Authentication of G+ users on the server side, after logging in on the client side

I'm trying to set up a Login button with Google, which will allow people to buy things on my website.

Client-side validation looks pretty simple, but I'm trying to understand how server-side authentication works. In the sample code, they transmit a "code" from the client side to the server, where it can be exchanged for an access token, which can then be used to view the user's friends list.

But I do not want to see the user's friend list. I just want to make sure that the client is actually what they call themselves.

After retrieving the token, the example code places the token in the session and apparently uses the presence of the token to authenticate the user. Is this correct / safe? Should my server re-check the token in some way (how?), or not, when it is time to make a purchase? Do I have to constantly check the token with Google for every request? (I hope not?)

+5
1 answer

[Answer text lost in extraction; only fragments survive: "Google Commerce", "OAuth2 v2", "Google+", "HTML/JS", "userId" ("me").]

var request = gapi.client.plus.people.get( {'userId' : 'me'} );
request.execute( function(profile) {
  $('#profile').empty();
  if (profile.error) {
    $('#profile').append(profile.error);
    return;
  }
  helper.connectServer(profile.id);
  $('#profile').append(
      $('<p><img src=\"' + profile.image.url + '\"></p>'));
  $('#profile').append(
      $('<p>Hello ' + profile.displayName + '!<br />Tagline: ' +
      profile.tagline + '<br />About: ' + profile.aboutMe + '</p>'));
  if (profile.cover && profile.coverPhoto) {
    $('#profile').append(
        $('<p><img src=\"' + profile.cover.coverPhoto.url + '\"></p>'));
  }
});

[Text lost in extraction; surviving fragment: "Google+".]

connectServer: function(gplusId) {
  console.log(this.authResult.code);
  $.ajax({
    type: 'POST',
    url: window.location.href + '/connect?state={{ STATE }}&gplus_id=' +
        gplusId,
    contentType: 'application/octet-stream; charset=utf-8',
    success: function(result) {
      console.log(result);
      helper.people();
    },
    processData: false,
    data: this.authResult.code
  });
}

[Text lost in extraction; surviving fragment: "Java".]

// Fragment of the /connect route handler. The code that exchanges the
// one-time authorization code for tokenResponse / credential precedes
// this block inside the same try.
try {
  // Check that the token is valid.
  Oauth2 oauth2 = new Oauth2.Builder(
      TRANSPORT, JSON_FACTORY, credential).build();
  Tokeninfo tokenInfo = oauth2.tokeninfo()
      .setAccessToken(credential.getAccessToken()).execute();
  // If there was an error in the token info, abort.
  if (tokenInfo.containsKey("error")) {
    response.status(401);
    return GSON.toJson(tokenInfo.get("error").toString());
  }
  // Make sure the token we got is for the intended user.
  if (!tokenInfo.getUserId().equals(gPlusId)) {
    response.status(401);
    return GSON.toJson("Token user ID doesn't match given user ID.");
  }
  // Make sure the token we got is for our app.
  if (!tokenInfo.getIssuedTo().equals(CLIENT_ID)) {
    response.status(401);
    return GSON.toJson("Token client ID does not match app's.");
  }
  // Store the token in the session for later use.
  request.session().attribute("token", tokenResponse.toString());
  return GSON.toJson("Successfully connected user.");
} catch (TokenResponseException e) {
  response.status(500);
  return GSON.toJson("Failed to upgrade the authorization code.");
} catch (IOException e) {
  response.status(500);
  return GSON.toJson("Failed to read token data from Google. " +
      e.getMessage());
}

[Text lost in extraction; surviving fragment: "ClientID Google API".]

+2
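As an added example (not part of the answer above and not Google's sample code), here is the server side of the /connect request in Python, so the checks can be run offline: the state parameter is compared with the value the server put in the session, the tokeninfo result gets the same three checks as the Java snippet (error, user_id, issued_to) plus an expiry check, and only a verified identity is stored in the session. Later requests, such as a purchase, rely on that session rather than on asking Google again. The field names follow the Google OAuth2 v2 tokeninfo response; the HTTP call to Google is replaced by constructed sample responses, the session is a plain dict, and CLIENT_ID and USER_ID are constructed placeholders.

```python
# Constructed placeholder values, not real identifiers.
CLIENT_ID = "000000000000.apps.googleusercontent.com"
USER_ID = "100000000000000000001"

# Constructed sample of a v2 tokeninfo response for a good token.
GOOD_TOKENINFO = {
    "issued_to": CLIENT_ID,
    "audience": CLIENT_ID,
    "user_id": USER_ID,
    "scope": "https://www.googleapis.com/auth/plus.login",
    "expires_in": 3598,
}

# Same user, but the token was issued to a different application.
OTHER_APP = "999999999999.apps.googleusercontent.com"
FOREIGN_APP_TOKENINFO = dict(GOOD_TOKENINFO, issued_to=OTHER_APP, audience=OTHER_APP)

# What tokeninfo returns for a malformed or revoked token.
ERROR_TOKENINFO = {"error": "invalid_token", "error_description": "Invalid Value"}


def validate_tokeninfo(tokeninfo, expected_user_id, expected_client_id):
    """The three checks from the Java snippet, plus an expiry check.

    Returns (ok, reason); ok is False on the first failing check.
    """
    if "error" in tokeninfo:
        return False, "tokeninfo error: %s" % tokeninfo["error"]
    # The token must belong to the user the client claims to be ...
    if tokeninfo.get("user_id") != expected_user_id:
        return False, "token user ID doesn't match given user ID"
    # ... and must have been issued to this application, not to another
    # app the same user happens to have authorized.
    if tokeninfo.get("issued_to") != expected_client_id:
        return False, "token client ID does not match app's"
    if int(tokeninfo.get("expires_in", 0)) <= 0:
        return False, "token has expired"
    return True, "ok"


def handle_connect(session, state, gplus_id, tokeninfo, client_id=CLIENT_ID):
    """Server side of POST /connect?state=...&gplus_id=...

    `session` is a dict standing in for the server-side session. The state
    value must equal the one the server generated when it rendered the page
    (the {{ STATE }} template value), so a forged cross-site POST cannot
    connect an account to a session it did not originate from.
    """
    if not state or state != session.get("state"):
        return 401, "invalid state parameter"
    ok, reason = validate_tokeninfo(tokeninfo, gplus_id, client_id)
    if not ok:
        return 401, reason
    # Only the verified identity is stored; later requests trust the session
    # instead of calling Google on every request.
    session["gplus_id"] = gplus_id
    return 200, "successfully connected user"


def handle_purchase(session):
    """A later request (e.g. a purchase): authorization comes from the
    session the server populated after verification, never from the client."""
    if "gplus_id" not in session:
        return 401, "not connected"
    return 200, "purchase allowed for user %s" % session["gplus_id"]


if __name__ == "__main__":
    session = {"state": "server-generated-random-state"}  # constructed
    print(handle_purchase(session))                                    # 401 before connect
    print(handle_connect(session, "wrong-state", USER_ID, GOOD_TOKENINFO))
    print(handle_connect(session, session["state"], USER_ID, FOREIGN_APP_TOKENINFO))
    print(handle_connect(session, session["state"], USER_ID, GOOD_TOKENINFO))
    print(handle_purchase(session))                                    # 200 after connect
```

The session entry is the thing to protect from here on: it should be created server-side, bound to a cookie the client cannot forge, and the access token itself only needs to be re-validated with Google if the server intends to call a Google API with it.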
