前言
由于最近公司的项目要在海外运行,因此需要对接海外的登录,目前就是谷歌和facebook两种,后面支付也是需要的,后续再进行书写
谷歌登录
这个相对比较容易,而且只提供给安卓即可,废话就不多说了,直接贴解决方案
引入maven依赖
<dependency>
<groupId>com.google.api-client</groupId>
<artifactId>google-api-client</artifactId>
<version>1.35.2</version>
</dependency>
<dependency>
<groupId>com.google.api-client</groupId>
<artifactId>google-api-client-android</artifactId>
<version>1.35.2</version>
</dependency>
<dependency>
<groupId>com.google.oauth-client</groupId>
<artifactId>google-oauth-client-java6</artifactId>
<version>1.33.0</version>
</dependency>
<dependency>
<groupId>com.google.oauth-client</groupId>
<artifactId>google-oauth-client-jetty</artifactId>
<version>1.33.0</version>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>com.google.apis</groupId>
<artifactId>google-api-services-oauth2</artifactId>
<version>v2-rev20200213-2.0.0</version>
</dependency>
工具类
@Slf4j
public class IdTokenVerifier {
//安卓信息
private static final String CLIENT_ID = Constants.GOOGLE_APPLE_ID; // 替换为你的 Android 客户端 ID
public static GoogleIdToken.Payload verifyToken(String idTokenString) throws GeneralSecurityException, IOException {
NetHttpTransport transport = new NetHttpTransport();
GsonFactory jsonFactory = new GsonFactory();
GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(transport, jsonFactory)
.setAudience(Collections.singletonList(CLIENT_ID))
.build();
GoogleIdToken idToken = verifier.verify(idTokenString);
if (idToken != null) {
log.info("verifyToken-返回的数据为{}", JsonUtils.Object2Json(idToken));
return idToken.getPayload();
} else {
// 无效的 ID token
log.info("verifyToken-返回的数据为null");
return null;
}
}
public static boolean checkNonce(String nonce, GoogleIdToken.Payload payload) {
if(payload == null) {
return false;
}
Object object = payload.get("nonce");
if(object == null) {
return false;
}
String requestNonce = (String) object;
boolean equals = Objects.equals(nonce, requestNonce);
log.info("checkNonce-检验结果为{}", equals);
return equals;
}
public static void main(String[] args) throws GeneralSecurityException, IOException {
// 示例用法:
String receivedIdToken = "eyJfN5g"; // 替换为实际接收到的 idToken
GoogleIdToken.Payload payload = verifyToken(receivedIdToken);
// GoogleIdToken.Payload payload = (GoogleIdToken.Payload) JsonUtils.string2Object(payloadString, GoogleIdToken.Payload.class);
System.out.println(JsonUtils.Object2Json(payload));
if (payload != null) {
String userId = payload.getSubject();
String email = payload.getEmail();
boolean emailVerified = Boolean.valueOf(payload.getEmailVerified());
String name = (String) payload.get("name");
String pictureUrl = (String) payload.get("picture");
String givenName = (String) payload.get("given_name");
String familyName = (String) payload.get("family_name");
String locale = (String) payload.get("locale");
System.out.println("User ID: " + userId);
System.out.println("Email: " + email);
System.out.println("Email Verified: " + emailVerified);
System.out.println("Name: " + name);
System.out.println("Picture URL: " + pictureUrl);
System.out.println("Given Name: " + givenName);
System.out.println("Family Name: " + familyName);
System.out.println("Locale: " + locale);
} else {
System.out.println("Invalid ID token.");
}
}只需要替换CLIENT_ID 为安卓的id,token也是安卓传给你的,就可以了,是不是很简单?
