javascript - How to verify Google's auth gapi.auth.signIn response? -

-

i have database users , want let user connect website account google account. want able let user log in google account , maybe later able interact google+ account etc.

user logged in on website , initiates process click on button following:

// user initiates process $('#google-connect').on(function() {     gapi.auth.signin({         'callback': function(data) {         if(data['status']['signed_in'])             console.log("signed in", data, gapi.auth.gettoken());              // additional user's data             gapi.client.load('oauth2', 'v2', function() {                 gapi.client.oauth2.userinfo.get().execute(function(resp) {                     console.log("oauth", resp);                      data.userid = resp.id;                      // tell server add google account user's account                     $.post('/add/google', data, function(data) {                         console.log("connected", "data");                     });                 });             });         },         'clientid': google_client_id,         'cookiepolicy': 'single_host_origin',         'requestvisibleactions': 'http://schemas.google.com/addactivity',         'approvalprompt':'force',         'scope': 'https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/userinfo.email'         //'scope': 'https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/plus.me'     });     return false; }); // load libs (function() {     var po = document.createelement('script');     po.type = 'text/javascript'; po.async = true;     po.src = 'https://apis.google.com/js/client:plusone.js';     var s = document.getelementsbytagname('script')[0];     s.parentnode.insertbefore(po, s); })();

it basicly works without problem not sure secure , how verify answers form google server. example, facebook login returns "signedrequest" , able run verification hash_hmac (php) verify response.

google answers on gapi.auth.signin() request:

access_token: "ya29.kgdigdmeepoefxoaaad2dv1eldwt_zccr-odnr_lbkwbam7bowz0pplz33hg3a" authuser: "0" client_id: "...." code: "4/iqlg-akrpp_bgwggx2b_raqtsj29.auyfpmgozmatol05ti8zt3bxu6v2jai" cookie_policy: "single_host_origin" expires_at: "1402232030" expires_in: "3600" g-oauth-window: window g_user_cookie_policy: "single_host_origin" id_token: "eyjhbgcioijsuzi1niisimtpzci6ijgxndbjnwyxyzlkmgm3mzhjmwi2mzi4nti4zjdhyjfmnjcyzjviytaifq.eyjpc3mioijhy2nvdw50cy5nb29nbguuy29tiiwic3viijoimtexntq2ntqxnjexmzkyotazmtyziiwiyxpwijoiotmynjixndu0ntuxlthrnw8yoxy0djeyzmn2cg1tnwfqyxzsbw9ic2x1nzqwlmfwchmuz29vz2xldxnlcmnvbnrlbnquy29tiiwizw1hawwioijtaxj6ys5jd0bnbwfpbc5jb20ilcjhdf9oyxnoijoitunervjkzjjpauo0euz4zhu1rudpusisimvtywlsx3zlcmlmawvkijp0cnvllcjhdwqioii5mzi2mje0ntq1ntetogs1bzi5djr2mtjmy3zwbw01ywphdmxtb2jzbhu3ndauyxbwcy5nb29nbgv1c2vyy29udgvudc5jb20ilcjjx2hhc2gioijxmxy4uuhkundlm3fqbghmze1xy1z3iiwiawf0ijoxndaymji4mtmwlcjlehaioje0mdiymziwmzb9.fil-uv6ofdeirro_vhfr5ovonzvifa2dvnedyaff_eo3hodomd2weld5uojxxtlcnhtxyxg-zinyb9wdn1aqazpytsgg3q-pn7oxcmuecyx5uj7aga0xgjah6j57xbtx_bvdeiq1xltpsmq9j2hz1jgikv-1qpedng7brvgurgq" issued_at: "1402228430" num_sessions: "1" prompt: "consent" response_type: "code token id_token gsession" scope: "https://www.googleapis.com/auth/plus.login https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/plus.moments.write https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/plus.profile.agerange.read https://www.googleapis.com/auth/plus.profile.language.read https://www.googleapis.com/auth/plus.circles.members.read https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/plus.profile.emails.read" session_state: "14f90adcf0c130936b1545ec15dbd8fe1515b4dc..0c9b" state: "" status: object token_type: "bearer"

i did not find information how verify response. there no signature or else except "id_token" kind of signature.

is there way verify google's answer sure information correct, there no mitm? or worrying much?

yes, there :

have read id token verification(php lib) ?

i guess, same in javascript using : 

$.get("https://www.googleapis.com/oauth2/v1/tokeninfo",{     "id_token" : authresult["id_token"]},function(data){     //handle data... });

Comments

Post a Comment

Popular posts from this blog

C# random value from dictionary and tuple -

-
i have following code, , need random item contains string "region_1" dictionary. public static dictionary<int, tuple<string, int, currencytype>> itemarray = new dictionary<int, tuple<string, int, currencytype>>() { { 0xb3e, new tuple<string, int, currencytype>("region_1", 1500, currencytype.fame) } }; public static int generateitemid(string shopid) { var generateditem = itemarray.elementat(new random().next(0, itemarray.count)).key; } how select this? it's not possible efficiently... first create static random @ class level... prevent non-random behaviour if run query on short period of time... (it's seeded discrete clock) static random rnd = new random(); then: var item = itemarray.values .where(t => t.item1 == shopid) .orderby(_ => rnd.next()) .firstordefault()
Read more

cgi - How do I interpret URLs without extension as files rather than missing directories in nginx? -

-
so i'm trying install zoneminder , have run under nginx, has few compiled files need run using fast-cgi. these files lack extension. if file has extension, there no issue , nginx interprets file , return 404 if can't find it. if has no extension, assume it's directory , return 404 when can't find sort of index page. here have now: # security camera domain. server { listen 888; server_name mydomain.com; root /srv/http/zm; # enable php support. include php.conf; location / { index index.html index.htm index.php; } # enable cgi support. location ~ ^/cgi-bin/(.+)$ { alias /srv/cgi-bin/zm/; fastcgi_pass unix:/run/fcgiwrap.sock; fastcgi_param script_filename $document_root/$1; include fastcgi.conf; } } the idea is, under cgi-bin directory goes through fastcgi pipe. any idea on howi can fix this? upon closer inspection, realized zoneminder has 2 cgi sc...
Read more

.htaccess - htaccess convert request to clean url and add slash at the end of the url -

-
ok , searched more 4 days , more 20 posts here in stach or in websites without kind of success first here htaccess file rewriteengine on rewriterule ^([a-za-z0-9_]+)/?$ index.php?page=$1 [nc] rewriterule ^([a-za-z0-9_]+)\/([a-za-z0-9_]+)\/?$ index.php?page=$1&action=$2 [nc] i tried many codes 1 worked me can call request , works me www.example.com/pagename => www.example.com/index.php?page=pagename here questions , please provide me information "in detail" understand code well 1- how convert request automatically www.example.com/index.php?page=pagename www.example.com/pagename 2- if tried add slash @ end shows me page without images or styling mean www.example.com/pagename => works www.example.com/pagename/ => doesn't work that's :) for first part need 301 rule this: rewritecond %{the_request} /index\.php\?page=([^\s&]+) [nc] rewriterule ^ /%1? [r=301,l] for second part use absolute path in css, js, images files r...
Read more