如何在Google动作,移动应用,后端服务器和Firebase身份验证之间链接用户帐户?
不确定是否是该问题的正确答案.这不是必须的100%编码问题,但也不是编码问题.无论如何,这里是
Not sure if this is the right place for this question. This is not necessary 100% coding problem but it is not not a coding problem either. Anyway, here is
故事:我想创建一个购物系统.用户可以使用网站或移动应用程序或Google助手来获取产品信息并从该购物系统进行购买.我面临的问题是如何在这3个客户端之间关联用户.更具体地适用于Google助手/操作.
The Story: I want to create a shopping system. The user can use the website or the mobile application or the google assistant to get product information and make purchases from this shopping system. The problem I am facing is how can I associate the user among these 3 clients. More specifically for the google assistant/actions.
我所做的事情:使用 firebase身份验证对用户进行身份验证并将其登录到网站或移动应用程序上.在对用户进行身份验证之后,网站或移动应用可以使用Firebase访问令牌.网站或移动应用可以将Firebase访问令牌发送到后端服务器,后端服务器可以通过 google动作/助手引入游戏.
Things I have done: Using firebase auth for authenticate and login users onto the website or the mobile applications. After the user is authenticated and a firebase access token is available for the website or mobile app to use. The website or the mobile app can send the firebase access token to the backend server, and the backend server can verify this accessToken through firebase admin sdk. Everything is working as expected until I want to introduce the google actions/assistant into play.
对于Google助手/操作:我遵循了此和此,用于将用户登录到Google Actions应用.此时,如果用户使用自己的google帐户登录了google action应用,我就能获得用户的基本个人资料信息.
For google assistant/actions: I followed this and this for logging the user into the google actions app. At this point, I am able to get user basic profile information if the user logged into the google actions app using their google account.
问题:
- 从google操作登录名中获取用户个人资料(例如用户ID,电子邮件等)后,然后我在后端服务器上查询数据库,如果我找到了具有此ID或电子邮件的用户,则此为有效和经过身份验证的用户,我将允许该用户通过Google助手进行购买.这种方法在确定Google动作/助手上的用户时是否安全可靠?
- 假设以上方法是安全可靠的,如果用户帐户是使用其他电子邮件帐户而不是Google帐户创建的,该怎么办?即用户最初在网站或移动应用程序上注册通过Firebase身份验证使用非Google电子邮件或其他Oauth2(fb,twitter等).在这种情况下,我的后端数据库将没有该用户的Google帐户信息,并且如果该用户使用google帐户登录到我的google action应用程序,则我将无法在现有的用户数据库中识别该用户.
- 是否可以通过firebase auth对用户进行身份验证/登录到google action应用,并在google action的
- After I get the user profile such as user id, email, etc, from the google action login, then I query the database on the backend server and if I find a user with this id or email, then this is a valid and authenticated user, and I will allow the user to make purchases through google assistant. Is this approach safe and sound for identifying the user on google actions/assistant?
- Assume the above approach is safe and sound, what can I do if the user account was created using other email account instead of google account? i.e. The user initially registered either on the website or mobile application using a non-google email or other Oauth2(fb, twitter, etc) through the firebase auth. In this case, my backend database won't have google account information for the user, and if the user log onto my google actions app using a google account, I will have no way to identify this user in the existing user database.
- Is there a way to authenticate/login the user onto the google action app through firebase auth and obtain a firebase access token on the google actions' fulfillment backend server? If there is a way to do this, I suppose the previous problem will not exist because I will be able to use this firbase token to verify the user no matter if the user account was created using google account or other email accounts or other Oauth2 providers.
- If all of the above failed, is dumping firebase auth and creating my Oauth 2 service an option and is it going to be the only backup plan available for me?
您的问题的一些答案:
-
如果ID或电子邮件匹配-这是否标识用户?
是的,是的,不是.
如果ID匹配,则表明您已验证登录帐户的Google ID与您记录的Google帐户匹配.伟大的!这是安全的,您可以信任它.
If the IDs match, then you have verified that the Google ID for the account that logged in matches the Google account you have on record. Great! This is secure and you can trust it.
如果电子邮件匹配...好吧……信心要低得多.尽管Google确实进行了选择加入检查,但这似乎仍在冒险.电子邮件地址做随时间而变化.
If the email matches... well... a much lower degree of confidence. While Google does do opt-in checking, this still seems like you're taking a risk. Email addresses do change over time.
如果他们通过其他方式进行了身份验证怎么办?
我是否正确总结了这个问题?
Did I summarize that question correctly?
我想我不确定在任何其他情况下您将如何处理此问题.如果他们使用与网络使用的帐户(而不是电子邮件,帐户)不同的帐户(而不是电子邮件帐户)登录到您的Assistant应用,那么他们希望两者不同吗?
I guess I'm not sure how you would handle this in any other case. If they're logging into your Assistant app using a different account (not email, account) than they used for the web... they want the two to be different?
他们可以使用不同于设置设备所用的Google帐户登录您的操作.有一些流程鼓励他们使用相同的流程,但不必这样做,如果您没有记录默认使用的帐户,则可以退回到其他流程.
And they can log into your Action using a different Google account than the one they used to setup their device. There are flows that encourage them to use the same one, but they don't have to, and you can fall back to those other flows if you don't have an account on record for the one they use by default.
我不能只使用Firebase Auth吗?
嗯...不,是的.
否,没有办法告诉助手向您提供Firebase身份验证令牌,而不是它想要向您提供的令牌.
No, there is no way to just tell the Assistant to hand you a Firebase auth token instead of the token it wants to hand you.
但是,如果您愿意设置自己的OAuth2服务器,则可以 使用Firebase Auth.上面的*问题的链接只是试图解决必须自己设置OAuth2服务器的问题.如果您设置了一个,则可以让他们使用Firebase登录登录,生成令牌并将其存储在他们的Firebase ID中,然后将该令牌发布给Assistant客户端.取回令牌后,您可以轻松地将其与Firebase ID关联起来.
However, you can use Firebase Auth if you're willing to setup your own OAuth2 server. The link to the * question above was just trying to work around having to setup an OAuth2 server yourself. If you set one up you can have them login using Firebase Sign-In, generate the token and store it against their Firebase ID, and issue that token to the Assistant client. When you get that token back, you can easily associate it back to the Firebase ID.
但是,您需要完成这项工作.Firebase和Assistant都不会为您这样做.
BUT You need to do that work. Neither Firebase nor the Assistant will do it for you.
(Fireho和Google Cloud错失良机,恕我直言.但是...)
(A missed opportunity for Firebase and Google Cloud, imho. But...)
您已经看到了有关如何构建最小的OAuth2服务器的页面.
You've already seen the page for how to build a minimal OAuth2 server.
我是否应该转储Firebase Auth?
没有必要.您可以将Firebase Auth与设置自己的OAuth2服务器结合使用.这是一个很好的基础!我个人将Firebase Auth和Firebase登录(以及Firebase托管和Firebase函数)用作我的OAuth2实现的基础.
There is no need to. You can use Firebase Auth in conjunction with setting up your own OAuth2 server. It is a great base for it! I, personally, use Firebase Auth and Firebase Sign-In (and Firebase Hosting and Firebase Functions) as the basis for my OAuth2 implementation.