Google始终返回过期的ID令牌(JWT)

时间:2016-05-21 12:54:20

标签: android google-oauth

根据https://developers.google.com/android/reference/com/google/android/gms/auth/api/signin/GoogleSignInApi.html#constant-summary

  

如果使用ID令牌到期时间来确定会话生存期,则应在每次API调用应用程序服务器之前调用silentSignIn来检索刷新的ID令牌。

我试图通过调用silentSignIn来获取新令牌。但是,我总是得到相同的过期ID令牌。有人可以帮我指出正确的文档,说明如何强制刷新以获取新令牌。我的代码没什么特别的。它与谷歌的样本几乎相同。

private void buildGoogleApiClient()
{
    // Configure sign-in to request the user's ID, email address, and basic profile. ID and
    // basic profile are included in DEFAULT_SIGN_IN.
    GoogleSignInOptions gso = new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
            //.requestServerAuthCode(serverClientId)
            .requestIdToken(SERVER_ID)
            .requestScopes(new Scope(Scopes.PLUS_LOGIN))
            .requestEmail()
            .build();

    // Build a GoogleApiClient with access to GoogleSignIn.API and the options above.
    mGoogleApiClient = new GoogleApiClient.Builder(this)
            .enableAutoManage(this, this)
            .addApi(Auth.GOOGLE_SIGN_IN_API, gso)
            .build();
} 

我按上述方式构建我的API,当用户点击使用google按钮登录时,我执行以下操作

OptionalPendingResult<GoogleSignInResult> opr = Auth.GoogleSignInApi.silentSignIn(mGoogleApiClient);
        if (opr.isDone())
        {
            // If the user's cached credentials are valid, the OptionalPendingResult will be "done"
            // and the GoogleSignInResult will be available instantly.
            Timber.d("Got cached sign-in");
            GoogleSignInResult result = opr.get();
            handleSignInResult(result);
        }
        else
        {
            // If the user has not previously signed in on this device or the sign-in has expired,
            // this asynchronous branch will attempt to sign in the user silently.  Cross-device
            // single sign-on will occur in this branch.
            Timber.d("Checking if user has already given access to this app on an other device.");
            showProgressDialog();
            opr.setResultCallback(new ResultCallback<GoogleSignInResult>()
            {
                @Override
                public void onResult(GoogleSignInResult googleSignInResult)
                {
                    hideProgressDialog();
                    handleSignInResult(googleSignInResult);
                }
            });
        }

handleSignInResult方法将id标记作为

GoogleSignInAccount acct = result.getSignInAccount();
String idToken = acct.getIdToken();
Timber.d(acct.getIdToken());

编辑1

我有另一个相关的问题。

我撤销https://security.google.com/settings/u/1/security/permissions的权限后,我仍然可以检索ID令牌(JWT)。我们假设此令牌已缓存,Android播放服务正在从本地副本提供此令牌。令牌过期后(60分钟),播放服务应与Google的服务联系以获取最新状态。但是,我没有看到这种情况发生。事实上,我注意到的另一件奇怪的事情就是我在大约一天左右之后调用silentSignIn()时,我得到了一个未经用户同意的新令牌。有人可以测试这个用例,让我知道输出。

如何确保用户在撤销时再次获得许可。

1 个答案:

答案 0 :(得分:1)

您需要使用startActivityForResult(),然后处理onActivityResult()中的登录结果,如Integrating Google Sign-In into Your Android App所述。然后,要验证令牌的真实性,请参阅Google针对Android的Google登录指南,了解如何Authenticate with a backend server

一种简单的方法是将令牌传递给Google tokeninfo端点 https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123其中XYZ123是您的令牌。