What is the actual preferred JavaScript method for letting my users sign in with Google?

Updated: 2024-10-26 14:38:53

Problem description


    I have been scrambling to convert my website (which was using a server-side, Go-based OpenID solution, which may or may not have been disabled by Google this past Monday) over to a Google JavaScript oauth library to enable my users to sign in with their Google account. I first reached out by asking a question here, and received several comments from people trying to help, but could get no definite answers. I then decided to just play it safe and convert to another method, which seemed to go well at first, but I now have some complaints from my users that they cannot get signed in, see my next question here.

    My problem now is that I have come across at least FOUR different sets of documentation for different api libraries, all on official Google sites, that all claim to tell me how to do this. In no particular order:

  • Google APIs Client Library for JavaScript (Beta)
  • Google+ Platform, with a Quick Start
  • Google Identity Platform
  • Google Sign-In for Websites
    I am now thoroughly confused as to what the actual "preferred" method might be, and am wondering if I am possibly using an outdated method that could be causing my problem? I am currently using the method used in the Quick Start guide from option #2 in my list above.

    Any insights would be greatly appreciated.

    Solution

    Short version: Use Google Sign-in for Websites. To migrate from OpenID2: developers.google/identity/sign-in/auth-migration#oid2

    If you must/strongly prefer to use standard OAuth2 directly: developers.google/identity/protocols/OpenID2Migration

    A basic integration with the Google Identity Platform Javascript API (Google Sign-In for Websites) on the client side looks something like this:

        <html lang="en">
          <head>
            <meta name="google-signin-scope" content="profile email">
            <meta name="google-signin-client_id" content="YOURCLIENTID.apps.googleusercontent.com">
            <script src="https://apis.google.com/js/platform.js" async defer></script>
          </head>
          <body>
            <div class="g-signin2" data-openidrealm="YOUR_REALM" data-onsuccess="onSignIn"></div>
            <script>
              function onSignIn(googleUser) {
                // Useful data for your client-side scripts:
                var profile = googleUser.getBasicProfile();
                // NB. don't send this directly to your server, as that is insecure.
                // Instead, send the full id_token, which your server can extract
                // the id from using the 'sub' value.
                console.log("ID: " + profile.getId());
                console.log("Name: " + profile.getName());
                console.log("Image URL: " + profile.getImageUrl());
                console.log("Email: " + profile.getEmail());

                // The ID token you need to pass to your backend:
                var id_token = googleUser.getAuthResponse().id_token;
                console.log("ID Token: " + id_token);
              }
            </script>
          </body>
        </html>

    The above logs the user in, and gives you their ID Token. You'll need to replace "YOURCLIENTID.apps.googleusercontent" with a client ID that you register in the Developers Console (Create a Project, then navigate to APIs & auth -> Credentials -> Create a new Client ID). Be sure to specify your production & development domain in the "Authorized JavaScript origins" list. Also replace "YOUR_REALM" in that sample with your previous OpenID 2.0 realm.

    Once you have an "id_token" you can authenticate with your backend. You do this by passing the "id_token" to your backend, then validating and decoding it with a JWT library. For OpenID Migration in particular, you'll need to map the "openid_id" value from the JWT to the new "sub" ID.

    Some sample code for id_token validation is here:

    • C# / .NET
    • Java
    • PHP
    • Python
    • Ruby

    For testing, you can decode an ID token using this tool to see the data it contains (it should contain openid_id as a claim).

    Regarding documentation: For Sign In the preferred approach is Google Sign-in for Websites (#4). It implements the simplest and best-updated API for Sign In.

    Under the hood, Google Sign In is an implementation of OAuth2/OpenIDConnect. Link #3 above describes using this standard flow, with full-page redirect. It is a supported flow, but as noted on the link, Google Sign-in for Websites is preferred where possible.

    Google APIs Client Library (#1) uses OAuth under the hood. Its sample code describes an old, legacy authentication model and should be updated. We will do that shortly; thanks for raising attention.

    Finally, with the recent launch of Google Sign-in for Websites, the Google+ Platform API (#2) is no longer the preferred approach for Sign In. We are updating docs for this soon as well to avoid future confusion.
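
The backend step the answer describes (validate the `id_token`, then map `openid_id` to `sub`), sketched here as an added example that is not part of the original answer or Google's sample code. It assumes Node.js; a locally generated RSA key stands in for Google's published signing key, and the function names and the `googleSub` / `openid2Id` user fields are hypothetical.

```javascript
// Added example: verify a Google ID token server-side (Node.js, built-in crypto only).
const crypto = require('crypto');

const CLIENT_ID = 'YOURCLIENTID.apps.googleusercontent.com'; // placeholder from the page
const ISSUERS = ['accounts.google.com', 'https://accounts.google.com'];
const b64url = (data) => Buffer.from(data).toString('base64url');
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Check the signature first, then the claims; throws on any failure.
function verifyIdToken(token, publicKey, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [head, body, sig] = parts;
  if (decode(head).alg !== 'RS256') throw new Error('unexpected alg'); // pin the algorithm
  const signed = Buffer.from(`${head}.${body}`);
  if (!crypto.verify('RSA-SHA256', signed, publicKey, Buffer.from(sig, 'base64url'))) {
    throw new Error('bad signature');
  }
  const claims = decode(body);
  if (!ISSUERS.includes(claims.iss)) throw new Error('bad iss');
  if (claims.aud !== CLIENT_ID) throw new Error('bad aud'); // token minted for another app
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  return claims;
}

// OpenID 2.0 migration: look up by sub, else by legacy openid_id and store the sub.
function resolveAccount(claims, users) {
  let user = users.find((u) => u.googleSub === claims.sub);
  if (!user && claims.openid_id) {
    user = users.find((u) => u.openid2Id === claims.openid_id);
    if (user) user.googleSub = claims.sub; // one-time link of the old identity to the new ID
  }
  return user || null;
}

// Constructed fixture: a local RSA key stands in for Google's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function signToken(claims) {
  const input = `${b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${b64url(crypto.sign('RSA-SHA256', Buffer.from(input), privateKey))}`;
}

// Constructed sample user and token (values are not real identifiers).
const users = [{ name: 'alice', openid2Id: 'https://www.google.com/accounts/o8/id?id=CONSTRUCTED' }];
const token = signToken({ iss: 'accounts.google.com', aud: CLIENT_ID, sub: '1234567890',
  openid_id: users[0].openid2Id, exp: Math.floor(Date.now() / 1000) + 300 });
console.log(resolveAccount(verifyIdToken(token, publicKey), users));
```

In a real deployment the public key is the one from Google's published key set that matches the token header's `kid`, which is what the JWT libraries the answer mentions handle for you.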

    Published: 2023-11-02 14:01:50