I'm trying to authenticate a user on Android via Google Sign-in to get the account name, grab the token via GoogleAuthUtil.getToken(getApplicationContext(), app, scopes), and then send the token to my NodeJS back-end server to verify.
I found this great Stack Overflow question on how to decode it, cache the key id (KID) so it's not doing a round trip every time, etc. (I haven't implemented this part yet, but sort of played around with it.) My only question is: what's the difference between the following googleapis certs:
- www.googleapis.com/oauth2/v1/certs
- www.googleapis.com/oauth2/v2/certs
- www.googleapis.com/oauth2/v3/certs
The KIDs on each version are identical, but the content is overtly different. Why? v2 and v3 seem to be almost identical except that v2 has an "==" appended at the end of the value of property 'n'.
Most importantly, which version do I use?
I think these certs are called JSON Web Keys (JWK). I've also read the term 'x5c'. What is that?
PS: The token I'm getting on my NodeJS server from my Android app is:
{
"iss": "accounts.google.com",
"sub": "SOME_LONG_NUMBER_THAT_I_DONT_KNOW_IF_SHOULD_SHOW",
"azp": "SERVER_CLIENT_ID",
"email": "ANDROID_USER_EMAIL",
"email_verified": "true",
"aud": "ANDROID_CLIENT_ID",
"iat": "SOME_NUMBER",
"exp": "SOME_NUMBER",
"alg": "RS256",
"kid": "e53139984bd36d2c230552441608cc0b5179487a"
}
Version 1 appears to be a basic JSON mapping of key ids to certificate strings. I don't have any inside information, but I would speculate that this is a simple "home-grown" format that somebody at Google made up as an easy way to distribute their public keys.
As you have noted, versions 2 and 3 are distributed in the JSON Web Key (JWK) format. This format is defined in a formal specification, RFC 7517, which lays out exactly how to structure a JSON response representing cryptographic keys.
As for the difference between v2 and v3, it looks like v2 included trailing equal signs as padding and in v3 they've simply stripped those off.
In the specification, 'x5c' is defined as an optional parameter for specifying a list of cryptographic certificates that together form a "chain of trust" that would allow a client application to validate the key by verifying each certificate in turn and following the chain back to a known, trusted root certificate.
If possible, I would suggest using the most-current version. But as long as the keys themselves are identical, it probably doesn't matter very much.