Authentication with google account for native desktop app with backend

Question

I have an application that has both a backend and a frontend (in Java). I need to have user authentication but I would prefer not to handle most of it myself. So I thought I could have users authenticate with their Google accounts.

The backend part is mostly implemented, and it works fine from the browser:

  1. I try to navigate to a URL of my server, and the browser is redirected to the Google login page.
  2. I log in, and the browser is redirected back to my server, this time with auth info (some kind of token?) and I get a response.

But I'm having trouble figuring out how to set this up from a desktop app. I would like the app to have a login button that, when pressed, opens the Google login page in the system browser for the user to log in. If the login is successful, the desktop client can use the info from their Google account (e.g. the email address) to identify itself with my server.

It's the first time I'm working on something like this, so I don't know if I'm looking in the right place. My research online leads me to OAuth2.0, but that seems more like authorization than authentication.

I looked at Google's OpenID guide and it directed me to using OAuth2 for installed applications. Is that the right solution for my use case? Or is that for applications that only have a frontend and all data is kept in the desktop app?

Answer 1

Score: 0

I am not completely sure whether it is secure, and whether it aligns with best practices, but I found a solution. I used the idea of the loopback redirect URI in my own way.

  1. I start an HTTP listener on the desktop app on a random available port, let's say it's port 54321.
  2. I want to contact a URL on my server. In that URL I add the loopback port as a query argument. So the URL would be something like https://myserver.org:8443/signin?loopback_port=54321
  3. I start the system browser with this URL. The server requires authentication, so the browser is redirected to Google to log in and provide authorization for the application to access my Google account data.
  4. Once the login in Google is done, the browser is redirected back to the URL of my server that it was first trying to reach. Now since the authentication is done, the request goes through.
  5. I updated the /signin endpoint on my server to return redirects to /signin2 (again with the loopback_port param). The redirect from /signin will set the JSESSIONID in a cookie in the browser, and when we get the request in /signin2, we can read that JSESSIONID.
  6. When we get the request in /signin2, we use the loopback port and the jsessionid to build a redirect URL to the HTTP listener on the desktop app. The jsessionid will be included as a query argument. So the browser is redirected to http://localhost:54321/?JSESSIONID=....
  7. The HTTP listener on the desktop app parses the request to get the JSESSIONID from the cookie, and it can use that in subsequent requests it sends to the server. Having this cookie, the server associates the desktop app's request with the authentication done earlier.
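
The desktop side of steps 1, 2 and 7, as an added example that is not part of the original answer: the listener binds to the loopback address only and accepts a callback only if it carries a one-time `state` value the app generated. The `state` parameter and the class name `LoopbackSignIn` are assumptions; the answer's server would have to pass `state` through `/signin` and `/signin2` unchanged for this check to work.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.TimeUnit;

public class LoopbackSignIn {
    // Parse a raw query string ("a=1&b=2") into URL-decoded key/value pairs.
    static Map<String, String> parseQuery(String raw) {
        Map<String, String> out = new HashMap<>();
        if (raw == null) return out;
        for (String pair : raw.split("&")) {
            int i = pair.indexOf('=');
            if (i > 0) out.put(URLDecoder.decode(pair.substring(0, i), StandardCharsets.UTF_8),
                               URLDecoder.decode(pair.substring(i + 1), StandardCharsets.UTF_8));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // One-time value tying the callback to this sign-in attempt (assumed "state" parameter).
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(nonce);
        CompletableFuture<String> session = new CompletableFuture<>();
        // Port 0 lets the OS pick a free port; loopback-only binding keeps other hosts out.
        HttpServer server = HttpServer.create(new InetSocketAddress(InetAddress.getLoopbackAddress(), 0), 0);
        server.createContext("/", ex -> {
            Map<String, String> q = parseQuery(ex.getRequestURI().getRawQuery());
            String got = q.getOrDefault("state", ""), id = q.get("JSESSIONID");
            // Constant-time comparison; a callback without the expected state is rejected.
            boolean ok = id != null && MessageDigest.isEqual(
                    got.getBytes(StandardCharsets.UTF_8), state.getBytes(StandardCharsets.UTF_8));
            byte[] body = (ok ? "Signed in. You can close this tab." : "Rejected.").getBytes(StandardCharsets.UTF_8);
            ex.sendResponseHeaders(ok ? 200 : 400, body.length);
            ex.getResponseBody().write(body);
            ex.close();
            if (ok) session.complete(id);
        });
        server.start();
        int port = server.getAddress().getPort();
        // In the app this URI would be opened with java.awt.Desktop.getDesktop().browse(signIn).
        URI signIn = URI.create("https://myserver.org:8443/signin?loopback_port=" + port + "&state=" + state);
        System.out.println("Open in the system browser: " + signIn);
        try { System.out.println("Session id length: " + session.get(2, TimeUnit.MINUTES).length()); }
        finally { server.stop(0); }  // stop listening on success, timeout or error
    }
}
```

The listener stops after one accepted callback or a two-minute timeout, and the session id itself is never printed.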

huangapple
  • Published on April 5, 2020 at 20:42:00
  • When reposting, please keep the link to this article: https://go.coder-hub.com/61042757.html