7

我的目标是为我的 android 应用程序构建简单的应用程序引擎后端。这个后端的目的只是为了验证 android 客户端调用,并提供密码,该密码将用于与我的服务器进行进一步的 https 通信。所以我开始根据这篇http://android-developers.blogspot.in/2013/01/verifying-back-end-calls-from-android.html文章。客户端看起来像:

GoogleAuthUtil.getToken(MainActivityy.this, "my.email@gmail.com", "audience:server:client_id:my_Client_ID_for_web_applications.apps.googleusercontent.com");

此方法返回如下所示的令牌:

eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiMWIyZTllNGU2NGE0MmIzM2U3YjMxMDQwNzUyMzIxYmVlMmJkYmEifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiZW1haWwiOiJtYXRvLnBldHJ1bGFrQGdtYWlsLmNvbSIsInZlcmlmaWVkX2VtYWlsIjoidHJ1ZSIsImVtYWlsX3ZlcmlmaWVkIjoidHJ1ZSIsImNpZCI6IjU0ODk4MTY3NzkzMC0xcGxxamF2OWloOGU4MGJ0ZWdpYzg0YmcycjlxN2MwMi5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImF6cCI6IjU0ODk4MTY3NzkzMC0xcGxxamF2OWloOGU4MGJ0ZWdpYzg0YmcycjlxN2MwMi5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImF1ZCI6IjU0ODk4MTY3NzkzMC5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImlkIjoiMTE4MTQ0NjEyNDkzMTM1NzYxOTUwIiwic3ViIjoiMTE4MTQ0NjEyNDkzMTM1NzYxOTUwIiwiaWF0IjoxMzY4NzExODk0LCJleHAiOjEzNjg3MTU3OTR9.oN5ncz6MEAZBW8NXDhc4O-Y82C2mma675lbw9ZZA-1bs8zM9FKQG1K97PfNfxJFImiPMY8UYIjhqDIkHpErjaV0KDJpLv8NkmsdADOFjt5eQkFGWf92fufL7QEIkWqLL1fKxG7f8-OR59O5AOAVchdgtqDt4DhEH7oHfAZqf3wU

现在我想在后端验证这个令牌。所以我使用谷歌插件为 eclpise 创建了新的 Web 应用程序项目。它会生成一些示例项目。在这个项目中,我从我上面提到的文章中添加了 Checker 类。看起来像这样:

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Logger;

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.gson.GsonFactory;

public class Checker {

private final List mClientIDs;
private final String mAudience;
private final GoogleIdTokenVerifier mVerifier;
private final JsonFactory mJFactory;
private String mProblem = "Verification failed. (Time-out?)";

private  Logger log ;

public Checker(String[] clientIDs, String audience) {
    mClientIDs = Arrays.asList(clientIDs);
    mAudience = audience;
    NetHttpTransport transport = new NetHttpTransport();
    mJFactory = new GsonFactory();
    mVerifier = new GoogleIdTokenVerifier(transport, mJFactory);
   log = Logger.getLogger(Checker.class.getName()); 
   log.severe("CHECKER CRETAED");
}

public GoogleIdToken.Payload check(String tokenString) {
    GoogleIdToken.Payload payload = null;
    log.severe("CHECK START");
    try {
        log.severe("CHECK 1");
        GoogleIdToken token = GoogleIdToken.parse(mJFactory, tokenString);
        log.severe("CHECK 2");
        if (mVerifier.verify(token)) {
            log.severe("CHECK 3");
            GoogleIdToken.Payload tempPayload = token.getPayload();
            log.severe("CHECK4");
            if (!tempPayload.getAudience().equals(mAudience)){
                mProblem = "Audience mismatch";
                log.severe("Audience mismatch");
            }
            else if (!mClientIDs.contains(tempPayload.getIssuee())){
                mProblem = "Client ID mismatch";
                log.severe("Client ID mismatch");
            }
            else{
                payload = tempPayload;
                log.severe(payload.getEmail().toString());
                log.severe("CHECK 5");
            }
        }
    } catch (GeneralSecurityException e) {
        log.severe("Security issue: " + e.getLocalizedMessage());
        mProblem = "Security issue: " + e.getLocalizedMessage();
    } catch (IOException e) {
        log.severe("Network problem: " + e.getLocalizedMessage());
        mProblem = "Network problem: " + e.getLocalizedMessage();
    }
    log.severe("CHECK END");
    return payload;
}

