleSignInAccount.getId()方法获得的用户ID。修改后的客户端应用程序可以向服务器发送任意用户ID以模拟用户,因此您必须使用可验证的ID令牌来安全地获取服务器端登录用户的用户ID。
答案 0 :(得分:3)
来自文档:https://developers.google.com/identity/sign-in/web/backend-auth#using-a-google-api-client-library
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
...
GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(transport, jsonFactory)
.setAudience(Arrays.asList(CLIENT_ID))
// If you retrieved the token on Android using the Play Services 8.3 API or newer, set
// the issuer to "https://accounts.google.com". Otherwise, set the issuer to
// "accounts.google.com". If you need to verify tokens from multiple sources, build
// a GoogleIdTokenVerifier for each issuer and try them both.
.setIssuer("https://accounts.google.com")
.build();
// (Receive idTokenString by HTTPS POST)
GoogleIdToken idToken = verifier.verify(idTokenString);
if (idToken != null) {
System.out.println("Valid ID token.");
} else {
System.out.println("Invalid ID token.");
}
要使用API,请将以下内容添加到build.gradle:
repositories {
mavenCentral()
}
dependencies {
compile 'com.google.api-client:google-api-client:1.20.0'
}