java后端-海外登录(谷歌/FaceBook/苹果)

前言

        由于最近公司的项目要在海外运行,因此需要对接海外的登录,目前就是谷歌和facebook两种,后面支付也是需要的,后续再进行书写

谷歌登录

        这个相对比较容易,而且只提供给安卓即可,废话就不多说了,直接贴解决方案

引入maven依赖

<dependency>
    <groupId>com.google.api-client</groupId>
    <artifactId>google-api-client</artifactId>
    <version>1.35.2</version>
</dependency>
<dependency>
    <groupId>com.google.api-client</groupId>
    <artifactId>google-api-client-android</artifactId>
    <version>1.35.2</version>
</dependency>
<dependency>
    <groupId>com.google.oauth-client</groupId>
    <artifactId>google-oauth-client-java6</artifactId>
    <version>1.33.0</version>
</dependency>
<dependency>
    <groupId>com.google.oauth-client</groupId>
    <artifactId>google-oauth-client-jetty</artifactId>
    <version>1.33.0</version>
    <scope>runtime</scope>
</dependency>
<dependency>
    <groupId>com.google.apis</groupId>
    <artifactId>google-api-services-oauth2</artifactId>
    <version>v2-rev20200213-2.0.0</version>
</dependency>

工具类

@Slf4j
public class IdTokenVerifier {//安卓信息private static final String CLIENT_ID = Constants.GOOGLE_APPLE_ID; // 替换为你的 Android 客户端 IDpublic static GoogleIdToken.Payload verifyToken(String idTokenString) throws GeneralSecurityException, IOException {NetHttpTransport transport = new NetHttpTransport();GsonFactory jsonFactory = new GsonFactory();GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(transport, jsonFactory).setAudience(Collections.singletonList(CLIENT_ID)).build();GoogleIdToken idToken = verifier.verify(idTokenString);if (idToken != null) {log.info("verifyToken-返回的数据为{}", JsonUtils.Object2Json(idToken));return idToken.getPayload();} else {// 无效的 ID tokenlog.info("verifyToken-返回的数据为null");return null;}}public static boolean checkNonce(String nonce, GoogleIdToken.Payload payload) {if(payload == null) {return false;}Object object = payload.get("nonce");if(object == null) {return false;}String requestNonce = (String) object;boolean equals = Objects.equals(nonce, requestNonce);log.info("checkNonce-检验结果为{}", equals);return equals;}public static void main(String[] args) throws GeneralSecurityException, IOException {// 示例用法：String receivedIdToken = "eyJfN5g"; // 替换为实际接收到的 idTokenGoogleIdToken.Payload payload = verifyToken(receivedIdToken);
//        GoogleIdToken.Payload payload = (GoogleIdToken.Payload) JsonUtils.string2Object(payloadString, GoogleIdToken.Payload.class);System.out.println(JsonUtils.Object2Json(payload));if (payload != null) {String userId = payload.getSubject();String email = payload.getEmail();boolean emailVerified = Boolean.valueOf(payload.getEmailVerified());String name = (String) payload.get("name");String pictureUrl = (String) payload.get("picture");String givenName = (String) payload.get("given_name");String familyName = (String) payload.get("family_name");String locale = (String) payload.get("locale");System.out.println("User ID: " + userId);System.out.println("Email: " + email);System.out.println("Email Verified: " + emailVerified);System.out.println("Name: " + name);System.out.println("Picture URL: " + pictureUrl);System.out.println("Given Name: " + givenName);System.out.println("Family Name: " + familyName);System.out.println("Locale: " + locale);} else {System.out.println("Invalid ID token.");}}

只需要替换CLIENT_ID 为安卓的id,token也是安卓传给你的,就可以了,是不是很简单?

FaceBook登录

        这个其实也不复杂,主要是IOS有两种情况,老版本的方式跟安卓的方式是一样的,下面先说老的方式

IOS旧版/安卓

参考文章:   第三方登录（Facebook） java验证-CSDN博客   可行,但是有乱码问题,而且要自己写,麻烦点,没使用

我用的是工具包,也不复杂, 还是直接说做法

引入maven依赖

<dependency>
        <groupId>com.restfb</groupId>
        <artifactId>restfb</artifactId>
        <version>2024.11.0</version>
</dependency>

工具类

 public static void main(String[] args) throws Exception{token = "EAAVMz9Vc1BgBO8iE8yMgNza4ZCdnBDqZCMJRoGHJaykZAOIwLetZAluFdUEng31WUexZA16LpXQ2YWEYY2dj6TTPnv7Cq8DjXKANAZAy1WCpntLeykZCqnSy0Cy7S4ZCASVZA1cAVIlaGtw7mhV0NCvi0pKiTlej4C9fYbZA0yAlZBee999ZCZBa2Uf5dB12ZAG2jcKfmJg6gZDZD";
//                checkLoginWithToken(token);DefaultFacebookClient defaultFacebookClient = new DefaultFacebookClient(token, Version.VERSION_11_0);User re = defaultFacebookClient.fetchObject("me.permissions ", User.class, Parameter.with("fields", Parameter.with("fields", "id,cover,email,gender")));System.out.println(re.getName());System.out.println(re.getEmail());System.out.println(re.getFirstName());System.out.println(re.getBirthday());}

注: 其实就是两句话,底层都封装好了,

Parameter.with("fields", "id,cover,email,gender") 这个要输入一些，需要哪些就指定哪些

IOS新版

已经找到方案了，验证JWT的信息，还是直接说步骤

引入maven依赖

<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
<version>3.10.3</version>
</dependency>

<dependency>
<groupId>com.auth0</groupId>
<artifactId>jwks-rsa</artifactId>
<version>0.22.1</version>
</dependency>

