我使用此方法获取id token:
GoogleSignInAccount acct = googleSignInResult.getSignInAccount();
String toekn_id = acct.getIdToken();
现在,如何验证服务器上ID令牌的完整性?
谷歌:
警告:不要接受普通的用户ID,例如您可以在后端服务器上使用GoogleSignInAccount.getId()方法获得的用户ID。修改后的客户端应用程序可以向服务器发送任意用户ID来模拟用户,因此必须使用可验证的ID令牌来安全地获取服务器端已登录用户的用户ID。
从文档中:https://developers.google.com/identity/sign-in/web/backend-auth#using-a-google-api-客户端库
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
...
GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(transport, jsonFactory)
.setAudience(Arrays.asList(CLIENT_ID))
// If you retrieved the token on Android using the Play Services 8.3 API or newer, set
// the issuer to "https://accounts.google.com". Otherwise, set the issuer to
// "accounts.google.com". If you need to verify tokens from multiple sources, build
// a GoogleIdTokenVerifier for each issuer and try them both.
.setIssuer("https://accounts.google.com")
.build();
// (Receive idTokenString by HTTPS POST)
GoogleIdToken idToken = verifier.verify(idTokenString);
if (idToken != null) {
System.out.println("Valid ID token.");
} else {
System.out.println("Invalid ID token.");
}
您可以在此处阅读API文档:http://javadoc.google-api-java-client.googlecode.com/hg/1.18.0-rc/com/google/api/client/googleapis/auth/oauth2/GoogleIdTokenVerifier.html
要使用API,请将以下内容添加到您的build.gradle:
repositories {
mavenCentral()
}
dependencies {
compile 'com.google.api-client:google-api-client:1.20.0'
}