validating Android's authToken on third party server

Submitted by 北慕城南 on 2019-12-19 01:37:41

Question


I'm writing an Android application, which uses AccountManager to get the token. From an Android app I'm able to interact with Google Picasa - it works fine.

What I would like to achieve is the following: send some text + authToken to my third party server, then check if the token is correct before saving the text. Now the question is: is it possible to determine if the authToken of a particular token is correct based solely on the token itself (and maybe the email address)?

I've already programmed the server part, which accepts the token (sent from the Android application), then issues a request to a URL:

https://accounts.google.com/o/oauth2/tokeninfo?access_token=%token_here%

What I get back is the following JSON:

{
  "error" : "invalid_token"
}

But the link here http://oauthssodemo.appspot.com/step/4 states that if a token is correct I should receive a different JSON response. Can you tell me what I'm doing wrong? I believe that the way to check a token's validity really isn't that simple, but that I should rather implement the whole OpenID or something. Even if that is the case, how can I check whether the token sent by the Android app is correct, so I can save the 'text' part of the message?

Thank you.


Answer 1:


Stop using AccountManager and start using Google Play service’s GoogleAuthUtil class, then it gets easy. See http://android-developers.blogspot.ca/2013/01/verifying-back-end-calls-from-android.html




Answer 2:


The solution is as follows. You can verify the token via this URL:

https://accounts.google.com/o/oauth2/tokeninfo?access_token=%token_here%

But in my case I was trying to validate "Authorization code" and not "Access token" as you can see here: https://code.google.com/oauthplayground/

If you're using Android and OAuth, don't use

lh2 

but rather use the following as service name:

http://picasaweb.google.com/data/

So you should call getAuthToken as follows:

getAuthToken(account, "http://picasaweb.google.com/data/" , true, null, null);

Then you can validate the token received from this call on the URI posted above.
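
The server-side check discussed in the question and in this answer, as an added example that is not part of the original posts: it builds the tokeninfo request URL and decides from the reply whether the text may be saved. The success-reply field names (audience, expires_in, user_id), the client ID placeholder and the sample replies are assumptions; the page itself only shows the error reply.

```javascript
// Added example (Node.js, no network I/O). Field names of a successful reply
// and EXPECTED_AUDIENCE are assumptions; only the error reply is on the page.
const TOKENINFO = 'https://accounts.google.com/o/oauth2/tokeninfo';
const EXPECTED_AUDIENCE = 'YOUR_CLIENT_ID.apps.googleusercontent.com'; // placeholder

// Build the request URL. searchParams percent-encodes the token, so characters
// such as '/', '+' or '&' inside it cannot change the query string.
function tokenInfoUrl(accessToken) {
  const url = new URL(TOKENINFO);
  url.searchParams.set('access_token', accessToken);
  return url.toString();
}

// Decide from the endpoint's HTTP status and body whether to accept the token.
// On success the identity comes from the reply, never from what the app sent.
function checkTokenInfo(status, body) {
  let info;
  try {
    info = JSON.parse(body);
  } catch (e) {
    info = null;
  }
  if (info === null || typeof info !== 'object') {
    return { ok: false, reason: 'unparseable_response' };
  }
  if (status !== 200 || info.error) {
    return { ok: false, reason: info.error || 'http_' + status };
  }
  // A token that is valid but was issued to another application is rejected.
  if (info.audience !== EXPECTED_AUDIENCE) {
    return { ok: false, reason: 'wrong_audience' };
  }
  if (!(Number(info.expires_in) > 0)) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, reason: 'valid', userId: info.user_id };
}

// Constructed sample replies (not captured from the real endpoint).
const SAMPLES = {
  invalid: [400, '{"error": "invalid_token"}'],
  valid: [200, JSON.stringify({ audience: EXPECTED_AUDIENCE, user_id: '1234567890',
    scope: 'http://picasaweb.google.com/data/', expires_in: 3540 })],
  otherApp: [200, JSON.stringify({ audience: 'other-app.apps.googleusercontent.com',
    user_id: '1234567890', expires_in: 3540 })],
  expired: [200, JSON.stringify({ audience: EXPECTED_AUDIENCE, user_id: '1234567890',
    expires_in: 0 })],
};
```
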




Answer 3:


Read this: https://developers.google.com/accounts/docs/OAuth2WebServer

After the web server receives the authorization code, it may exchange the authorization code for an access token and a refresh token. This request is an HTTPS POST, and includes the following parameters:




Answer 4:


I came across the passport-google-token Passport strategy, which perfectly performs the task.

https://www.npmjs.com/package/passport-google-token

More details are present in the above link.




Answer 5:


Based on information in this answer: "What is the proper way to validate google granted OAuth tokens in a node.js server?",

you might try using id_token instead of access_token in the URL to call Google's tokeninfo endpoint.



Source: https://stackoverflow.com/questions/9844694/validating-androids-authtoken-on-third-party-server
