我已经在简化的身份流(https://developers.google.com/actions/identity/oauth2-assertion-flow)中实现了帐户链接
// Get the jwt token from the request
$token = $this->jwt->parse($body['assertion']);
if (null === Client::where('id', $body['client_id'])->where('secret', $body['client_secret'])->first()
&& (false === $this->verifySignature($token) || false === $this->validateData($token))
) {
return response()->json(
[
'error' => 'invalid_grant',
],
Http::UNAUTHORIZED
);
}
$sub = $token->getClaim('sub');
$email = $token->getClaim('email');
$scopes = explode(' ', $body['scope']);
// Check if the user exists in the database or not
$userId = User::findIdByGoogleIds($email, $sub);
\Log::debug($userId);
// If user doesn't exists and intent is get, ask google to send you the create intent with all user info.
if (null === $userId && 'get' === $body['intent']) {
\Log::debug('user not found, ask for a create request');
return response()->json(
[
'error' => 'user_not_found',
],
Http::UNAUTHORIZED
);
// If user doesn't exist and we are in intent create, let's create this user in our database.
} elseif (null === $userId && 'create' === $body['intent']) {
\Log::debug('user not found, create it');
// If user exists bug don't have the google profile associated.
if (null === ($user = User::findByMail($email))) {
$user = new User();
$user->password = Hash::make(str_random(8));
$user->email = $email;
$user->name = $token->getClaim('name');
$user->save();
//Generate a token for the user
static::generateToken($user, $scopes);
}
// Asssociate google profile that user
$profile = new GoogleProfile();
$profile->google_id = $sub;
$user->googleProfiles()->save($profile);
} elseif (null !== $userId) {
\Log::debug('google profile already existing');
$user = User::find($userId->id);
}
JWT令牌包含以下信息:
{
"sub": 1234567890, // The unique ID of the user's Google Account
"iss": "https://accounts.google.com", // The assertion's issuer
"aud": "123-abc.apps.googleusercontent.com", // Your server's client ID
"iat": 233366400, // Unix timestamp of the assertion's creation time
"exp": 233370000, // Unix timestamp of the assertion's expiration time
"name": "Jan Jansen",
"given_name": "Jan",
"family_name": "Jansen",
"email": "jan@gmail.com", // If present, the user's email address
"locale": "en_US"
}
我需要在用户的Google个人资料中填写该电话号码(如果有的话)。
所以我正在考虑使用google + api,所以我正在尝试:
$client = new \Google_Client();
$client->setClientId('my_client_id');
$client->setClientSecret('my_client_secret');
$client->setAccessToken($token->getPayload());
$plus = new Google_Service_Plus($client);
$test = $plus->people->get($sub);
client_id和密钥已在https://console.developers.google.com上创建
响应为:
{
"error": {
"errors": [
{
"domain": "global",
"reason": "authError",
"message": "Invalid Credentials",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Invalid Credentials"
}
}
{"exception":"[object] (Google_Service_Exception(code: 401): {
\"error\": {
\"errors\": [
{
\"domain\": \"global\",
\"reason\": \"authError\",
\"message\": \"Invalid Credentials\",
\"locationType\": \"header\",
\"location\": \"Authorization\"
}
],
\"code\": 401,
\"message\": \"Invalid Credentials\"
}
}
因此,据我了解,帐户链接是OAuth身份验证,因此它应该向我发送有效的令牌访问权限,我可以将其与google api一起使用。 但这告诉我该令牌无效。
我错过了一些东西吗,或者我没有很好地做到这一点? 我是否必须再次进行针对Google api的新身份验证?
答案 0 :(得分:3)
在做自己想做的事情时有很多问题。
首先,您在assertion中获得的令牌是身份令牌,而不是授权令牌。令牌本身不是授权您代表用户执行任何操作的不记名令牌。关于断言流程的指导原则指出,您应该验证令牌,然后使用它从sub字段中获取用户的唯一ID。您应该使用此ID来确定用户是否已在系统中进行身份验证,并使用该用户的Auth令牌和Refresh令牌。
第二,您可能不希望使用Google+ API,因为Google+ People object没有包含电话号码字段。如果是这样,并且如果您想使用“ me”参数来获取有关用户的私人信息,则在用户登录时,您将需要请求https://www.googleapis.com/auth/plus.login或https://www.googleapis.com/auth/plus.me身份验证范围。
相反,您可能要使用People API。 people object包含phone numbers,您可以使用get方法进行检索,但是有一些限制:
https://www.googleapis.com/auth/user.phonenumbers.read范围。