FaceBook登录
这个其实也不复杂,主要是IOS有两种情况,老版本的方式跟安卓的方式是一样的,下面先说老的方式
IOS旧版/安卓
参考文章: 第三方登录(Facebook) java验证-CSDN博客 可行,但是有乱码问题,而且要自己写,麻烦点,没使用
我用的是工具包,也不复杂, 还是直接说做法
引入maven依赖
<dependency>
<groupId>com.restfb</groupId>
<artifactId>restfb</artifactId>
<version>2024.11.0</version>
</dependency>
工具类
public static void main(String[] args) throws Exception{
token = "EAAVMz9Vc1BgBO8iE8yMgNza4ZCdnBDqZCMJRoGHJaykZAOIwLetZAluFdUEng31WUexZA16LpXQ2YWEYY2dj6TTPnv7Cq8DjXKANAZAy1WCpntLeykZCqnSy0Cy7S4ZCASVZA1cAVIlaGtw7mhV0NCvi0pKiTlej4C9fYbZA0yAlZBee999ZCZBa2Uf5dB12ZAG2jcKfmJg6gZDZD";
// checkLoginWithToken(token);
DefaultFacebookClient defaultFacebookClient = new DefaultFacebookClient(token, Version.VERSION_11_0);
User re = defaultFacebookClient.fetchObject("me.permissions ", User.class, Parameter.with("fields", Parameter.with("fields", "id,cover,email,gender")));
System.out.println(re.getName());
System.out.println(re.getEmail());
System.out.println(re.getFirstName());
System.out.println(re.getBirthday());
}注: 其实就是两句话,底层都封装好了,
Parameter.with("fields", "id,cover,email,gender") 这个要输入一些,需要哪些就指定哪些
IOS新版
已经找到方案了,验证JWT的信息,还是直接说步骤
引入maven依赖
<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
<version>3.10.3</version>
</dependency>
<dependency>
<groupId>com.auth0</groupId>
<artifactId>jwks-rsa</artifactId>
<version>0.22.1</version>
</dependency>
工具类
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.UrlJwkProvider;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.JWTVerifier;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import java.security.interfaces.RSAPublicKey;
public class FacebookTokenValidator {
private static final String FACEBOOK_APP_ID = "your-facebook-app-id"; // 替换为你的 App ID
private static final String FACEBOOK_APP_SECRET = "your-facebook-app-secret"; // 替换为你的 App Secret
private static final String JWKS_URL = "https://www.facebook.com/.well-known/oauth/openid/jwks";
private static final String ISSUER = "https://www.facebook.com";
private static final String GRAPH_API_URL = "https://graph.facebook.com";
// 区分并验证 token
public static FacebookUser validateToken(String token) throws Exception {
// 步骤 1:检查 token 是否包含 .,初步判断是否为 JWT
if (token.contains(".")) {
try {
// 尝试作为 Limited Login token 验证
return validateLimitedLoginToken(token);
} catch (JWTDecodeException | JWTVerificationException e) {
// JWT 解析或验证失败,尝试作为 Classic Login token
return validateClassicLoginToken(token);
}
} else {
// 无 .,直接作为 Classic Login token 验证
return validateClassicLoginToken(token);
}
}
// 验证 Limited Login token (JWT)
private static FacebookUser validateLimitedLoginToken(String token) throws Exception {
try {
// JwkProvider provider = new UrlJwkProvider(JWKS_URL); 这种有问题,点进去看源码就知道了
JwkProvider provider = new UrlJwkProvider(new URL(JWKS_URL)); //这样就正常了
DecodedJWT jwt = JWT.decode(token);
Jwk jwk = provider.get(jwt.getKeyId());
RSAPublicKey publicKey = (RSAPublicKey) jwk.getPublicKey();
Algorithm algorithm = Algorithm.RSA256(publicKey, null);
JWTVerifier verifier = JWT.require(algorithm)
.withIssuer(ISSUER)
.withAudience(FACEBOOK_APP_ID)
.build();
DecodedJWT verifiedJwt = verifier.verify(token);
String userId = verifiedJwt.getSubject();
String userName = verifiedJwt.getClaim("name").asString();
return new FacebookUser(userId, userName, "Limited Login");
} catch (Exception e) {
