Question
I'm following the latest Google+ Sign-in integration for my app (https://developers.google.com/+/mobile/android/sign-in), which says:
The Google+ Sign-In button authenticates the user and manages the OAuth 2.0 flow, which simplifies your integration with the Google APIs.
So after the user signs in successfully through Google+ (we supposedly don't need to manually manage the tokens and all that?), what is the recommended secure way of hitting your server's authentication endpoint? (E.g. pass the user email to your own server's endpoint and get user info back? Are we supposed to pass some token, or session id, that we got back from the Google+ user data?)
Answer 1:
If all you need is authentication to your own server (rather than access to any Google hosted information), you can use the Using Google Sign-In with your server techniques, which allow you to get tokens with the new Google Sign In API:
    GoogleSignInOptions gso =
            new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
                    .requestIdToken(getString(R.string.server_client_id))
                    .requestEmail()
                    .build();
Where the server_client_id is an OAuth 2.0 client ID for web applications from the Credentials page. You'll then get the ID token from googleSignInResult.getSignInAccount().getIdToken().
You can then verify the id token on your server side and you'll know the user's email address and that the request is coming from your Android app.
The documentation runs through the full workflow, including pointing out the GoogleIdTokenVerifier class which can make verifying the token much easier.
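The server-side half of the flow the answer describes, as an added example (not code from the answer's author or from Google's documentation): the Android app sends the ID token string to the backend over HTTPS, and the backend verifies it with GoogleIdTokenVerifier before trusting anything in it. It assumes the Google API Client Library for Java (google-api-client) is on the classpath; SERVER_CLIENT_ID is a placeholder for the web-application client ID from the Credentials page, and the VerifiedUser record is a hypothetical type for the caller's own session logic.

```java
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;

public class IdTokenAuthenticator {

    // Placeholder: the OAuth 2.0 client ID *for web applications* that the
    // Android app passed to requestIdToken(). Tokens minted for any other
    // audience (another app, another backend) must be rejected.
    private static final String SERVER_CLIENT_ID =
            "<YOUR_SERVER_CLIENT_ID>.apps.googleusercontent.com";

    // Hypothetical result type for the caller's session handling.
    public record VerifiedUser(String googleUserId, String email) {}

    private final GoogleIdTokenVerifier verifier;

    public IdTokenAuthenticator() {
        // The verifier fetches Google's public signing keys over HTTPS and
        // caches them; one instance should be shared for the server's lifetime.
        // Issuer defaults to accounts.google.com / https://accounts.google.com.
        this.verifier = new GoogleIdTokenVerifier.Builder(
                new NetHttpTransport(), new GsonFactory())
                .setAudience(Collections.singletonList(SERVER_CLIENT_ID))
                .build();
    }

    /**
     * Verifies the ID token string received from the Android client.
     * Returns the identity to bind to a server session, or null if the token
     * is invalid (bad signature, wrong audience or issuer, expired).
     */
    public VerifiedUser authenticate(String idTokenString)
            throws GeneralSecurityException, IOException {
        if (idTokenString == null || idTokenString.isBlank()) {
            return null;
        }

        // verify() checks signature, audience, issuer and expiry; it returns
        // null rather than throwing when the token does not pass.
        GoogleIdToken idToken = verifier.verify(idTokenString);
        if (idToken == null) {
            return null;
        }

        Payload payload = idToken.getPayload();

        // Only trust the email claim when Google asserts it was verified;
        // otherwise an unverified address could be used to claim an account.
        if (!Boolean.TRUE.equals(payload.getEmailVerified())) {
            return null;
        }

        // "sub" is the stable Google user ID; key user records on it rather
        // than on the email address, which can change.
        return new VerifiedUser(payload.getSubject(), payload.getEmail());
    }
}
```

The endpoint that receives the token should issue the app its own session credential (cookie or opaque session token) after authenticate() succeeds, and should never accept a bare email address from the client as proof of identity; only the signed ID token ties the request to a Google account and to the audience that the Android app requested.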
Source: https://stackoverflow.com/questions/27435319/what-is-the-recommended-way-of-authentication-after-google-signin