【问题标题】:Auto-refresh token for app using Google OAuth 2.0 with PHP/JS使用带有 PHP/JS 的 Google OAuth 2.0 的应用程序的自动刷新令牌
【发布时间】:2018-02-06 05:47:25
【问题描述】:

我有一个使用 Google Sign-In for Websites 的应用程序,但只要用户的会话处于活动状态,我就想刷新令牌(例如,他们登录、闲置 2 小时但保持标签打开,然后回来不要必须重新认证)。

根据我的研究,它看起来像 requires setting offline access 类型,但我不确定这是否是正确的方向。

如果这是正确的方向——我不知道如何将它添加到我现有的代码中。

这是我的登录页面代码:

<!doctype html>
<html>
<head>

    <!-- jQuery -->
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.1/jquery.min.js"></script>

    <!-- Custom -->
    <link href="https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css" rel="stylesheet">
    <link href="https://fonts.googleapis.com/css?family=Roboto" rel="stylesheet">
    <link href="<?php echo $pathTo ?>css/particles.css" rel="stylesheet">
    <link href="<?php echo $pathTo ?>css/style.css" rel="stylesheet">

    <meta name="google-signin-client_id" content="<?php echo GAPI_CLIENTID ?>">

</head>
<body class="loginPage">

    <div class="se-pre-con" style="display: none"></div>

    <div id="particles-js">

        <div id="loginBox">

            <div class="logo"></div>

            <div id="googleSignIn"></div>

            <?php if(isset($message)) { ?>
                <p class="loginMessage"><?php echo $message ?></p>
            <?php } ?>

        </div>

    </div>  

    <script>

    function onSuccess(googleUser) {
        var id_token = googleUser.getAuthResponse().id_token;
        $(".se-pre-con").fadeIn("slow");  
        var authUrl = "auth.php?id_token=" + id_token;
        <?php if(isset($_GET['retUrl'])) { ?>
            authUrl += "&retUrl=<?php echo urlencode($_GET['retUrl']); ?>";
        <?php } ?>
        window.location.href = authUrl;
    }

    function onFailure(error) {
        console.log(error);
    }

    function renderButton() {
        gapi.signin2.render('googleSignIn', {
            'scope': 'profile email',
            'width': 240,
            'height': 50,
            'longtitle': true,
            'theme': 'dark',
            'onsuccess': onSuccess,
            'onfailure': onFailure
        });
    } 

    </script>

    <script src="https://apis.google.com/js/platform.js?onload=renderButton" async defer></script>

    <script src="<?php echo $pathTo ?>js/particles.js"></script>
    <script src="<?php echo $pathTo ?>js/particles/app.js"></script>
    <script src="<?php echo $pathTo ?>js/particles/lib/stats.js"></script>

</body>
</html>

这是我的 auth.php 页面:

<?php

require_once('tool/config/db.php');
require_once('tool/config/global.php');

if(isset($_GET['id_token'])) {
    $id_token   = $_GET['id_token'];
} else {
    $id_token   = "";
}

if(isset($_GET['retUrl'])) {
    $retUrl     = $_GET['retUrl'];
} else {
    $retUrl     = "";
}

if($id_token != "") {

    $url        = "https://www.googleapis.com/oauth2/v3/tokeninfo";

    $params     = "access_type=offline&id_token=".$id_token;

    $curl = curl_init($url);
            curl_setopt($curl, CURLOPT_HEADER, false);
            curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($curl, CURLOPT_POST, true);
            curl_setopt($curl, CURLOPT_POSTFIELDS, $params);

    $json_response = curl_exec($curl);

    $status = curl_getinfo($curl, CURLINFO_HTTP_CODE);

    if ($status != 200) {
        $fail = 1;
        die("Error: call to token URL $token_url failed with status $status, response $json_response, curl_error " . curl_error($curl) . ", curl_errno " . curl_errno($curl));
    }

    curl_close($curl);

    $response = json_decode($json_response, true);

    if(!empty($response)) {

        if(
            //isset($response['exp']) && 
            //$response['exp'] > strtotime(date("Y-m-d H:i:s")) && 
            isset($response['iss']) && 
            ( $response['iss'] == "accounts.google.com" || $response['iss'] == "https://accounts.google.com" ) && 
            isset($response['hd']) && $response['hd'] == "MYDOMAIN.com"
        ) {
            $success = 1;
        } else {
            $success = 0;   
        }

    }

}

## Log the login attempt ##
if(isset($response['email'])) {
    $email      = mysqli_real_escape_string($conn,$response['email']);
} else {
    $email      = "";
}
if(isset($response['name'])) {
    $name       = mysqli_real_escape_string($conn,$response['name']);
} else {
    $name       = "";
}
$id_token   = mysqli_real_escape_string($conn,$id_token);

$sql        = " INSERT INTO logins (loginDate,email,name,id_token,success)
                VALUES ('".date("Y-m-d H:i:s")."','".$email."','".$name."','".$id_token."','".$success."')";

mysqli_query($conn,$sql) or die(mysqli_error($conn));   

## Compre against Users table ##

$sql        = "SELECT * FROM users WHERE emailAddress = '$email' AND active = '1' AND access = '1'";

$userCheck  = mysqli_query($conn,$sql) or die(mysqli_error($conn));

if(mysqli_num_rows($userCheck) == 0) {
    $access = 0;    
} else {
    while($row = mysqli_fetch_assoc($userCheck)) {
        $checkAdmin     = $row['admin'];
        $checkAccess    = $row['access'];
        $checkActive    = $row['active'];
    }
}

## Approve or deny ##
if(isset($success) && $success == 1 && isset($checkAccess) && $checkAccess == 1) {
    session_start();
    $_SESSION['login']  = "authenticated";
    $_SESSION['name']   = $response['name'];
    $_SESSION['email']  = $response['email'];
    $_SESSION['admin']  = $checkAdmin;
    if(isset($_GET['retUrl'])) {
        header('Location: ..'.$_GET['retUrl']);     
    } else {
        header('Location: tool/');
    }
} elseif( (isset($success) && $success == 1) && (!isset($checkAccess) || $checkAccess == 0) ) {
    // reject attempt due to lack of access
    header('Location: logout.php?e=request_access');
} else {
    // reject attempt
    header('Location: logout.php?e=invalid_login');
}

?>

【问题讨论】:

标签: php oauth google-signin google-oauth


【解决方案1】:

从 Google 的角度来看,请求 offline access 会设置 grant_type=refresh_token,它允许您在 access_token 已过期或即将过期时执行刷新。因此,如果这是您的用例,那么是的,这似乎是正确的方法。

这将要求最终用户授权离线访问您的应用程序。

【讨论】:

    猜你喜欢
    • 1970-01-01
    • 2014-05-11
    • 2014-08-06
    • 2015-09-25
    • 2014-10-20
    • 1970-01-01
    • 1970-01-01
    • 2013-04-01
    • 2014-07-30
    相关资源
    最近更新 更多