Cross-Identity OAuth / Cross-Identity OAuth tokens

I have an Android app, an iOS app and a PHP app. The client logs in via one of the apps and sends the access token to the PHP server so it can retrieve the user information from /me.

The problem is that the PHP server can't use the mobile app key. I can't fetch the data in the mobile app and pass it to the server, since that can be forged client-side and presents a security risk.

How do I fix this? Google has an "Other" OAuth client type that works with both mobile apps and websites using a single key.


I have an Android application, an iOS application and a PHP server. The client authenticates in the mobile application and sends the access token to the PHP server.

When the PHP server receives the access token, it uses that token to request the "/me" information. The problem is that the mobile app key does not grant access to the PHP server.

For security reasons I cannot send the response data directly from the mobile app; otherwise that data could be forged on the client side.

How do I solve this? Google has an "Other" key type that grants access for every client type.

@time1197 I have replied by direct message!

1 like

My developer is based in an English-speaking country.
Could you answer in English?

It is not a good idea to invoke it while changing the platform environment, but if you only need to do it that way, the server will accept me API or token info API requests with that access token. If you want to issue a separate token for the server, there is a way to do it, as follows.

  1. Send the access token, refresh token, and user id received from the client to the server.
  2. Request the me or token info API with that access token.
  3. Make sure that the user id you received in step 2 is the same as the user id you received from the client.
    1. If it passes, you will get a new server access token with a refresh token and a REST API application key.

@michael We have to do it this way. We are doing cross-identity login, so the user can log into a WebView Kakao implementation using their native Kakao mobile app. I want to make sure I understand correctly:

  1. Send the access token, refresh token, and user ID from the native app to the server
  2. Request '/me' on the server with the access token, and verify the user id matches step #1
  3. The response will contain a one-time REST API application key which I can use as if it were a normal REST API key

Is this correct?

I think you misunderstood 3).

  1. /v2/user/me will only retrieve user information, not a one-time REST API key
  2. What Michael meant was that you should refresh the access token with your REST API key (specified in your app settings next to your native app key) by calling the kauth.kakao.com/oauth/token API for further use.

Step 2 is not necessary if you just use the /v2/user/me API on user registration and no further Kakao API call is needed. Just use the token passed from the client. However, if you plan to call the Kakao API periodically, or at some point in the future, on behalf of the user, you should refresh the user's access token with his or her refresh token, since the access token will expire soon (12 hours in the case of the native environment).

Feel free to reply here if you have any further question or something is not clear.

3 likes
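The server-side flow that Michael lays out above (receive access token, refresh token and user id from the app; call the me API; compare the id Kakao returns with the id the client claimed; only then refresh with the REST API key) and the clarification that the refresh goes through kauth.kakao.com/oauth/token, as an added example that is not part of the original thread and not Kakao's own code. It is written in Python rather than the asker's PHP. The request and response shapes (an `id` field from /v2/user/me; `access_token`, `expires_in` and an optional `refresh_token` from the token endpoint), the `FakeKakao` offline stand-in and every token value below are assumptions and constructed data.

```python
import json
from urllib import parse, request
from urllib.error import HTTPError

# Kakao endpoints named in the thread.
KAKAO_ME_URL = "https://kapi.kakao.com/v2/user/me"
KAKAO_TOKEN_URL = "https://kauth.kakao.com/oauth/token"


class CrossIdentityError(Exception):
    """The login handed over by the mobile app cannot be trusted."""


def urllib_transport(method, url, headers, body=None):
    """Real HTTP transport: returns (status, decoded JSON body)."""
    req = request.Request(url, data=body, headers=headers, method=method)
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read().decode())
    except HTTPError as err:  # Kakao sends a JSON error body on 4xx (assumption)
        return err.code, json.loads(err.read().decode() or "{}")


def fetch_user_id(transport, access_token):
    """Ask Kakao who the token belongs to; never trust the client's claim."""
    status, body = transport("GET", KAKAO_ME_URL,
                             {"Authorization": "Bearer " + access_token})
    if status != 200 or "id" not in body:
        raise CrossIdentityError("/v2/user/me rejected the token: %s %s" % (status, body))
    return str(body["id"])


def refresh_with_rest_key(transport, rest_api_key, refresh_token):
    """Mint a server-side access token from the native refresh token, with the
    REST API key as client_id (the refresh step described in the thread)."""
    form = parse.urlencode({"grant_type": "refresh_token",
                            "client_id": rest_api_key,
                            "refresh_token": refresh_token}).encode()
    status, body = transport(
        "POST", KAKAO_TOKEN_URL,
        {"Content-Type": "application/x-www-form-urlencoded;charset=utf-8"}, form)
    if status != 200 or "access_token" not in body:
        raise CrossIdentityError("token refresh failed: %s %s" % (status, body))
    return body


def exchange_native_login(transport, rest_api_key, payload):
    """Full server-side flow for one login POSTed by the mobile app."""
    try:
        claimed_id = str(payload["user_id"])
        access_token = str(payload["access_token"])
        refresh_token = str(payload["refresh_token"])
    except (KeyError, TypeError):
        raise CrossIdentityError("payload needs user_id, access_token, refresh_token")
    verified_id = fetch_user_id(transport, access_token)
    if verified_id != claimed_id:
        # Forged payload: the token really belongs to someone else. Stop here,
        # before any server-side token is minted.
        raise CrossIdentityError("user_id %s does not own this token (Kakao says %s)"
                                 % (claimed_id, verified_id))
    tokens = refresh_with_rest_key(transport, rest_api_key, refresh_token)
    return {
        "user_id": verified_id,  # Kakao's answer, never the client's claim
        "access_token": tokens["access_token"],
        "expires_in": tokens.get("expires_in"),
        # Kakao only returns a new refresh_token when the old one is near expiry
        # (assumption based on its docs), so keep the current one otherwise.
        "refresh_token": tokens.get("refresh_token", refresh_token),
    }


class FakeKakao:
    """Constructed offline stand-in for Kakao. token_owner maps native access
    tokens to user ids; refresh_grants maps native refresh tokens to the server
    access token they should mint. Records every call for inspection."""

    def __init__(self, token_owner, refresh_grants):
        self.token_owner = token_owner
        self.refresh_grants = refresh_grants
        self.calls = []

    def __call__(self, method, url, headers, body=None):
        self.calls.append((method, url))
        if url == KAKAO_ME_URL:
            token = headers.get("Authorization", "").replace("Bearer ", "", 1)
            if token in self.token_owner:
                return 200, {"id": self.token_owner[token]}
            return 401, {"msg": "this access token does not exist", "code": -401}
        if url == KAKAO_TOKEN_URL:
            form = dict(parse.parse_qsl(body.decode()))
            if (form.get("grant_type") == "refresh_token"
                    and form.get("refresh_token") in self.refresh_grants):
                return 200, {"token_type": "bearer", "expires_in": 21599,
                             "access_token": self.refresh_grants[form["refresh_token"]]}
            return 400, {"error": "invalid_grant"}
        return 404, {}


if __name__ == "__main__":
    kakao = FakeKakao({"native-at-1": 1234567890}, {"native-rt-1": "server-at-1"})
    good = {"user_id": 1234567890, "access_token": "native-at-1",
            "refresh_token": "native-rt-1"}
    print(exchange_native_login(kakao, "REST_API_KEY", good))
    forged = dict(good, user_id=42)  # attacker pairs a victim id with their own token
    try:
        exchange_native_login(kakao, "REST_API_KEY", forged)
    except CrossIdentityError as err:
        print("rejected:", err)
```

In production, pass `urllib_transport` instead of `FakeKakao`. The only data the server should persist is what this function returns: the id Kakao confirmed and the server-minted tokens. Letting the app POST the /me response itself is exactly the forgery the question worries about, and the id comparison is what closes it. As the thread notes, the native access token expires after about 12 hours, so the refresh token is what the server keeps for later calls.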

Normally, refresh tokens are tied to the Client ID (in this case, the native app key). Are you saying that I can use a refresh token from the native app key/Client ID to get a new access token for the REST API Client ID?

1 like

Yes, you can use the refresh token from the native environment on the server side.

It is true that refresh tokens are normally tied to a client id, but that is usually in cases where the client id distinguishes services, not platforms such as web, Android, or iOS.

Kakao app keys are divided among platforms for better security, but the native, JavaScript, and REST API keys all point to the same client application, so it is not against the OAuth spec in this case.

2 likes