且构网 - sharing the everyday work of programmers

Using Firebase Authentication with Google App Engine

Updated: 2023-12-05 22:33:04

Firebase (Authorization Server) sends a token (Access Token) back to the client (browser).

The client now makes a request to your app engine service (Resource Server) with that token.

What you need to do is check whether the token is valid and, if it is, return the secret data.

The OAuth 2.0 spec doesn't clearly define the interaction between a Resource Server and Authorization Server for access token validation:

Access token attributes and the methods used to access protected resources are beyond the scope of this specification and are defined by companion specifications.

So for each authentication service (Google, Facebook, GitHub, etc.) you use, you have to look up how to validate the Access Token.

Example:

Google

Request (from your app engine backend)

https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123

Response

{
 // These six fields are included in all Google ID Tokens.
 "iss": "https://accounts.google.com",
 "sub": "110169484474386276334",
 "azp": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
 "aud": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
 "iat": "1433978353",
 "exp": "1433981953",

 // These seven fields are only included when the user has granted the "profile" and
 // "email" OAuth scopes to the application.
 "email": "testuser@gmail.com",
 "email_verified": "true",
 "name" : "Test User",
 "picture": "https://lh4.googleusercontent.com/-kYgzyAWpZzJ/ABCDEFGHI/AAAJKLMNOP/tIXL9Ir44LE/s99-c/photo.jpg",
 "given_name": "Test",
 "family_name": "User",
 "locale": "en"
}

You can make this plain request from your backend server but it would be better using one of the Google API Client Libraries

See here for more information about authenticating with a backend server.
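As an added example (not part of the original answer), the backend-side check the answer describes: call the tokeninfo endpoint quoted above, then verify the claims it returns before trusting the request. The client ID used as the expected audience and the sample claims are constructed from the response shape shown above; tokeninfo returns exp and email_verified as strings, so the check coerces them before comparing.

```python
import json
import time
import urllib.parse
import urllib.request

# Endpoint quoted in the answer above; the expected audience is the client ID from the sample response.
TOKENINFO_URL = "https://www.googleapis.com/oauth2/v3/tokeninfo"
EXPECTED_AUD = "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com"
VALID_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


class InvalidToken(Exception):
    """Raised when the tokeninfo claims fail a check."""


def fetch_tokeninfo(id_token: str) -> dict:
    """Ask Google's tokeninfo endpoint to validate the raw ID token (network call)."""
    query = urllib.parse.urlencode({"id_token": id_token})
    with urllib.request.urlopen(f"{TOKENINFO_URL}?{query}", timeout=5) as resp:
        return json.load(resp)


def check_claims(claims: dict, expected_aud: str = EXPECTED_AUD, now=None) -> str:
    """Validate the returned claims and return the stable user id (sub).

    tokeninfo returns iat/exp/email_verified as strings, so coerce before comparing.
    """
    now = int(time.time()) if now is None else now
    if claims.get("iss") not in VALID_ISSUERS:
        raise InvalidToken("unexpected issuer")
    if claims.get("aud") != expected_aud:  # token was minted for a different app
        raise InvalidToken("audience mismatch")
    if int(claims.get("exp", 0)) <= now:
        raise InvalidToken("token expired")
    if str(claims.get("email_verified", "false")).lower() != "true":
        raise InvalidToken("email not verified")
    return claims["sub"]


# Constructed sample mirroring the response shape shown above.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "sub": "110169484474386276334",
    "aud": EXPECTED_AUD,
    "iat": "1433978353",
    "exp": "1433981953",
    "email": "testuser@gmail.com",
    "email_verified": "true",
}

if __name__ == "__main__":
    print(check_claims(SAMPLE_CLAIMS, now=1433980000))
```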