throw new Exception("Limited Login token 验证失败: " + e.getMessage());
}
}
// 验证 Classic Login token (Access Token)
private static FacebookUser validateClassicLoginToken(String token) throws Exception {
OkHttpClient client = new OkHttpClient();
// 使用 /debug_token 端点验证 token
String url = String.format("%s/debug_token?input_token=%s&access_token=%s|%s",
GRAPH_API_URL, token, FACEBOOK_APP_ID, FACEBOOK_APP_SECRET);
Request request = new Request.Builder().url(url).build();
try (Response response = client.newCall(request).execute()) {
if (!response.isSuccessful()) {
throw new Exception("Classic Login token 验证失败: " + response.message());
}
String json = response.body().string();
ObjectMapper mapper = new ObjectMapper();
JsonNode root = mapper.readTree(json);
JsonNode data = root.path("data");
if (!data.path("is_valid").asBoolean()) {
throw new Exception("Classic Login token 无效: " + data.path("error").path("message").asText());
}
String userId = data.path("user_id").asText();
// 获取用户名(需要额外调用 /me 端点)
String userName = getUserNameFromGraphAPI(token);
return new FacebookUser(userId, userName, "Classic Login");
}
}
// 通过 Graph API 获取用户名
private static String getUserNameFromGraphAPI(String token) throws Exception {
OkHttpClient client = new OkHttpClient();
String url = String.format("%s/me?fields=name&access_token=%s", GRAPH_API_URL, token);
Request request = new Request.Builder().url(url).build();
try (Response response = client.newCall(request).execute()) {
if (!response.isSuccessful()) {
throw new Exception("获取用户名失败: " + response.message());
}
String json = response.body().string();
ObjectMapper mapper = new ObjectMapper();
JsonNode root = mapper.readTree(json);
return root.path("name").asText();
}
}
// 用户信息类
public static class FacebookUser {
private final String userId;
private final String userName;
private final String loginType;
public FacebookUser(String userId, String userName, String loginType) {
this.userId = userId;
this.userName = userName;
this.loginType = loginType;
}
public String getUserId() {
return userId;
}
public String getUserName() {
return userName;
}
public String getLoginType() {
return loginType;
}
@Override
public String toString() {
return "FacebookUser{userId='" + userId + "', userName='" + userName + "', loginType='" + loginType + "'}";
}
}
// 测试代码
public static void main(String[] args) {
// 替换为实际的 token
String token = "your-token-here"; // 例如:JWT 或 Access Token
try {
FacebookUser user = validateToken(token);
System.out.println("验证成功: " + user);
} catch (Exception e) {
System.err.println("验证失败: " + e.getMessage());
}
}
}
其中validateClassicLoginToken方法是旧版的,忽略即可,或者自行改为上面的,也可以用他的,我自己后面是改了上面的,还是用工具类好
苹果登录
似乎跟IOS新版的校验是差不多的,晚点对接完再回来写
一些见解
上面的DefaultFacebookClient这个类理论上应该是线程安全的,因为里面涉及到请求时底层其实每发一个http请求都会创建一个新的HttpURLConnection,具体可以看以下方法,进去就看到了 com.restfb.DefaultWebRequestor#execute
部分问题解决
token重放攻击
像谷歌和facebook去调用接口获取时都能获取一个nonce,然后前端也会把这个nonce传输过来,所以可以更为安全,有两个层级
1. 后端单纯对比即可,简单
2. 用完一次以后就把nonce存到redis中一天,然后使用过一次就不能再用了,这样的好处是完全杜绝了可能发生的安全问题
我自己采用的就是第二种,也建议大家采用第二种,只是这样在测试环境一个token就只能用来调试一次了
乱码解决
这是无意中发现的,之前的说不建议的地方产生了乱码,如下
String userRet = HttpUtil.get(userUrl); 直接请求返回的是乱码,也设置了编码UTF8还是不行
但是我没想到的是这个居然能解决乱码
ObjectMapper mapper = new ObjectMapper();
JsonNode root = mapper.readTree(userRet);
从root.path("name") //这样的形式获取数据