public String problem() {
    return mProblem;
}

}

现在我做这样的事情来验证 android 客户端提供的令牌。

String [] clinetidS  = new String [] {"xxxxxxxxxxxxx-plqjav9ih8e80btegic84bg2r9q7c02.apps.googleusercontent.com"};  //Client ID for installed applications
Checker checker = new Checker(clinetidS, "my_project_at_appspot.appspot.com");  
   checker.check("eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiMWIyZTllNGU2NGE0MmIzM2U3YjMxMDQwNzUyMzIxYmVlMmJkYmEifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiZW1haWwiOiJtYXRvLnBldHJ1bGFrQGdtYWlsLmNvbSIsInZlcmlmaWVkX2VtYWlsIjoidHJ1ZSIsImVtYWlsX3ZlcmlmaWVkIjoidHJ1ZSIsImNpZCI6IjU0ODk4MTY3NzkzMC0xcGxxamF2OWloOGU4MGJ0ZWdpYzg0YmcycjlxN2MwMi5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImF6cCI6IjU0ODk4MTY3NzkzMC0xcGxxamF2OWloOGU4MGJ0ZWdpYzg0YmcycjlxN2MwMi5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImF1ZCI6IjU0ODk4MTY3NzkzMC5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImlkIjoiMTE4MTQ0NjEyNDkzMTM1NzYxOTUwIiwic3ViIjoiMTE4MTQ0NjEyNDkzMTM1NzYxOTUwIiwiaWF0IjoxMzY4NzExODk0LCJleHAiOjEzNjg3MTU3OTR9.oN5ncz6MEAZBW8NXDhc4O-Y82C2mma675lbw9ZZA-1bs8zM9FKQG1K97PfNfxJFImiPMY8UYIjhqDIkHpErjaV0KDJpLv8NkmsdADOFjt5eQkFGWf92fufL7QEIkWqLL1fKxG7f8-OR59O5AOAVchdgtqDt4DhEH7oHfAZqf3wU");

现在的问题是 Checker 类从未通过此检查:

if (mVerifier.verify(token))

有什么方法可以在线检查android令牌吗?有任何想法吗??或者哪里有问题?

4

3 回答 3

8

您始终可以使用 curl 以交互方式检查令牌

curl https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=<your-id-token-here >

mVerifier.verify 的异常/问题是什么?

于 2013-05-21T17:38:47.067 回答
3

这是一个较老的问题,我想您已经找到了答案。但以防万一:单击此链接并向下滚动。基本上它告诉你下载并包含这个库并编写这段代码:

import java.io.IOException;
import java.security.GeneralSecurityException;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.gson.GsonFactory;

public class Checker {

private final List mClientIDs;
private final String mAudience;
private final GoogleIdTokenVerifier mVerifier;
private final JsonFactory mJFactory;
private String mProblem = "Verification failed. (Time-out?)";

public Checker(String[] clientIDs, String audience) {
    mClientIDs = Arrays.asList(clientIDs);
    mAudience = audience;
    NetHttpTransport transport = new NetHttpTransport();
    mJFactory = new GsonFactory();
    mVerifier = new GoogleIdTokenVerifier(transport, mJFactory);
}

public GoogleIdToken.Payload check(String tokenString) {
    GoogleIdToken.Payload payload = null;
    try {
        GoogleIdToken token = GoogleIdToken.parse(mJFactory, tokenString);
        if (mVerifier.verify(token)) {
            GoogleIdToken.Payload tempPayload = token.getPayload();
            if (!tempPayload.getAudience().equals(mAudience))
                mProblem = "Audience mismatch";
            else if (!mClientIDs.contains(tempPayload.getIssuee()))
                mProblem = "Client ID mismatch";
            else
                payload = tempPayload;
        }
    } catch (GeneralSecurityException e) {
        mProblem = "Security issue: " + e.getLocalizedMessage();
    } catch (IOException e) {
        mProblem = "Network problem: " + e.getLocalizedMessage();
    }
    return payload;
}

public String problem() {
    return mProblem;
}
}
于 2013-10-12T16:25:47.110 回答
0

她是一个有用的代码来检查来自谷歌的令牌的身份验证。我使用的是 Java EE,所以如果您使用的是普通 Java,它可能会略有不同:

public JsonObject authenticateFromToken(String token) {
       JsonObject jsonst = null;
        JsonReader p = null;
        try {
            p = Json.createReader(new URL("https://www.googleapis.com/oauth2/v1/tokeninfo?access_token="+token).openStream());
            jsonst = (JsonObject) p.read();
        } catch (FileNotFoundException e2) {
            e2.printStackTrace();
        } catch (MalformedURLException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }
        return jsonst;
    }

拥有 后JsonObject,您可以从中获取信息,如下所示:

jsonObject.getString("user_id");

或者

jsonObject.getString("email");

ETC...

于 2016-10-14T19:29:39.343 回答