工具类

import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.UrlJwkProvider;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.JWTVerifier;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;import java.security.interfaces.RSAPublicKey;public class FacebookTokenValidator {private static final String FACEBOOK_APP_ID = "your-facebook-app-id"; // 替换为你的 App IDprivate static final String FACEBOOK_APP_SECRET = "your-facebook-app-secret"; // 替换为你的 App Secretprivate static final String JWKS_URL = "https://www.facebook.com/.well-known/oauth/openid/jwks";private static final String ISSUER = "https://www.facebook.com";private static final String GRAPH_API_URL = "https://graph.facebook.com";// 区分并验证 tokenpublic static FacebookUser validateToken(String token) throws Exception {// 步骤 1：检查 token 是否包含 .，初步判断是否为 JWTif (token.contains(".")) {try {// 尝试作为 Limited Login token 验证return validateLimitedLoginToken(token);} catch (JWTDecodeException | JWTVerificationException e) {// JWT 解析或验证失败，尝试作为 Classic Login tokenreturn validateClassicLoginToken(token);}} else {// 无 .，直接作为 Classic Login token 验证return validateClassicLoginToken(token);}}// 验证 Limited Login token (JWT)private static FacebookUser validateLimitedLoginToken(String token) throws Exception {try {// JwkProvider provider = new UrlJwkProvider(JWKS_URL); 这种有问题，点进去看源码就知道了JwkProvider provider = new UrlJwkProvider(new URL(JWKS_URL)); //这样就正常了DecodedJWT jwt = JWT.decode(token);Jwk jwk = provider.get(jwt.getKeyId());RSAPublicKey publicKey = (RSAPublicKey) jwk.getPublicKey();Algorithm algorithm = Algorithm.RSA256(publicKey, null);JWTVerifier verifier = JWT.require(algorithm).withIssuer(ISSUER).withAudience(FACEBOOK_APP_ID).build();DecodedJWT verifiedJwt = verifier.verify(token);String userId = verifiedJwt.getSubject();String userName = verifiedJwt.getClaim("name").asString();return new FacebookUser(userId, userName, "Limited Login");} catch (Exception e) {throw new Exception("Limited Login token 验证失败: " + e.getMessage());}}// 验证 Classic Login token (Access Token)private static FacebookUser validateClassicLoginToken(String token) throws Exception {OkHttpClient client = new OkHttpClient();// 使用 /debug_token 端点验证 tokenString url = String.format("%s/debug_token?input_token=%s&access_token=%s|%s",GRAPH_API_URL, token, FACEBOOK_APP_ID, FACEBOOK_APP_SECRET);Request request = new Request.Builder().url(url).build();try (Response response = client.newCall(request).execute()) {if (!response.isSuccessful()) {throw new Exception("Classic Login token 验证失败: " + response.message());}String json = response.body().string();ObjectMapper mapper = new ObjectMapper();JsonNode root = mapper.readTree(json);JsonNode data = root.path("data");if (!data.path("is_valid").asBoolean()) {throw new Exception("Classic Login token 无效: " + data.path("error").path("message").asText());}String userId = data.path("user_id").asText();// 获取用户名（需要额外调用 /me 端点）String userName = getUserNameFromGraphAPI(token);return new FacebookUser(userId, userName, "Classic Login");}}// 通过 Graph API 获取用户名private static String getUserNameFromGraphAPI(String token) throws Exception {OkHttpClient client = new OkHttpClient();String url = String.format("%s/me?fields=name&access_token=%s", GRAPH_API_URL, token);Request request = new Request.Builder().url(url).build();try (Response response = client.newCall(request).execute()) {if (!response.isSuccessful()) {throw new Exception("获取用户名失败: " + response.message());}String json = response.body().string();ObjectMapper mapper = new ObjectMapper();JsonNode root = mapper.readTree(json);return root.path("name").asText();}}// 用户信息类public static class FacebookUser {private final String userId;private final String userName;private final String loginType;public FacebookUser(String userId, String userName, String loginType) {this.userId = userId;this.userName = userName;this.loginType = loginType;}public String getUserId() {return userId;}public String getUserName() {return userName;}public String getLoginType() {return loginType;}@Overridepublic String toString() {return "FacebookUser{userId='" + userId + "', userName='" + userName + "', loginType='" + loginType + "'}";}}// 测试代码public static void main(String[] args) {// 替换为实际的 tokenString token = "your-token-here"; // 例如：JWT 或 Access Tokentry {FacebookUser user = validateToken(token);System.out.println("验证成功: " + user);} catch (Exception e) {System.err.println("验证失败: " + e.getMessage());}}
}

其中validateClassicLoginToken方法是旧版的，忽略即可，或者自行改为上面的，也可以用他的，我自己后面是改了上面的，还是用工具类好

苹果登录

似乎跟IOS新版的校验是差不多的，晚点对接完再回来写

一些见解

        上面的DefaultFacebookClient这个类理论上应该是线程安全的，因为里面涉及到请求时底层其实每发一个http请求都会创建一个新的HttpURLConnection，具体可以看以下方法，进去就看到了  com.restfb.DefaultWebRequestor#execute

部分问题解决

token重放攻击

        像谷歌和facebook去调用接口获取时都能获取一个nonce，然后前端也会把这个nonce传输过来，所以可以更为安全，有两个层级

       

      1. 后端单纯对比即可，简单

      2. 用完一次以后就把nonce存到redis中一天，然后使用过一次就不能再用了，这样的好处是完全杜绝了可能发生的安全问题

        我自己采用的就是第二种，也建议大家采用第二种，只是这样在测试环境一个token就只能用来调试一次了