问题
I'm writing an Android app that talks to a remote server, and I want to allow app users to log into the server by using the google credentials that reside on their phone, i.e. without requiring the user to enter their google password anywhere in my app. For example, if the user's (Android) phone has been configured with "someguy@gmail.com", and they then install and run my app, my app will present them with a dialog saying "Do you wish to sign in as someguy@gmail.com?", and upon hitting an Ok button they'd have established an id on my server that knows their email address is someguy@gmail.com, as certified by google itself.
I've found widespread and varied partial recipes on how to go about this, including google's own oauth2 documentation, but have not divined an understanding of how to make it all happen.
I do have Android code which uses the AccountManager to figure out which google accounts are on a given phone. I prompt the user as to which google account they'd like to use to sign on, and I then get an authorization token back.
Past that point, I'm pretty much spinning my wheels. The recipes I've looked at seem to call for my doing an http get of this form:
http://<myWebServer>.com/_ah/login?continue=<someUrlIChoose>&auth=<authToken>
... which (a) is dissatisfying in that it appears to be specific to appengine and I want the freedom to run this on any back end of my choice, and (b) even experimenting with appengine, the appengine instance I've set up doesn't seem to be signaled at all, i.e. the logs show now queries to it (I was hoping the someUrlIChoose url would have been called with something)... hence no opportunities to be informed of the validity of the token.
Specific questions would include:
- What do I do with the auth token... do I send it to my server, and somehow have my server contact google to verify the token's validity for the specified account? Or is there some backchannel communication that's supposed to have already (at this stage of the process) originated from the google servers to inform my server that this token is valid (and if so, how do I set that up)? Or something else?
- Am I right to suppose that this process should be doable in the context of any back end (not just appengine)?
- Is oauth2 what I should be using (as opposed to oauth1, or something else)? Everything I read seems to imply that google's support for oauth2 is "experimental"... but I have not ascertained whether such assertions are current or old; and even if current, google has a history of keeping various products in permanent non-final form (e.g. eternal beta), so I don't know what to conclude about this.
- Anything else that's relevant...
回答1:
You must import google-play-services_lib after than you can use this code:
import com.google.android.gms.auth.GoogleAuthUtil;
import com.google.android.gms.auth.UserRecoverableAuthException;
private void gmail_login() {
dialog = ProgressDialog.show(LoginActivity.this, "", getString(R.string.login_loading), true);
AsyncTask task = new AsyncTask() {
@Override
protected Object doInBackground(Object... params) {
getAndUseAuthTokenBlocking();
return null;
}
};
task.execute((Void)null);
}
void getAndUseAuthTokenBlocking() {
try
{
String AUTH_TOKEN_TYPE = "oauth2:https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/userinfo.email";
AccountManager accountManager = AccountManager.get(this);
Account[] accounts = accountManager.getAccountsByType("com.google");
String token = GoogleAuthUtil.getToken(this, accounts[0].name, AUTH_TOKEN_TYPE);
//token here
}
catch (UserRecoverableAuthException userAuthEx) {
startActivityForResult(userAuthEx.getIntent(), MY_ACTIVITYS_AUTH_REQUEST_CODE);
}catch (Exception e){
DropErrorMsg.drop(this, handler, R.string.connection_error, R.string.error, dialog, false);
}
}
回答2:
Is this what you are loooking for?
Most Android apps have some sort of server-side back end, to persist and share data. Even the most basic game needs to remember its players’ high scores. When you’re building your back end, one problem you have to solve is how the back-end code knows what app it’s talking to and who the person using it is.
You probably have HTTP endpoints for communicating with your client apps, but how can the server-side code be sure who’s sending messages to it? After all, anyone can send HTTP POST requests from anywhere; could they impersonate your users if they could guess their identities?
It’s really user-unfriendly to ask people to type in usernames and passwords on mobile devices. In particular, if someone has installed your app and given it permission to use the Internet and know your identity, they shouldn’t be pestered any more.
It turns out that Google Play services, now available on every compatible device running Android release 2.2 or higher, offers a good solution to this problem, based on the use of Google Accounts.
http://android-developers.blogspot.se/2013/01/verifying-back-end-calls-from-android.html
来源:https://stackoverflow.com/questions/10557478/google-account-authorization-within-an-android-app