Checking callbacks from Android apps

I am following this tutorial to protect my recreation services.

But I have a problem with the "Check token fields" step. First of all, I don't know if my dependencies match:

    <dependency>
        <groupId>com.google.api-client</groupId>
        <artifactId>google-api-client</artifactId>
        <version>1.13.1-beta</version>
    </dependency>
    <dependency>
        <groupId>com.google.http-client</groupId>
        <artifactId>google-http-client-gson</artifactId>
        <version>1.13.1-beta</version>
    </dependency>


Secondly, when I use the Checker class as in the example, Verifier.verify(token) returns false. This is because the GoogleIdTokenVerifier's clientIds Set is empty. I followed the instructions step by step, and I'm completely lost.

Thanks everyone.


EDIT: This is the code I'm currently using and it seems to work:

    import java.io.IOException;
    import java.security.GeneralSecurityException;
    import java.security.PublicKey;
    import java.security.Signature;
    import java.util.Arrays;
    import java.util.List;
    import java.util.concurrent.locks.Lock;
    import java.util.concurrent.locks.ReentrantLock;

    import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
    import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
    import com.google.api.client.http.javanet.NetHttpTransport;
    import com.google.api.client.json.JsonFactory;
    import com.google.api.client.json.gson.GsonFactory;
    import com.google.api.client.json.webtoken.JsonWebSignature;
    import com.google.api.client.util.Clock;

    public class Checker {

        // Client ID of this backend: the "aud" claim of a valid token must equal it.
        private final String mAudience;
        // Guards the cached Google public keys, which are refreshed lazily.
        private final Lock lock = new ReentrantLock();
        private final GoogleIdTokenVerifier mVerifier;
        private final JsonFactory mJFactory;
        private String mProblem = "Verification failed. (Time-out?)";
        // Client IDs of the Android apps that are allowed to call this backend.
        private final List<String> mClientIDs;
        private List<PublicKey> publicKeys;
        private final Clock clock;
        NetHttpTransport transport;
        // Time after which the cached public keys must be reloaded.
        private long expirationTimeMilliseconds;

        public Checker(String[] clientIDs, String audience) {
            mClientIDs = Arrays.asList(clientIDs);
            mAudience = audience;
            transport = new NetHttpTransport();
            mJFactory = new GsonFactory();
            mVerifier = new GoogleIdTokenVerifier(transport, mJFactory);
            clock = Clock.SYSTEM;
        }

        // Returns the token payload when signature, audience and client ID all
        // check out, otherwise null; problem() then describes what went wrong.
        public GoogleIdToken.Payload check(String tokenString) {
            GoogleIdToken.Payload payload = null;

            try {
                GoogleIdToken token = GoogleIdToken.parse(mJFactory, tokenString);
                if (checkSignature(mClientIDs.get(0), token)) {
                    GoogleIdToken.Payload tempPayload = token.getPayload();
                    if (!tempPayload.getAudience().equals(mAudience))
                        mProblem = "Audience mismatch";
                    else if (!mClientIDs.contains(tempPayload.getIssuee()))
                        mProblem = "Client ID mismatch";
                    else
                        payload = tempPayload;
                }
            } catch (GeneralSecurityException e) {
                mProblem = "Security issue: " + e.getLocalizedMessage();
            } catch (IOException e) {
                mProblem = "Network problem: " + e.getLocalizedMessage();
            } catch (Exception e) {
                mProblem = "Problem: " + e.getLocalizedMessage();
            }
            return payload;
        }

        public String problem() {
            return mProblem;
        }

        // Verifies the RS256 signature against Google's current public keys.
        // The clientIds parameter is not used by this method.
        boolean checkSignature(String clientIds, GoogleIdToken idToken)
                throws GeneralSecurityException, IOException {
            JsonWebSignature.Header header = idToken.getHeader();
            String algorithm = header.getAlgorithm();
            if (algorithm.equals("RS256")) {
                lock.lock();
                try {
                    // Reload the keys if none are cached or they expire within 5 minutes.
                    if (publicKeys == null
                            || clock.currentTimeMillis() + 300000 > expirationTimeMilliseconds) {
                        mVerifier.loadPublicCerts();
                        publicKeys = mVerifier.getPublicKeys();
                        expirationTimeMilliseconds = mVerifier
                                .getExpirationTimeMilliseconds();
                    }
                    Signature signer = Signature.getInstance("SHA256withRSA");
                    for (PublicKey publicKey : publicKeys) {
                        signer.initVerify(publicKey);
                        signer.update(idToken.getSignedContentBytes());
                        if (signer.verify(idToken.getSignatureBytes())) {
                            return true;
                        }
                    }
                } finally {
                    lock.unlock();
                }
            }
            return false;
        }
    }



1 answer


Don't know about your dependencies; is it Maven? I'm a Maven moron.

As for your clientIDs, the code assumes that you pass in the list of clientIDs because you want to make sure you know which client you are talking to. If you don't want to do this, I see two obvious options:



  • just remove the clientIds argument to the constructor, the mClientIDs member variable, and the `if (!mClientIDs.contains(...))` check in the `check()` method.

  • change your code to skip validation if mClientIDs is null
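The second option, as an added example that is not part of the question or the answer: the audience and client ID checks from the asker's `check()` method pulled into one helper, where a null allowlist skips only the client ID check and the audience check is always enforced. It assumes the same library version as the question, where the `azp` claim is read with `getIssuee()`, and that `GoogleIdToken.Payload` has the matching `setAudience`/`setIssuee` setters used in `main` (an assumption; the sample values there are constructed, not real client IDs).

```java
import java.util.Arrays;
import java.util.List;

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;

public class PayloadChecks {

    /**
     * Returns null when the payload is acceptable, otherwise a short
     * description of the problem. audience is this backend's own client ID
     * and is always enforced; clientIds is the allowlist of Android app
     * client IDs that may call the backend, and passing null skips that check.
     */
    public static String validate(GoogleIdToken.Payload payload,
                                  String audience, List<String> clientIds) {
        // The "aud" claim must name this backend, otherwise a token that Google
        // issued for some other service would be accepted here.
        if (!audience.equals(payload.getAudience())) {
            return "Audience mismatch";
        }
        // The "azp" claim (getIssuee() in this library version) names the app
        // that obtained the token; it is only enforced when an allowlist is given.
        if (clientIds != null && !clientIds.contains(payload.getIssuee())) {
            return "Client ID mismatch";
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real client IDs.
        GoogleIdToken.Payload p = new GoogleIdToken.Payload();
        p.setAudience("backend-client-id.example");
        p.setIssuee("android-client-id.example");

        String backend = "backend-client-id.example";
        System.out.println(validate(p, backend, null));
        System.out.println(validate(p, backend,
                Arrays.asList("android-client-id.example")));
        System.out.println(validate(p, backend,
                Arrays.asList("other-client-id.example")));
        System.out.println(validate(p, "other-backend.example", null));
    }
}
```

Dropping the client ID check only widens which of your own app clients may call the backend; the audience check is what stops tokens issued for other services from being accepted, so keep it in both options.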

