How can I verify a Google authentication API access token?

Front-end · Unresolved · 10 · 489
长发绾君心 2020-11-30 17:19

How can I verify a Google authentication access token?

I need to somehow query Google and ask: Is [given access token] valid for the [exampl

10 answers
  • 2020-11-30 18:05

    Here's an example using Guzzle:

    /**
     * @param string $accessToken JSON-encoded access token as returned by \Google_Client->getAccessToken() or raw access token
     * @return array|false False if token is invalid or array in the form
     * 
     * array (
     *   'issued_to' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com',
     *   'audience' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com',
     *   'scope' => 'https://www.googleapis.com/auth/calendar',
     *   'expires_in' => 3350,
     *   'access_type' => 'offline',
     * )
     */
    public static function tokenInfo($accessToken) {
        if(!strlen($accessToken)) {
            return false;
        }

        // A JSON blob from \Google_Client->getAccessToken() starts with '{'; unwrap the raw token.
        if($accessToken[0] === '{') {
            $decoded = json_decode($accessToken);
            if(!is_object($decoded) || empty($decoded->access_token)) {
                return false;
            }
            $accessToken = $decoded->access_token;
        }

        $guzzle = new \GuzzleHttp\Client();

        try {
            $resp = $guzzle->get('https://www.googleapis.com/oauth2/v1/tokeninfo', [
                'query' => ['access_token' => $accessToken],
            ]);
        } catch(\GuzzleHttp\Exception\ClientException $ex) {
            // Google answers with a 4xx when the token is invalid, expired or revoked.
            return false;
        }

        // Guzzle 6+: decode the body ourselves ($resp->json() only exists in Guzzle 5).
        return json_decode((string) $resp->getBody(), true);
    }

  • 2020-11-30 18:08

    An arbitrary OAuth access token can't be used for authentication, because the meaning of the token is outside of the OAuth Core spec. It could be intended for a single use or narrow expiration window, or it could provide access which the user doesn't want to give. It's also opaque, and the OAuth consumer which obtained it might never have seen any type of user identifier.

    An OAuth service provider and one or more consumers could easily use OAuth to provide a verifiable authentication token, and there are proposals and ideas to do this out there, but an arbitrary service provider speaking only OAuth Core can't provide this without other co-ordination with a consumer. The Google-specific AuthSubTokenInfo REST method, along with the user's identifier, is close, but it isn't suitable, either, since it could invalidate the token, or the token could be expired.

    If your Google ID is an OpenId identifier, and your 'public interface' is either a web app or can call up the user's browser, then you should probably use Google's OpenID OP.

    OpenID consists of just sending the user to the OP and getting a signed assertion back. The interaction is solely for the benefit of the RP. There is no long-lived token or other user-specific handle which could be used to indicate that a RP has successfully authenticated a user with an OP.

    One way to verify a previous authentication against an OpenID identifier is to just perform authentication again, assuming the same user-agent is being used. The OP should be able to return a positive assertion without user interaction (by verifying a cookie or client cert, for example). The OP is free to require another user interaction, and probably will if the authentication request is coming from another domain (my OP gives me the option to re-authenticate this particular RP without interacting in the future). And in Google's case, the UI that the user went through to get the OAuth token might not use the same session identifier, so the user will have to re-authenticate. But in any case, you'll be able to assert the identity.

  • 2020-11-30 18:09

    Try making an OAuth-authenticated request using your token to https://www.google.com/accounts/AuthSubTokenInfo. This is only documented to work for AuthSub, but it works for OAuth too. It won't tell you which user the token is for, but it will tell you which services it's valid for, and the request will fail if the token is invalid or has been revoked.

  • 2020-11-30 18:12

    You can verify a Google authentication access token by using this endpoint:

    https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=<access_token>

    This is Google's v3 OAuth access token validation endpoint; you can refer to the Google document below (in the OAuth 2.0 Endpoints tab):

    https://developers.google.com/identity/protocols/OAuth2UserAgent#validate-access-token

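An added example, not code from any of the answers above: it calls the v3 tokeninfo endpoint named in the last answer and then applies the checks that the Guzzle answer's return value leaves to the caller, namely that the token's audience is our own client ID (a valid token minted for a different app must be rejected), that it has not expired, and that it carries the scopes we need. The v3 field names `aud`, `azp` and the string-valued `expires_in` are assumed from Google's documentation; the client IDs and response bodies are constructed placeholders.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional, Set, Tuple

TOKENINFO_URL = "https://www.googleapis.com/oauth2/v3/tokeninfo"  # endpoint from the last answer


def fetch_tokeninfo(access_token: str, timeout: float = 5.0) -> Optional[dict]:
    """Ask Google about a token (network call, not exercised offline).
    Returns the parsed JSON body, or None on 4xx: invalid, expired or revoked."""
    query = urllib.parse.urlencode({"access_token": access_token})
    try:
        with urllib.request.urlopen(f"{TOKENINFO_URL}?{query}", timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if 400 <= err.code < 500:
            return None
        raise


def check_tokeninfo(info: dict, expected_client_id: str, required_scopes: Set[str]) -> Tuple[bool, str]:
    """Decide whether a tokeninfo body proves the token is usable by *our* app.
    Accepts the v1 shape from the Guzzle answer ('audience') and the v3 shape
    ('aud'; assumed field name). A valid token issued to another client must fail."""
    audience = info.get("aud") or info.get("audience")
    if audience != expected_client_id:
        return False, "audience mismatch: token was not issued for this client"
    try:
        expires_in = int(info.get("expires_in", 0))  # v3 returns this as a string
    except (TypeError, ValueError):
        return False, "malformed expires_in"
    if expires_in <= 0:
        return False, "token expired"
    missing = required_scopes - set(info.get("scope", "").split())
    if missing:
        return False, "missing scopes: " + " ".join(sorted(missing))
    return True, "ok"


# Constructed sample bodies (placeholder client IDs, not real Google output).
SAMPLE_V1_OK = {"issued_to": "123.apps.googleusercontent.com",
                "audience": "123.apps.googleusercontent.com",
                "scope": "https://www.googleapis.com/auth/calendar",
                "expires_in": 3350, "access_type": "offline"}
SAMPLE_V3_OTHER_CLIENT = {"azp": "999.apps.googleusercontent.com",
                          "aud": "999.apps.googleusercontent.com",
                          "scope": "openid email", "expires_in": "3000"}
```

In production, feed the body returned by `fetch_tokeninfo` into `check_tokeninfo` with your own client ID; the sample dictionaries exist only so the checks can be exercised offline.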