题
I've been beating my head against the wall for about two days now, time to ask for help.
I've been trying to get my head around the following:
A mobile app user signs in on the app using one of the following:
I'll focus on Google first, the login works (user consents to permission). The app then retrieves a token: GoogleAuthUtil.getToken(mActivity, mEmail, mScope);
Where the scope will be of the form audience:server:client_id:XXXXXX
And XXXXXXX is the client_id of my webservice.
(The mobile app is also registered on Google Console and it's in the same project as the webserver)
Next the app sends the retrieved token to my webserver where the server can get the payload using $client->verifyIdToken( $id_token );. My server is using the Google API Client.
But I now wish to use this to let the server retrieve userdata from google, without requesting the user for further permissions (because they already gave the app the permissions). So how do I get from the payload to requesting userdata from google?
I'm still entertaining the idea that I might be completely misunderstanding this whole Oauth2.0 / SSO proces, so any pointers are deeply appreciated!
解决方案
The only userdata you get with the audience:server:client_id:XXXXXX scope is the user's email address, which is the email field in the JSON encoded $id_token you've received on your webserver (this blog post has the Java/Ruby equivalents, I assume there's a similar helper function for PHP).
If you need additional userdata outside of their email address, you'll need to requeset an additional scope, such as one of the Google+ API Scopes or the legacy Google Profile API Scope.
https://stackoverflow.com/questions/16172176
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian