【发布时间】:2017-05-18 01:46:54
【问题描述】:
我正在将 Google 登录与 Open ID 集成。文档说我需要创建一个防伪状态令牌。我已经阅读了一些关于 CSRF 的参考资料(Sitepoint、StackOverflow、Shiflett)等等。我无法完全理解我应该如何实施此解决方案。
我很确定我没有正确理解这个概念,但我正在努力。这是我到目前为止编写的过程:
<?php session_start();
//INCLUDE PHP CLIENT LIBRARY
require_once 'vendor/autoload.php';
$scopes = array('email', 'profile');
// Create client object
$client = new Google_Client();
$client->setRedirectUri('http://' . $_SERVER['HTTP_HOST'] . '/index.php');
$client->setAuthConfig("client.json");
$client->addScope($scopes);
$client->setAccessType("offline");
if( isset($_SESSION["access_token"]) && $_SESSION["access_token"]) {
if(isset($_SESSION['tokencsrf']) && $_SESSION['tokencsrf'] !== "") {
$client->setAccessToken($_SESSION["access_token"]);
if ($client->isAccessTokenExpired()) {
$refreshTokenTxt = "refreshToken.txt";
$tokenHandle = fopen($refreshTokenTxt, "r");
$refreshToken = fread($tokenHandle, filesize($refreshTokenTxt));
$client->refreshToken($refreshToken);
$_SESSION['access_token'] = $client->getAccessToken();
$client->setAccessToken($_SESSION["access_token"]);
}
$objOAuthService = new Google_Service_Oauth2($client);
$userData = $objOAuthService->userinfo->get();
var_dump($userData);
} else {
die(" --- INVALID CSRF! ---");
}
} else {
$_SESSION['tokencsrf'] = bin2hex(openssl_random_pseudo_bytes(16));
if( !isset($_GET["code"]) ){
$authUrl = $client->createAuthUrl();
header('Location: ' . filter_var($authUrl, FILTER_SANITIZE_URL));
} else {
$client->authenticate($_GET['code']);
$_SESSION['access_token'] = $client->getAccessToken();
$refreshTokenTxt = "refreshToken.txt";
if (!file_exists($refreshTokenTxt)) {
$tokenHandle = fopen($refreshTokenTxt, "w");
fwrite($tokenHandle, $_SESSION['access_token']["refresh_token"]);
}
$redirect_uri = 'http://' . $_SERVER['HTTP_HOST'] . '/index.php';
header('Location: ' . filter_var($redirect_uri, FILTER_SANITIZE_URL));
}
}
?>
当然,这是一个测试脚本,看看这是否是正确的做法。到目前为止它运作良好,但我不确定这是否是正确的方法。我恳请可以确认是否可以使用或可以建议进行哪些更改的人的支持。非常感谢您的宝贵意见!
【问题讨论】:
标签: php csrf google-api-php-client openid-connect google-openid