我们正尝试从OpenID 2.0迁移到OAuth 2.0登录(OpenID Connect)
我们正在进行google docs OpenID 2.0 (Migration)
我们遇到的问题是ID令牌请求中的 openid_id 是 not returned .
首次认证请求:
https://accounts.google.com/o/oauth2/auth?client_id=xxxxxxxxxxxxxxx.apps.googleusercontent.com&response_type=code&scope=openid+email&redirect_uri=http://domain.local/customer/auth-callback&openid.realm=http://domain.local/customer&state=secrettoken
当用户被重定向回来时,我们得到以下参数:
'state' => 'secrettoken',
'code' => 'codeforexchange',
'authuser' => '0',
'num_sessions' => '1',
'session_state' => 'absasd951d57fcc1148f59b6b455ec86045a731c..1de3',
'prompt' => 'none',
然后我们在 https://accounts.google.com/o/oauth2/token 上交换一个令牌,我们收到以下信息:
'access_token' => 'accesstoken',
'token_type' => 'Bearer',
'expires_in' => 3594,
'id_token' => 'idtoken'
当我们尝试解析 https://www.googleapis.com/oauth2/v1/tokeninfo 上的令牌信息时, openid_id 或者总和不存在docs - Step 3: Map OpenID 2.0 identifiers to OpenID Connect identifiers中所述
响应只是(ID令牌):
"issuer": "accounts.google.com",
"issued_to": "xxxxxxxxx-xxxxxxx.apps.googleusercontent.com",
"audience": "xxxxxxxxx-xxxxxxx.apps.googleusercontent.com",
"user_id": "user_id",
"expires_in": 3594,
"issued_at": 1404741485,
"email": "someone@google.com",
"email_verified": true
谁知道为什么?
注意:此“domain.local”之前用于通过OpenId 2.0登录,因此我希望应返回openid_id(以便能够将用户标识符从openid 2.0迁移到OpenidConnect)
有些类似的问题遗憾地解决了我的问题 .
2 回答
获得id_token后,你必须解码它才能找到openid_id . https://www.googleapis.com/oauth2/v1/tokeninfo不会返回openid_id以响应openid_id是否包含在编码的请求数据中 . 要验证,您可以在此处解码您的id_token; https://developers.google.com/wallet/digital/docs/jwtdecoder
According to this子包含在ID令牌中 . 我假设openid_id也在那里 .