javascript - How to verify Google's auth gapi.auth.signIn response? -

-

i have database users , want let user connect website account google account. want able let user log in google account , maybe later able interact google+ account etc.

user logged in on website , initiates process click on button following:

// user initiates process $('#google-connect').on(function() {     gapi.auth.signin({         'callback': function(data) {         if(data['status']['signed_in'])             console.log("signed in", data, gapi.auth.gettoken());              // additional user's data             gapi.client.load('oauth2', 'v2', function() {                 gapi.client.oauth2.userinfo.get().execute(function(resp) {                     console.log("oauth", resp);                      data.userid = resp.id;                      // tell server add google account user's account                     $.post('/add/google', data, function(data) {                         console.log("connected", "data");                     });                 });             });         },         'clientid': google_client_id,         'cookiepolicy': 'single_host_origin',         'requestvisibleactions': 'http://schemas.google.com/addactivity',         'approvalprompt':'force',         'scope': 'https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/userinfo.email'         //'scope': 'https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/plus.me'     });     return false; }); // load libs (function() {     var po = document.createelement('script');     po.type = 'text/javascript'; po.async = true;     po.src = 'https://apis.google.com/js/client:plusone.js';     var s = document.getelementsbytagname('script')[0];     s.parentnode.insertbefore(po, s); })();

it basicly works without problem not sure secure , how verify answers form google server. example, facebook login returns "signedrequest" , able run verification hash_hmac (php) verify response.

google answers on gapi.auth.signin() request:

access_token: "ya29.kgdigdmeepoefxoaaad2dv1eldwt_zccr-odnr_lbkwbam7bowz0pplz33hg3a" authuser: "0" client_id: "...." code: "4/iqlg-akrpp_bgwggx2b_raqtsj29.auyfpmgozmatol05ti8zt3bxu6v2jai" cookie_policy: "single_host_origin" expires_at: "1402232030" expires_in: "3600" g-oauth-window: window g_user_cookie_policy: "single_host_origin" id_token: "eyjhbgcioijsuzi1niisimtpzci6ijgxndbjnwyxyzlkmgm3mzhjmwi2mzi4nti4zjdhyjfmnjcyzjviytaifq.eyjpc3mioijhy2nvdw50cy5nb29nbguuy29tiiwic3viijoimtexntq2ntqxnjexmzkyotazmtyziiwiyxpwijoiotmynjixndu0ntuxlthrnw8yoxy0djeyzmn2cg1tnwfqyxzsbw9ic2x1nzqwlmfwchmuz29vz2xldxnlcmnvbnrlbnquy29tiiwizw1hawwioijtaxj6ys5jd0bnbwfpbc5jb20ilcjhdf9oyxnoijoitunervjkzjjpauo0euz4zhu1rudpusisimvtywlsx3zlcmlmawvkijp0cnvllcjhdwqioii5mzi2mje0ntq1ntetogs1bzi5djr2mtjmy3zwbw01ywphdmxtb2jzbhu3ndauyxbwcy5nb29nbgv1c2vyy29udgvudc5jb20ilcjjx2hhc2gioijxmxy4uuhkundlm3fqbghmze1xy1z3iiwiawf0ijoxndaymji4mtmwlcjlehaioje0mdiymziwmzb9.fil-uv6ofdeirro_vhfr5ovonzvifa2dvnedyaff_eo3hodomd2weld5uojxxtlcnhtxyxg-zinyb9wdn1aqazpytsgg3q-pn7oxcmuecyx5uj7aga0xgjah6j57xbtx_bvdeiq1xltpsmq9j2hz1jgikv-1qpedng7brvgurgq" issued_at: "1402228430" num_sessions: "1" prompt: "consent" response_type: "code token id_token gsession" scope: "https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/plus.moments.write https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/plus.profile.agerange.read https://www.googleapis.com/auth/plus.profile.language.read https://www.googleapis.com/auth/plus.circles.members.read https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/plus.profile.emails.read" session_state: "14f90adcf0c130936b1545ec15dbd8fe1515b4dc..0c9b" state: "" status: object token_type: "bearer"

i did not find information how verify response. there no signature or else except "id_token" kind of signature.

is there way verify google's answer sure information correct, there no mitm? or worrying much?

yes, there :

have read id token verification(php lib) ?

i guess, same in javascript using : 

$.get("https://www.googleapis.com/oauth2/v1/tokeninfo",{     "id_token" : authresult["id_token"]},function(data){     //handle data... });

Comments

Post a Comment

Popular posts from this blog

database - VFP Grid + SQL server 2008 - grid not showing correctly -

-
i having problem, have grid called "gridbasica" , this: thisform.gridbase.recordsource = "sgviemp" sgviemp cursor made executing select sqlserver command sqlexec. when want modify registry, go form , the update there. so, when come form grid, grid isnt grid anymore, big white rectangle. reading around said: delete recordsource , asingt again. thisform.gridbase.recordsource = "" *--i sqlexe here thisform.gridbase.recordsource = "sgviemp" i , works, but, when click button modify again cursos updated modify form doesnt load fields did first time. could me out that? thanks in advance. --------------- edit ------------------ i have been doing recommended: lnselect = select(0) n = sqlexec(thisform.conexion,"select emp_ccodigo codigo, emp_cnombre 'nombre o razon social', emp_cnumrif 'r.i.f' sgviempr","sgviemp1") set echo on suspend select sgviemp zap in sgviemp *-- browse *--zaps correct
Read more

jquery - Set jPicker field to empty value -

-
im using jpicker color selector in form. have clear value set window/icon 'no color selected' state. i've tried following: $(':input[name="color"]').val(''); //access value directly. (does not affect jpicker) 2: $.jpicker.list[0].color.active.val('hex', '', this); //set color black , input value 000000, instead of empty string 3: $.jpicker.list[0].color.active.val(null, '', this); //does nothing none of 3 methods seems behave properly. in advance. this works me :) $.jpicker.list[0].color.active.val('v', null); here example: http://jsfiddle.net/3up7n/
Read more

.htaccess - htaccess convert request to clean url and add slash at the end of the url -

-
ok , searched more 4 days , more 20 posts here in stach or in websites without kind of success first here htaccess file rewriteengine on rewriterule ^([a-za-z0-9_]+)/?$ index.php?page=$1 [nc] rewriterule ^([a-za-z0-9_]+)\/([a-za-z0-9_]+)\/?$ index.php?page=$1&action=$2 [nc] i tried many codes 1 worked me can call request , works me www.example.com/pagename => www.example.com/index.php?page=pagename here questions , please provide me information "in detail" understand code well 1- how convert request automatically www.example.com/index.php?page=pagename www.example.com/pagename 2- if tried add slash @ end shows me page without images or styling mean www.example.com/pagename => works www.example.com/pagename/ => doesn't work that's :) for first part need 301 rule this: rewritecond %{the_request} /index\.php\?page=([^\s&]+) [nc] rewriterule ^ /%1? [r=301,l] for second part use absolute path in css, js, images files r
Read more