"error_description": "Invalid Value" every time for the token from Google Sign-In using Flutter

Posted: 2018-07-13 07:55:14

Tags: dart flutter

I am new to this and trying to get an authentication token from Google for my backend server, but every time the token is invalid.

I am using FirebaseUser user and await user.getIdToken(), which gives me a token, but when I try to verify that token with the backend server, and also with https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=mytoken and https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=mytoken, it gives me "error_description": "Invalid Value".

I am not sure whether await user.getIdToken() is the right method to get the token. Everything else works fine; I get all the user information except a correct token. Please let me know of another way.

Below is my code:

import 'dart:convert';
import 'dart:io';

import 'package:firebase_auth/firebase_auth.dart';
import 'package:flutter/material.dart';
import 'package:google_sign_in/google_sign_in.dart';
import 'package:http/http.dart' as http;

// `storedToken`, `facebookloginButton` and `HomeScreen` are defined
// elsewhere in the app and were not included in the question.

class LoginScreen extends StatefulWidget {
  @override
  _LoginScreenState createState() => new _LoginScreenState();
}

class _LoginScreenState extends State<LoginScreen> {
  final FirebaseAuth auth = FirebaseAuth.instance;
  final GoogleSignIn googleSignIn = new GoogleSignIn();

  // POSTs the token to the backend's social-login endpoint.
  // Note: the endpoint is plain http, so the token crosses the network in
  // cleartext and anyone on the path can capture and replay it.
  Future<http.Response> socialLogin(String authToken) async {
    var url = "http://api.ourdomain.com/user/social/login/google";
    final response = await http.post(Uri.parse(url),
        body: json.encode({"auth_token": authToken}),
        headers: {HttpHeaders.contentTypeHeader: "application/json"});
    return response;
  }

  // Google Sign-In, then exchange the Google credentials for a Firebase
  // user (firebase_auth API of the time).
  Future<FirebaseUser> googleSignin() async {
    final GoogleSignInAccount googleSignInAccount =
        await googleSignIn.signIn();

    // Holds the Google-issued idToken and accessToken.
    final GoogleSignInAuthentication googleSignInAuthentication =
        await googleSignInAccount.authentication;

    final FirebaseUser firebaseUser = await auth.signInWithGoogle(
        accessToken: googleSignInAuthentication.accessToken,
        idToken: googleSignInAuthentication.idToken);
    return firebaseUser;
  }

  @override
  Widget build(BuildContext context) {
    final logo = Hero(
      tag: 'hero',
      child: CircleAvatar(
        backgroundColor: Colors.transparent,
        radius: 48.0,
        child: Image.asset('assets/logo.png'),
      ),
    );

    final googleloginButton = Padding(
      padding: EdgeInsets.symmetric(vertical: 5.0),
      child: Material(
        borderRadius: BorderRadius.circular(30.0),
        //  shadowColor: Colors.lightBlueAccent.shade100,
        // elevation: 5.0,
        child: MaterialButton(
          minWidth: 200.0,
          height: 42.0,
          onPressed: () async {
            FirebaseUser user = await googleSignin();
            // This is the Firebase ID token, not the Google Sign-In idToken.
            String idToken = await user.getIdToken();
            if (idToken != null) {
              final http.Response response = await socialLogin(idToken);
              if (response.statusCode == 200) {
                var authToken = json.decode(response.body)['token'];
                if (authToken != null) {
                  storedToken(authToken);
                }
              } else {
                print("Response status: " + response.statusCode.toString());
                print("Response body: " + response.body);
                print("error while request");
              }
            } else {
              print("in else part not get token id from google");
            }
            // Navigates to HomeScreen whether or not the backend accepted
            // the token.
            Navigator.push(
              context,
              MaterialPageRoute(
                builder: (context) => HomeScreen(),
              ),
            );
          },
          color: Colors.red,
          child: Row(
            mainAxisAlignment: MainAxisAlignment.center,
            mainAxisSize: MainAxisSize.min,
            children: <Widget>[
              Icon(
                Icons.bug_report,
                color: Colors.white,
              ),
              Text('Connect with Google',
                  style: TextStyle(color: Colors.white)),
            ],
          ),
        ),
      ),
    );

    return Scaffold(
      backgroundColor: Colors.white,
      appBar: new AppBar(
        centerTitle: true,
        title: new Text("Login"),
      ),
      body: Center(
        child: ListView(
          shrinkWrap: true,
          padding: EdgeInsets.only(left: 24.0, right: 24.0),
          children: <Widget>[
            // logo,
            googleloginButton,
            facebookloginButton,
          ],
        ),
      ),
    );
  }
}

Please help me.

1 answer:

Answer 0 (score: 0)

For backend server-side validation you must use a verifiable ID token to securely obtain the user ID of the signed-in user on the server side. Reference: https://developers.google.com/identity/sign-in/web/backend-auth

It seems the current Google Sign-In plugin does not support getting an auth code for backend server-side OAuth verification. Reference: https://github.com/flutter/flutter/issues/16613

I think firebaseUser.getIdToken() cannot be used with the Google APIs.

For https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=mytoken you probably need to pass googleSignInAuthentication.idToken.

For https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=mytoken you probably need to pass googleSignInAuthentication.accessToken.

Getting user information such as the user ID and passing it to the backend server is vulnerable to attackers. You should verify the idToken on the backend server side with a Google API client library.
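The answer's two points, that the client is sending the wrong kind of token and that the backend must verify it rather than trust a user ID, can be shown with a small backend-side check. What follows is an added example written for this page, not code from the question, the answer, or the Flutter plugins it discusses. It is in Python because that is where a backend would run it. The issuer strings are Google's documented ones (Firebase ID tokens are issued by `https://securetoken.google.com/<project-id>` with the project ID as audience; Google Sign-In ID tokens by `accounts.google.com` or `https://accounts.google.com` with the OAuth client ID as audience). Everything else is an assumption for an offline run: the client ID, project ID, key ID, the `sub`/`email` claim values, and above all the HMAC secret, which stands in for Google's RS256 public keys only so the demo needs no network. A real backend replaces `DEMO_KEYS` with keys fetched from Google's JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# A Firebase ID token (user.getIdToken()) and a Google Sign-In ID token
# (googleSignInAuthentication.idToken) are both JWTs but have different
# issuers and audiences; the tokeninfo endpoint only knows the second kind.
GOOGLE_ISSUERS = frozenset({"accounts.google.com", "https://accounts.google.com"})
FIREBASE_ISSUER_PREFIX = "https://securetoken.google.com/"

OAUTH_CLIENT_ID = "1234567890-abc.apps.googleusercontent.com"  # assumed
FIREBASE_PROJECT_ID = "demo-project"                             # assumed
DEMO_KID = "demo-key-1"                                          # assumed
DEMO_HMAC_SECRET = b"offline-demo-secret-not-a-real-key"         # constructed
DEMO_NOW = 1_531_440_000  # 2018-07-13T00:00:00Z, about the question's date


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def classify_token(token: str) -> str:
    """Diagnostic only: read the UNVERIFIED payload and report the claimed
    issuer. Never make a trust decision from this result."""
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except (IndexError, ValueError):
        return "not-a-jwt"
    iss = str(payload.get("iss", ""))
    if iss in GOOGLE_ISSUERS:
        return "google-signin"
    if iss.startswith(FIREBASE_ISSUER_PREFIX):
        return "firebase"
    return "unknown"


def verify_id_token(token, expected_aud, expected_issuers, keys, now=None, leeway=60):
    """Verify signature, issuer, audience and lifetime; return the payload.
    `keys` maps kid -> (alg, verify_fn(signing_input, signature) -> bool). In
    production it is built from Google's JWKS; here it holds the demo key."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    entry = keys.get(header.get("kid"))
    if entry is None:
        raise ValueError("unknown key id")
    alg, verify_fn = entry
    # Pin the algorithm to the key we hold; the token's alg header may only
    # agree with it (blocks alg=none and RS256 -> HS256 key confusion).
    if header.get("alg") != alg:
        raise ValueError("algorithm mismatch")
    if not verify_fn(f"{h_b64}.{p_b64}".encode("ascii"), _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p_b64))
    now = time.time() if now is None else now
    if payload.get("iss") not in expected_issuers:
        raise ValueError(f"unexpected issuer {payload.get('iss')!r}")
    aud = payload.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now - leeway:
        raise ValueError("token expired or has no exp")
    if not payload.get("sub"):
        raise ValueError("no subject")
    return payload


def _hmac_sha256_verify(signing_input: bytes, signature: bytes) -> bool:
    expected = hmac.new(DEMO_HMAC_SECRET, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


# Stand-in for the key set a backend loads from Google's JWKS.
DEMO_KEYS = {DEMO_KID: ("HS256", _hmac_sha256_verify)}


def make_demo_token(payload: dict, alg: str = "HS256") -> str:
    """Mint a demo token; a backend never does this, only the demo needs it."""
    header = {"alg": alg, "typ": "JWT", "kid": DEMO_KID}
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = b""
    if alg == "HS256":
        sig = hmac.new(DEMO_HMAC_SECRET, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def demo_tokens(now: int = DEMO_NOW) -> dict:
    """Two constructed tokens shaped like the ones the Flutter client holds."""
    common = {"sub": "110169484474386276334", "email": "user@example.com",
              "email_verified": True, "iat": now, "exp": now + 3600}
    firebase = {**common, "iss": FIREBASE_ISSUER_PREFIX + FIREBASE_PROJECT_ID,
                "aud": FIREBASE_PROJECT_ID}
    google = {**common, "iss": "https://accounts.google.com",
              "aud": OAUTH_CLIENT_ID, "azp": OAUTH_CLIENT_ID}
    return {"firebase": make_demo_token(firebase), "google": make_demo_token(google)}
```

Running `classify_token` on the two `demo_tokens()` reports `firebase` and `google-signin`; `verify_id_token(tokens["google"], OAUTH_CLIENT_ID, GOOGLE_ISSUERS, DEMO_KEYS)` returns the payload, while the Firebase-shaped token is rejected on its issuer, which is the situation the question describes. On a real backend the expected audience is the OAuth client ID of the server/web client the Flutter app was configured with, and the key set comes from https://www.googleapis.com/oauth2/v3/certs; the google-auth library's `google.oauth2.id_token.verify_oauth2_token(token, google.auth.transport.requests.Request(), OAUTH_CLIENT_ID)` performs the same checks against those keys. The Flutter client should then send `googleSignInAuthentication.idToken` to that endpoint. If the backend is meant to accept Firebase tokens instead, it should verify them with the Firebase Admin SDK against the project ID rather than treating them as Google Sign-In tokens.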