使用oAuth处理多个Google登录用户

我有这个应用程序使用来自gmail帐户的数据。 我已经能够创建一个php网站,用于检索oAuth令牌(在线和离线)以及稍后从邮箱中获取必要的用户信息,所有这些都使用Google php api。 现在我的问题是:</ p>

当辅助用户在以前被授权用户使用的浏览器中登录gmail时,凭据似乎“停留”。 所以第二个(或第三个或第n个用户)可以看到与它们无关的数据,这也是一个安全漏洞。 但最重要的是:每个用户进入gmail只会看到第一个登录用户的数据。</ p>

问题:我有没有办法使用Google PHP API或Google JavaScript API 检索当前gmail会话的用户名?</ p>

这是我用来检索用户数据的当前php代码段:</ p>

< pre> 使用google \ appengine \ api \ users \ User;
use google \ appengine \ api \ users \ UserService;

session_start();

$ user = UserService :: getCurrentUser();
$ userEmail = htmlspecialchars($ user-&gt; getEmail());
</ code> </ pre>

这个想法 应用程序使用当前的gmail用户信息来查询数据库,然后检索该特定用户的数据 - 并且仅检索登录的用户。 如果用户未获得授权,则提示授权窗口并请求许可。</ p>

欢迎任何想法或建议。</ p>

更新(9月) 7,2015):</ p>

我在app.yaml上进行了更改,因此gmail中的每个登录用户都可以从我的应用程序中获得不同的uri。 这很好用。 现在我面临一个新问题:如何使PHPSESSID和SACSID cookie使用特定路径而不是整个域? 这样 - 理论上 - 我可以有几个登录用户,每个用户连接到不同的子文件夹。</ p>

我已经阅读了有关UserService的整个文档,但似乎我只能做 重定向到这个:</ p>

UserService :: createLoginURL($ _ SERVER ['REQUEST_URI']); </ p>

并负责身份验证。 </ p>

问题:我如何重新调整范围以便cookie获得适当的文件夹路径?</ p>
</ div>

展开原文

原文

I have this app that uses data from gmail accounts. I have been able to create a php site that retrieves the oAuth tokens (online and offline) and later the necessary user information from the mailbox, all using the Google php api. Now to my problem:

When a secondary user logs into gmail in a browser that was previously used by an authorized user, the credentials seems to "stay". So the 2nd (or 3rd or nth user) can see data non-related to them, which is also a security hole. But most important: every loged in user into gmail is seeing only the data of the 1st logged in user.

The question: Is there a way I can use Google PHP API or Google JavaScript API to retrieve the user name of the current gmail session?

This is the current php piece of code I've been using to retrieve the user data:

use google\appengine\api\users\User;
use google\appengine\api\users\UserService;

session_start(); 

$user = UserService::getCurrentUser();
$userEmail = htmlspecialchars($user->getEmail());

The idea is that the app uses the current gmail user information to query a database and then retrieve the data for that specific user - and only that logged in user. If the user is not authorized, then prompt for the authorization window and ask for permission.

Any ideas or suggestions are welcome.

UPDATE (Sept 7, 2015):

I have made a change in the app.yaml so every logged in user in gmail gets served a different uri from my app. That works just fine. Now I face a new issue: how can I make the PHPSESSID and SACSID cookies to use an specific path instead of the whole domain? That way - theoretically - I can have several logged in users each and every one connecting to a different subfolder.

I've read the whole documentation about the UserService but it seems all I can do is redirect to this:

UserService::createLoginURL($_SERVER['REQUEST_URI']);

And that takes care of the authentication.

The question: How can I restringe the scope so the cookies gets the appropriate folder path?

dongluoqiu0255
dongluoqiu0255 我也对这个问题的答案感兴趣。
接近 5 年之前 回复
dongzhi7641
dongzhi7641 我已经“阻止”代码到达gmail中的二级登录用户,这更像是止血带而非解决方案。我仍在尝试弄清楚如何阅读addSession(accounts.google.com/AddSession)以获取辅助登录用户信息。对此有任何想法,将非常受欢迎。
大约 5 年之前 回复

1个回答



主要问题是,一旦您登录App Engine(通过UserService),现在已经在您的用户会话中创建了用户会话 App Engine应用程序,因此您在GMail或任何其他Google应用程序中执行的操作并不重要,因为会话已经创建,并且在您的应用程序中保留。 </ p>

App Engine UserService在辅助登录甚至可能之前就已经可用,并且从那时起就没有更新过。 因此,当开发API时,这个用例可能不是一个考虑因素。</ p>
</ div>

展开原文

原文

The main issue is that once you log in to App Engine (via the UserService), that a user session has now been created in your App Engine application, and therefore it doesn't really matter what you do in GMail or any other Google application, as the session has already been created, and persists within your application.

The App Engine UserService was available way before secondary logins were even possible, and it hasn't been updated since. So this use case probably wasn't a consideration when the API as developed.

duanqian3953
duanqian3953 我现在正在做的是阻止代码执行多次。 因此,它始终获得主用户(0)。 如果存在不一致,我会杀死cookie并强制重新登录。 当然,oAuth需要更多的工作。
5 年多之前 回复
douqian2334
douqian2334 也许我的问题应该更新为:有没有办法检测当前用户的任何Gmail会话? 超出App Engine的范围(也许使用JS)?
5 年多之前 回复
Csdn user default icon
上传中...
上传图片
插入图片
抄袭、复制答案,以达到刷声望分或其他目的的行为,在CSDN问答是严格禁止的,一经发现立刻封号。是时候展现真正的技术了!
立即提问