Dopo che Google restituisce un token ID, questo viene inviato da una richiesta di metodo HTTP POST
, con il nome parametro credential
, all'endpoint di accesso.
Di seguito è riportato un esempio nel linguaggio Python che mostra i passaggi abituali per convalidare e utilizzare il token ID:
Verificare il token Cross-Site Request Forgery (CSRF). Quando invii le credenziali al tuo endpoint di accesso, utilizziamo il pattern del doppio cookie per impedire gli attacchi CSRF. Prima di ogni invio, generiamo un token. Quindi, il token viene inserito sia nel cookie che nel corpo del post, come mostrato nell'esempio di codice seguente:
csrf_token_cookie = self.request.cookies.get('g_csrf_token') if not csrf_token_cookie: webapp2.abort(400, 'No CSRF token in Cookie.') csrf_token_body = self.request.get('g_csrf_token') if not csrf_token_body: webapp2.abort(400, 'No CSRF token in post body.') if csrf_token_cookie != csrf_token_body: webapp2.abort(400, 'Failed to verify double submit cookie.')
Verificare il token ID.
To verify that the token is valid, ensure that the following criteria are satisfied:
- The ID token is properly signed by Google. Use Google's public keys
(available in
JWK or
PEM format)
to verify the token's signature. These keys are regularly rotated; examine
the
Cache-Control
header in the response to determine when you should retrieve them again. - The value of
aud
in the ID token is equal to one of your app's client IDs. This check is necessary to prevent ID tokens issued to a malicious app being used to access data about the same user on your app's backend server. - The value of
iss
in the ID token is equal toaccounts.google.com
orhttps://accounts.google.com
. - The expiry time (
exp
) of the ID token has not passed. - If you want to restrict access to only members of your G Suite domain,
verify that the ID token has an
hd
claim that matches your G Suite domain name.
Rather than writing your own code to perform these verification steps, we strongly recommend using a Google API client library for your platform, or a general-purpose JWT library. For development and debugging, you can call our
tokeninfo
validation endpoint.Using a Google API Client Library
Using one of the Google API Client Libraries (e.g. Java, Node.js, PHP, Python) is the recommended way to validate Google ID tokens in a production environment.
Java To validate an ID token in Java, use the GoogleIdTokenVerifier object. For example:
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken; import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload; import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier; ... GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(transport, jsonFactory) // Specify the CLIENT_ID of the app that accesses the backend: .setAudience(Collections.singletonList(CLIENT_ID)) // Or, if multiple clients access the backend: //.setAudience(Arrays.asList(CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3)) .build(); // (Receive idTokenString by HTTPS POST) GoogleIdToken idToken = verifier.verify(idTokenString); if (idToken != null) { Payload payload = idToken.getPayload(); // Print user identifier String userId = payload.getSubject(); System.out.println("User ID: " + userId); // Get profile information from payload String email = payload.getEmail(); boolean emailVerified = Boolean.valueOf(payload.getEmailVerified()); String name = (String) payload.get("name"); String pictureUrl = (String) payload.get("picture"); String locale = (String) payload.get("locale"); String familyName = (String) payload.get("family_name"); String givenName = (String) payload.get("given_name"); // Use or store profile information // ... } else { System.out.println("Invalid ID token."); }
The
GoogleIdTokenVerifier.verify()
method verifies the JWT signature, theaud
claim, theiss
claim, and theexp
claim.If you want to restrict access to only members of your G Suite domain, also verify the
hd
claim by checking the domain name returned by thePayload.getHostedDomain()
method.Node.js To validate an ID token in Node.js, use the Google Auth Library for Node.js. Install the library:
npm install google-auth-library --save
Then, call theverifyIdToken()
function. For example:const {OAuth2Client} = require('google-auth-library'); const client = new OAuth2Client(); async function verify() { const ticket = await client.verifyIdToken({ idToken: token, audience: CLIENT_ID, // Specify the CLIENT_ID of the app that accesses the backend // Or, if multiple clients access the backend: //[CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3] }); const payload = ticket.getPayload(); const userid = payload['sub']; // If request specified a G Suite domain: // const domain = payload['hd']; } verify().catch(console.error);
The
verifyIdToken
function verifies the JWT signature, theaud
claim, theexp
claim, and theiss
claim.If you want to restrict access to only members of your G Suite domain, also verify the
hd
claim matches your G Suite domain name.PHP To validate an ID token in PHP, use the Google API Client Library for PHP. Install the library (for example, using Composer):
composer require google/apiclient
Then, call theverifyIdToken()
function. For example:require_once 'vendor/autoload.php'; // Get $id_token via HTTPS POST. $client = new Google_Client(['client_id' => $CLIENT_ID]); // Specify the CLIENT_ID of the app that accesses the backend $payload = $client->verifyIdToken($id_token); if ($payload) { $userid = $payload['sub']; // If request specified a G Suite domain: //$domain = $payload['hd']; } else { // Invalid ID token }
The
verifyIdToken
function verifies the JWT signature, theaud
claim, theexp
claim, and theiss
claim.If you want to restrict access to only members of your G Suite domain, also verify the
hd
claim matches your G Suite domain name.Python To validate an ID token in Python, use the verify_oauth2_token function. For example:
from google.oauth2 import id_token from google.auth.transport import requests # (Receive token by HTTPS POST) # ... try: # Specify the CLIENT_ID of the app that accesses the backend: idinfo = id_token.verify_oauth2_token(token, requests.Request(), CLIENT_ID) # Or, if multiple clients access the backend server: # idinfo = id_token.verify_oauth2_token(token, requests.Request()) # if idinfo['aud'] not in [CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]: # raise ValueError('Could not verify audience.') # If auth request is from a G Suite domain: # if idinfo['hd'] != GSUITE_DOMAIN_NAME: # raise ValueError('Wrong hosted domain.') # ID token is valid. Get the user's Google Account ID from the decoded token. userid = idinfo['sub'] except ValueError: # Invalid token pass
The
verify_oauth2_token
function verifies the JWT signature, theaud
claim, and theexp
claim. You must also verify thehd
claim (if applicable) by examining the object thatverify_oauth2_token
returns. If multiple clients access the backend server, also manually verify theaud
claim.- The ID token is properly signed by Google. Use Google's public keys
(available in
JWK or
PEM format)
to verify the token's signature. These keys are regularly rotated; examine
the
In base allo stato dell'account correlato per l'indirizzo email nel token ID, puoi reindirizzare l'utente a flussi diversi, come indicato di seguito:
Un indirizzo email non registrato: puoi mostrare un'interfaccia utente (UI) di registrazione che consente all'utente di fornire ulteriori informazioni del profilo, se necessario. Consente inoltre all'utente di creare automaticamente il nuovo account e una sessione utente a cui è stato eseguito l'accesso.
Un account precedente che esiste per l'indirizzo email: puoi mostrare una pagina web che consente all'utente finale di inserire la propria password e di collegare l'account precedente con le sue credenziali Google. per confermare che l'utente abbia accesso all'account esistente.
Un utente federato di ritorno: puoi accedere automaticamente all'utente.