Question
I am developing a web application that uses OAuth2 to log the users in with their Google Accounts. I am also accessing some Google Data APIs, so I am asking for refresh tokens and offline access too (in case it makes a difference).
My problem is the following: after the app's user first comes to login, does OAuth and I save the tokens/user id in the database, I need to have in place a system that identifies the user on subsequent visits.
I do this by saving the Google user ID (obtained by a call to the 'userinfo' endpoint) in a Session variable. This works fine until the user logs out of their Google Account and possibly logs in with another account (to Google, not my app). At this point my app does not have the correct logged-in user anymore and can show data that does not belong to the right user.
Does anyone know how I can identify in an efficient way the logged in Google Account user?
I suppose I can always call the userinfo endpoint, but doing this on every page of my application seems overkill to me and would like a more efficient approach.
I am programming in PHP and using 'google-api-php-client' library for development.
Thank you in advance for your help.
Answer 1:
You're right. Currently the most efficient way to do this is to query the userinfo endpoint.
However, depending on what your UI looks like, we've found that giving the option to change identities is a good compromise. A small link like "not you?" on the signed-in button is an option. There is a very new API that is not fully documented that lets you force a user to select another account. See this answer: Force google account chooser
We hope to make this more seamless and efficient for websites but have nothing more to announce at this moment.
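One way to keep the userinfo round-trip off the hot path while still binding the application session to a single Google account, as an added example that is not code from the question, the answer or the google-api-php-client library. It talks to the userinfo endpoint with plain curl instead of the library, and the constant names, the 15-minute re-check interval, and the function names are assumptions chosen for illustration. At login the session is regenerated and tied to the account's stable `sub` claim (not the e-mail, which can change); on later requests the stored token is re-checked against userinfo only after the interval has elapsed, and the session is destroyed if the token is no longer accepted or now resolves to a different `sub`.

```php
<?php
// Added example (not from the question, the answer or the library): bind the app
// session to the Google account id captured at login and re-verify it against the
// userinfo endpoint at most once per RECHECK_TTL instead of on every page load.
declare(strict_types=1);

const USERINFO_ENDPOINT = 'https://www.googleapis.com/oauth2/v3/userinfo';
const RECHECK_TTL = 900; // seconds between re-checks (assumed policy value)

/** Fetch the userinfo claims for an access token; null on any failure. */
function fetchUserInfo(string $accessToken): ?array
{
    $ch = curl_init(USERINFO_ENDPOINT);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Authorization: Bearer ' . $accessToken],
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        return null; // token expired/revoked, network error, or non-JSON reply
    }
    $claims = json_decode($body, true);
    return (is_array($claims) && isset($claims['sub'])) ? $claims : null;
}

/** Run once in the OAuth callback: record which Google account owns this session. */
function bindSessionToAccount(array $claims, string $accessToken): void
{
    session_regenerate_id(true);                 // fresh session id after authentication
    $_SESSION['google_sub']   = (string) $claims['sub']; // stable account id, not the email
    $_SESSION['access_token'] = $accessToken;
    $_SESSION['verified_at']  = time();
}

/**
 * Per-request check. Returns true while the session is bound to the same account.
 * $fetch is injectable so the re-check can be exercised without network access.
 */
function sessionAccountIsValid(callable $fetch = 'fetchUserInfo', ?int $now = null): bool
{
    $now = $now ?? time();
    if (empty($_SESSION['google_sub']) || empty($_SESSION['access_token'])) {
        return false; // never logged in, or session already cleared
    }
    if ($now - (int) ($_SESSION['verified_at'] ?? 0) < RECHECK_TTL) {
        return true;  // verified recently: skip the network round-trip
    }
    $claims = $fetch($_SESSION['access_token']);
    if ($claims === null || !hash_equals($_SESSION['google_sub'], (string) $claims['sub'])) {
        // Grant revoked/expired, or the token no longer matches the bound account:
        // end the application session rather than keep serving the old user's data.
        session_unset();
        session_destroy();
        return false;
    }
    $_SESSION['verified_at'] = $now;
    return true;
}

// Typical page guard (session_start() has already been called):
// if (!sessionAccountIsValid()) { header('Location: /login'); exit; }
```

Because the stored access token belongs to the account that authorized it, the periodic re-check catches a revoked or expired grant and any mismatch against the bound `sub`; a user who wants the application to switch accounts still goes through the application's own logout and a fresh authorization, which is where a "not you?" link as suggested in the answer fits.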
Source: https://stackoverflow.com/questions/14648098/identify-logged-in-google-account-user-with-oauth2-0