Important: Starting May 1, 2024, Apple requires privacy manifests and signatures for iOS apps that use commonly used SDKs, including GoogleSignIn-iOS. Upgrade to GoogleSignIn-iOS v7.1.0 or later before May 1, 2024. Follow our upgrade guide.
Access Google APIs from your app backend
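Follow this procedure if you want your servers to be able to make Google API calls on behalf of users or while they are offline.
Before you begin
You must complete the basic Google Sign-In integration.
Enable server-side API access for your app
On the Access Google APIs in an iOS app page, your app authenticates the user on the client side only; in that case, your app is able to access Google APIs only while the user is actively using your app.
With the procedure described on this page, your servers can make Google API calls on behalf of users while they are offline. For example, a photo app could enhance a photo in a user's Google Photos album by processing it on a backend server and uploading the result to another album. To do this, your server requires an access token and a refresh token.
To obtain an access token and refresh token for your server, you can request a one-time authorization code that your server exchanges for these two tokens. After a successful sign-in, you will find the one-time code as the serverAuthCode property of GIDSignInResult.
1. If you haven't already, get a server client ID and specify it in your app's Info.plist file, below your OAuth client ID.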
<key>GIDServerClientID</key>
<string>YOUR_SERVER_CLIENT_ID</string>
2. In your sign-in callback, retrieve the one-time authorization code:
Swift
GIDSignIn.sharedInstance.signIn(withPresenting: self) { signInResult, error in
    guard error == nil else { return }
    guard let signInResult = signInResult else { return }

    let authCode = signInResult.serverAuthCode
}
Objective-C
[GIDSignIn.sharedInstance
    signInWithPresentingViewController:self
                            completion:^(GIDSignInResult * _Nullable signInResult,
                                         NSError * _Nullable error) {
      if (error) { return; }
      if (signInResult == nil) { return; }

      NSString *authCode = signInResult.serverAuthCode;
}];
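3. Securely pass the serverAuthCode string to your server using HTTPS POST.
4. On your app's backend server, exchange the auth code for access and refresh tokens. Use the access token to call Google APIs on behalf of the user and, optionally, store the refresh token to acquire a new access token when the access token expires.
For example: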
Java
import com.google.api.client.googleapis.auth.oauth2.GoogleAuthorizationCodeTokenRequest;
import com.google.api.client.googleapis.auth.oauth2.GoogleClientSecrets;
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleTokenResponse;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;
import com.google.api.services.drive.Drive;
import com.google.api.services.drive.model.File;
import java.io.FileReader;

// (Receive authCode via HTTPS POST)

if (request.getHeader("X-Requested-With") == null) {
  // Without the `X-Requested-With` header, this request could be forged. Aborts.
  // (`response` is assumed to be the handler's HTTP servlet response.)
  response.sendError(403);
  return;
}

// Set path to the Web application client_secret_*.json file you downloaded from the
// Google API Console: https://console.cloud.google.com/apis/credentials
// You can also find your Web application client ID and client secret from the
// console and specify them directly when you create the GoogleAuthorizationCodeTokenRequest
// object.
String CLIENT_SECRET_FILE = "/path/to/client_secret.json";

// Exchange auth code for access token
GoogleClientSecrets clientSecrets =
    GoogleClientSecrets.load(
        JacksonFactory.getDefaultInstance(), new FileReader(CLIENT_SECRET_FILE));
GoogleTokenResponse tokenResponse =
    new GoogleAuthorizationCodeTokenRequest(
            new NetHttpTransport(),
            JacksonFactory.getDefaultInstance(),
            "https://oauth2.googleapis.com/token",
            clientSecrets.getDetails().getClientId(),
            clientSecrets.getDetails().getClientSecret(),
            authCode,
            REDIRECT_URI)  // Specify the same redirect URI that you use with your web
                           // app. If you don't have a web version of your app, you can
                           // specify an empty string.
        .execute();

String accessToken = tokenResponse.getAccessToken();

// Use access token to call API
GoogleCredential credential = new GoogleCredential().setAccessToken(accessToken);
Drive drive =
    new Drive.Builder(new NetHttpTransport(), JacksonFactory.getDefaultInstance(), credential)
        .setApplicationName("Auth Code Exchange Demo")
        .build();
File file = drive.files().get("appfolder").execute();

// Get profile info from ID token
GoogleIdToken idToken = tokenResponse.parseIdToken();
GoogleIdToken.Payload payload = idToken.getPayload();
String userId = payload.getSubject();  // Use this value as a key to identify a user.
String email = payload.getEmail();
// Null-safe: getEmailVerified() returns a Boolean that is null when the claim is absent.
boolean emailVerified = Boolean.TRUE.equals(payload.getEmailVerified());
String name = (String) payload.get("name");
String pictureUrl = (String) payload.get("picture");
String locale = (String) payload.get("locale");
String familyName = (String) payload.get("family_name");
String givenName = (String) payload.get("given_name");
Python
from apiclient import discovery
import httplib2
from oauth2client import client

# (Receive auth_code by HTTPS POST)
# `request` and `abort` are provided by your web framework (Flask-style names shown).

# If this request does not have `X-Requested-With` header, this could be a CSRF
if not request.headers.get('X-Requested-With'):
    abort(403)

# Set path to the Web application client_secret_*.json file you downloaded from the
# Google API Console: https://console.cloud.google.com/apis/credentials
CLIENT_SECRET_FILE = '/path/to/client_secret.json'

# Exchange auth code for access token, refresh token, and ID token
credentials = client.credentials_from_clientsecrets_and_code(
    CLIENT_SECRET_FILE,
    ['https://www.googleapis.com/auth/drive.appdata', 'profile', 'email'],
    auth_code)

# Call Google API
http_auth = credentials.authorize(httplib2.Http())
drive_service = discovery.build('drive', 'v3', http=http_auth)
appfolder = drive_service.files().get(fileId='appfolder').execute()

# Get profile info from ID token
userid = credentials.id_token['sub']
email = credentials.id_token['email']
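Step 4 says to store the refresh token so the server can obtain a new access token after expiry, but the samples stop at the first exchange. The following is an added example, not Google's code, of that refresh step using the standard OAuth 2.0 refresh grant; `UserTokens`, `ReauthRequired` and `post_form` are hypothetical names, and the `post` hook is there so the logic can be exercised without network access.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://oauth2.googleapis.com/token"  # Google's OAuth 2.0 token endpoint

class ReauthRequired(Exception):
    """The refresh token was revoked or expired; the user must sign in again."""

def post_form(url, form):
    """POST form fields over HTTPS and return (status, parsed JSON body)."""
    data = urllib.parse.urlencode(form).encode()
    try:
        with urllib.request.urlopen(urllib.request.Request(url, data=data)) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:  # 4xx answers carry a JSON error body
        return err.code, json.load(err)

class UserTokens:
    """Per-user token state kept by the backend (hypothetical helper)."""

    def __init__(self, client_id, client_secret, refresh_token, post=post_form):
        self.client_id, self.client_secret = client_id, client_secret
        self.refresh_token = refresh_token
        self.access_token, self.expires_at = None, 0.0
        self._post = post

    def access_token_for_call(self, now=None, skew=60):
        """Return a valid access token, refreshing it shortly before expiry."""
        now = time.time() if now is None else now
        if self.access_token and now < self.expires_at - skew:
            return self.access_token
        status, body = self._post(TOKEN_URL, {
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })
        if status != 200:
            if body.get("error") == "invalid_grant":
                raise ReauthRequired("refresh token no longer valid")
            raise RuntimeError("token refresh failed: %s" % body.get("error"))
        self.access_token = body["access_token"]
        self.expires_at = now + int(body["expires_in"])
        # A refresh response usually omits refresh_token: keep the stored one.
        self.refresh_token = body.get("refresh_token", self.refresh_token)
        return self.access_token
```

Seed `refresh_token` with the value returned by the code exchange and keep it, like the client secret, out of logs and encrypted at rest. Treat `ReauthRequired` as the signal to send the user back through sign-in rather than retrying.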
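Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-25 UTC.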