If you have written web applications before, thinking of this as a Session will make it easier to grasp.
The previous article covered the AuthSubRequest authentication flow:
In steps 1-2, the user is redirected to Google's page to sign in with account and password. After signing in and completing all the steps (authorization),
in step 3, the flow returns to "our own site (page)" and supplies a token variable.
AuthSubSessionToken, the subject of this post, keeps that token and continues to use it.
Or, to put it in my own words: I think this approach is very similar to the Session we use in web programming. (Personal view, not guaranteed to be correct.)
The token we obtain must be placed in the HTTP header. On how to do that:
- HttpResponse.AddHeader (old method) -- http://msdn.microsoft.com/zh-tw/library/system.web.httpresponse.addheader.aspx
- HttpResponse.AppendHeader (the new method) -- http://msdn.microsoft.com/zh-tw/library/system.web.httpresponse.appendheader.aspx
Classic ASP developers, see: Response.AddHeader method -- http://msdn.microsoft.com/en-us/library/ms524327.aspx
First, let's look at Google's documentation, to which I have added a few annotations of my own (not guaranteed to be correct).
Call AuthSubSessionToken to exchange a single-use token for a long-lived session token. The single-use token is acquired by calling AuthSubRequest.
AuthSubSessionToken is a programmatic handler. Make an HTTP GET to the following URL: https://www.google.com/accounts/AuthSubSessionToken. Use an Authorization header with the following form:
Authorization: AuthSub token="token"
If the token is secure, it must be accompanied by a digital signature. See Signing Requests for instructions and examples.
Parameter | Description
token | (required) The authentication token received from Google in response to an AuthSubRequest call. Note: as the previous article described, the final step returns to "our own site (page)" and supplies a token variable.
Sample Request
This example shows a request for a non-secure session token.
GET /accounts/AuthSubSessionToken HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: AuthSub token="GD32CMCL25aZ-v____8B"
User-Agent: Java/1.5.0_06
Host: https://www.google.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
AuthSubSessionToken Response
On success, an HTTP 200 message is returned. Like the Session we usually work with, this token also comes with an expiry (a validity period).
If the request for a session token is successful, Google responds with an HTTP 200 message with a set of key-value pairs in a "key=value" format. These values contain a session token and an expiration date. You can ignore the expiration date, which is not currently used; session tokens effectively do not expire.
Sample Responses
This example illustrates an AuthSub token returned in the response header.
Token=DQAA...7DCTN    Note: the value of the token variable
Expiration=20061004T123456Z    Note: the expiry date
Call AuthSubRevokeToken to revoke a valid session token. Session tokens have no expiration date and remain valid unless revoked. The usage that follows is similar to the above.
AuthSubRevokeToken is a programmatic handler. To revoke a session token, make an HTTP GET to the following URL: https://www.google.com/accounts/AuthSubRevokeToken. Use an Authorization header with the following form:
Authorization: AuthSub token="token"
If the token is secure, it must be accompanied by a digital signature. See Signing Requests for instructions and examples.
Parameter | Description
token | (required) The session token, received in response to an AuthSubSessionToken request, to be revoked. Note: usage is similar to the above. As the previous article described, the final step returns to "our own site (page)" and supplies a token variable.
Sample Request
This example shows a revocation request for a non-secure session token.
GET /accounts/AuthSubRevokeToken HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: AuthSub token="GD32CMCL25aZ-v____8B"
User-Agent: Java/1.5.0_06
Host: www.google.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
AuthSubRevokeToken Response
On success, an HTTP 200 message is returned.
If the request for session token revocation is successful, Google responds with an HTTP 200 message.
AuthSubTokenInfo (this one is important!)
Call AuthSubTokenInfo to test whether a given session token is valid. This method validates the token in the same way that a Google service would; application developers can use this method to verify that their application is getting valid tokens and handling them appropriately without making a call to the real Google service. It can also be used to get information about the token, including next URL, scope, and secure status, as specified in the original token request.
This method can be used for both single-use and session tokens. Keep in mind, however, that if it is called with a single-use token, the call is treated as a valid use. Consequently, the AuthSubTokenInfo response indicates the token is valid, but the token is rendered invalid from that point on.
AuthSubTokenInfo is a programmatic handler. Make an HTTP GET to the following URL: https://www.google.com/accounts/AuthSubTokenInfo. Use an Authorization header with the following form:
Authorization: AuthSub token="token"
If the token is secure, it must be accompanied by a digital signature. See Signing Requests for instructions and examples.
Parameter | Description
token | (required) The authentication token received from Google in response to an AuthSub request. Note: usage is similar to the above. As the previous article described, the final step returns to "our own site's (page's) URL" and supplies a token variable.
Sample Request
This example shows a request for information on a non-secure token.
GET /accounts/AuthSubTokenInfo HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: AuthSub token="GD32CMCL25aZ-v____8B"
User-Agent: Java/1.5.0_06
Host: https://www.google.com
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
AuthSubTokenInfo Response
On success, an HTTP 200 message is returned.
If the request is successful, Google responds with an HTTP 200 message with a set of key-value pairs in a "key=value" format. These values identify the target URL, scope, and secure status values, which were specified in the original token request. The target URL is simply the hostname gleaned from the next URL value.
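Putting the three handlers together, here is an added Python client (not code from the original post or from Google, whose AuthSub service has since been retired): it builds the Authorization: AuthSub token="..." header on the outgoing GET to Google, parses the key=value response bodies, and exchanges, inspects and revokes a token. The transport is injectable, and FakeAuthSub is a constructed offline stand-in that enforces the two rules the documentation above states (any call, AuthSubTokenInfo included, spends a single-use token; a session token never expires and only stops working once revoked); the Target and Scope values it returns are made up.

```python
from urllib.request import Request, urlopen
BASE = "https://www.google.com/accounts/"  # handler URLs quoted in the docs above

def authsub_header(token):  # Authorization header value, non-secure form
    if not token or any(c in token for c in '"\r\n'):
        raise ValueError("token must be non-empty, with no quotes or line breaks")
    return 'AuthSub token="%s"' % token

def parse_kv(body):  # the key=value lines Google returns (Token=..., Expiration=...)
    return dict(ln.split("=", 1) for ln in body.splitlines() if "=" in ln)

def http_get(url, token):  # real transport: the header goes on the request TO Google
    with urlopen(Request(url, headers={"Authorization": authsub_header(token)})) as r:
        return r.status, r.read().decode()

def exchange(single_use_token, transport=http_get):
    """AuthSubSessionToken: trade the single-use token for a session token."""
    status, body = transport(BASE + "AuthSubSessionToken", single_use_token)
    if status != 200:
        raise RuntimeError("exchange failed: HTTP %d" % status)
    return parse_kv(body)["Token"]  # Expiration is returned too, but documented as unused

def token_info(token, transport=http_get):  # AuthSubTokenInfo: dict if valid, else None
    status, body = transport(BASE + "AuthSubTokenInfo", token)
    return parse_kv(body) if status == 200 else None

def revoke(token, transport=http_get):  # AuthSubRevokeToken: True on HTTP 200
    return transport(BASE + "AuthSubRevokeToken", token)[0] == 200

class FakeAuthSub:
    """Constructed offline stand-in for Google's handlers, following the docs' rules:
    any call spends a single-use token (AuthSubTokenInfo included); a session
    token never expires and stops working only when revoked."""
    def __init__(self):
        self.single_use = {"GD32CMCL25aZ-v____8B"}  # sample token from the docs
        self.sessions = set()
    def __call__(self, url, token):
        handler = url.rsplit("/", 1)[1]
        info = "Target=www.example.com\nScope=https://example.com/feeds/\nSecure=false\n"  # constructed
        if token in self.single_use:
            self.single_use.discard(token)  # spent now, whichever handler was called
            if handler == "AuthSubSessionToken":
                self.sessions.add("S-" + token)
                return 200, "Token=S-%s\nExpiration=20061004T123456Z\n" % token
            return 200, info
        if token in self.sessions and handler in ("AuthSubRevokeToken", "AuthSubTokenInfo"):
            if handler == "AuthSubRevokeToken":
                self.sessions.discard(token)
            return 200, info if handler == "AuthSubTokenInfo" else ""
        return 403, "Token invalid"  # constructed; the real error status is not on this page
```

Because the session token never expires on its own, calling revoke() when the user logs out is the only way to end its validity.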
Sample Responses
This example illustrates a response containing a session authentication token.
