I am following this guide to authenticate GET, POST and PUT requests to my backend. On my front end, users sign in with Google. Whenever they want to call the backend API they must send a header whose Authorization value is the token from the front end's Google User object (googleUser.getAuthResponse().id_token). My Flask app then makes sure that every request carries a valid token:
import json
import logging
from typing import Tuple, Union

from flask import Blueprint, Response, current_app, request
from google.auth.transport import requests
from google.oauth2 import id_token

BP = Blueprint("api", __name__)
OAUTH2_CLIENT_ID = "<your OAuth 2.0 web client ID>"  # placeholder, same client ID the front end signs in with


@BP.before_app_request
def default_login_required():
    # Skip static files and requests that matched no route.
    if not request.endpoint or request.endpoint.rsplit(".", 1)[-1] == "static":
        return
    view = current_app.view_functions[request.endpoint]
    # Views marked with login_exempt = True skip the token check.
    if getattr(view, "login_exempt", False):
        return
    valid, idinfo = token_verified(request.headers.get("Authorization"))
    if valid:
        return
    msg = json.dumps(idinfo)
    return Response(msg, mimetype="application/json", status=401)


def token_verified(token) -> Tuple[bool, Union[dict, str]]:
    if not token:
        return False, "User is not validated, missing Authorization header"
    try:
        # Verifies the RS256 signature against Google's published public keys
        # and checks exp and aud (the token must be issued for OAUTH2_CLIENT_ID).
        idinfo = id_token.verify_oauth2_token(
            token, requests.Request(), OAUTH2_CLIENT_ID
        )
        if idinfo["iss"] not in [
            "accounts.google.com",
            "https://accounts.google.com",
        ]:
            raise ValueError("Wrong issuer.")
        # If auth request is from a G Suite domain. The 'hd' claim is absent for
        # consumer accounts, so use .get() to return a 401 instead of raising KeyError.
        if idinfo.get("hd") != "mycompany.com":
            raise ValueError("Wrong hosted domain.")
        logging.info(f"User {idinfo['email']} validated")
        return True, idinfo
    except ValueError as e:
        msg = f"User is not validated, {str(e)}"
        logging.info(msg)
        return False, msg
However, I expected to use the client secret somewhere to validate this request. Is it not needed? Have I done the authorization correctly?
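The checks that make a Google ID token trustworthy without any client secret are the RS256 signature (verified against Google's public keys, which `verify_oauth2_token` fetches) and the claim checks that follow it. The added example below is not part of the question or of the google-auth library; it reproduces those claim checks (`aud` bound to the client ID, `iss`, `exp`) in a stand-alone function so the complete policy can be exercised offline, and adds the hosted-domain check from the question, handling the case where `hd` is missing. The function names, `CLIENT_ID` and all sample claim sets are constructed for illustration, and `check_id_token_claims` must only be called on claims whose signature has already been verified.

```python
"""Claim checks applied to a Google ID token after its signature has been
verified. Added example, not the questioner's or google-auth's code."""
import time
from typing import Dict, Optional, Tuple

CLIENT_ID = "1234567890-abc.apps.googleusercontent.com"  # assumed OAuth client ID
GOOGLE_ISSUERS = ("accounts.google.com", "https://accounts.google.com")


def extract_bearer_token(header_value: Optional[str]) -> Optional[str]:
    """Accept a bare token or 'Bearer <token>'; None for a missing or malformed header."""
    if not header_value:
        return None
    parts = header_value.strip().split()
    if len(parts) == 2 and parts[0].lower() == "bearer":
        return parts[1]
    if len(parts) == 1:
        return parts[0]
    return None


def check_id_token_claims(
    claims: Dict[str, object],
    client_id: str,
    hosted_domain: Optional[str] = None,
    now: Optional[float] = None,
) -> Tuple[bool, str]:
    """Return (ok, reason). Call only on claims whose RS256 signature was verified."""
    now = time.time() if now is None else now
    # aud: the token was minted for *our* client ID. Google's signature plus this
    # binding is what lets the backend trust the token without a client secret;
    # a valid token issued to some other app's client ID is rejected here.
    if claims.get("aud") != client_id:
        return False, "wrong audience"
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "wrong issuer"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or missing exp"
    if hosted_domain is not None:
        # 'hd' is absent for consumer accounts: treat missing the same as wrong,
        # via .get(), rather than letting a KeyError turn into an HTTP 500.
        if claims.get("hd") != hosted_domain:
            return False, "wrong or missing hosted domain"
    return True, "ok"


# Constructed sample claim sets (not real tokens) and a fixed clock for the demo.
SAMPLE_NOW = 1_700_000_000
SAMPLE_GOOD = {
    "iss": "https://accounts.google.com",
    "aud": CLIENT_ID,
    "sub": "110000000000000000001",
    "email": "alice@mycompany.com",
    "hd": "mycompany.com",
    "exp": SAMPLE_NOW + 3600,
}


def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Exercise the policy over the good token and the failure modes."""
    other_app = dict(SAMPLE_GOOD, aud="other-app.apps.googleusercontent.com")
    expired = dict(SAMPLE_GOOD, exp=SAMPLE_NOW - 1)
    consumer = {k: v for k, v in SAMPLE_GOOD.items() if k != "hd"}
    return {
        "good": check_id_token_claims(SAMPLE_GOOD, CLIENT_ID, "mycompany.com", SAMPLE_NOW),
        "other_app": check_id_token_claims(other_app, CLIENT_ID, "mycompany.com", SAMPLE_NOW),
        "expired": check_id_token_claims(expired, CLIENT_ID, "mycompany.com", SAMPLE_NOW),
        "consumer_account": check_id_token_claims(consumer, CLIENT_ID, "mycompany.com", SAMPLE_NOW),
        "consumer_no_hd_policy": check_id_token_claims(consumer, CLIENT_ID, None, SAMPLE_NOW),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The client secret has no role in this flow: it is only used when a backend exchanges an authorization code for tokens itself. Here the front end obtains the ID token directly from Google, and the backend's trust rests on the signature check plus the `aud` binding shown above; the `hd` check is the application's own authorization rule on top of that.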