当用户选择 Google 账号时,一键登录客户端会检索 Google ID 令牌。ID 令牌是用户身份的已签名断言,其中还包含用户的基本个人资料信息,可能包括已通过 Google 验证的电子邮件地址。
当 ID 令牌可用时,您可以使用它们通过应用的后端进行安全身份验证,或自动为用户注册新账号,而无需验证用户的电子邮件地址。
如需使用 ID 令牌登录或注册用户,请将令牌发送到应用的后端。在后端,使用 Google API 客户端库或通用 JWT 库验证令牌。如果用户之前未使用此 Google 账号登录您的应用,请创建一个新账号。
如果您选择使用随机数来帮助避免重放攻击,请使用 getNonce 将随机数与 ID 令牌一起发送到后端服务器,并检查预期值。我们强烈建议您考虑使用 Nonce 来提高用户安全性。
从凭据对象获取 ID 令牌
检索用户的凭据后,检查凭据对象是否包含 ID 令牌。如果有,请将其发送到您的后端。
Java
publicclassYourActivityextendsAppCompatActivity{// ...privatestaticfinalintREQ_ONE_TAP=2;// Can be any integer unique to the Activity.privatebooleanshowOneTapUI=true;// ...@OverrideprotectedvoidonActivityResult(intrequestCode,intresultCode,@NullableIntentdata){super.onActivityResult(requestCode,resultCode,data);switch(requestCode){caseREQ_ONE_TAP:try{SignInCredentialcredential=oneTapClient.getSignInCredentialFromIntent(data);StringidToken=credential.getGoogleIdToken();if(idToken!=null){// Got an ID token from Google. Use it to authenticate// with your backend.Log.d(TAG,"Got ID token.");}}catch(ApiExceptione){// ...}break;}}}
Kotlin
classYourActivity:AppCompatActivity(){// ...privatevalREQ_ONE_TAP=2// Can be any integer unique to the ActivityprivatevarshowOneTapUI=true// ...overridefunonActivityResult(requestCode:Int,resultCode:Int,data:Intent?){super.onActivityResult(requestCode,resultCode,data)when(requestCode){REQ_ONE_TAP->{try{valcredential=oneTapClient.getSignInCredentialFromIntent(data)validToken=credential.googleIdTokenwhen{idToken!=null->{// Got an ID token from Google. Use it to authenticate// with your backend.Log.d(TAG,"Got ID token.")}else->{// Shouldn't happen.Log.d(TAG,"No ID token!")}}}catch(e:ApiException){// ...}}}// ...}
[null,null,["最后更新时间 (UTC):2025-07-27。"],[],[],null,["# Authenticate with a backend using ID tokens\n\n| **Caution:** One Tap for Android is deprecated. To ensure the continued security and usability of your app, [migrate to\n| Credential Manager](/identity/sign-in/credential-manager). Credential Manager supports passkey, password, and federated identity authentication (such as Sign-in with Google), stronger security, and a more consistent user experience.\n\nThe One Tap sign-in client retrieves a Google ID token when the user selects a\nGoogle Account. An ID token is a signed assertion of a user's identity that also\ncontains a user's basic profile information, possibly including an email address\nthat has been verified by Google.\n\nWhen ID tokens are available, you can use them to securely authenticate with\nyour app's backend, or to automatically sign up the user for a new account\nwithout the need to verify the user's email address.\n\nTo sign in or sign up a user with an ID token, send the token to your app's\nbackend. On the backend, verify the token using either a Google API client\nlibrary or a general-purpose JWT library. If the user hasn't signed in to your\napp with this Google Account before, create a new account.\n\nIf you've optionally chosen to use a nonce to help avoid replay attacks, use\n[getNonce](https://developers.google.com/android/reference/com/google/android/gms/auth/api/identity/GetSignInIntentRequest#public-string-getnonce)\nto send it along with the ID Token to your backend server, and check for the\nexpected value. We recommend that you strongly consider using a nonce to\nimprove user safety and security.\n\nGet an ID token from the credentials object\n-------------------------------------------\n\nAfter you retrieve a user's credentials, check if the credentials object\nincludes an ID token. If it does, send it to your backend. \n\n### Java\n\n```java\npublic class YourActivity extends AppCompatActivity {\n\n // ...\n private static final int REQ_ONE_TAP = 2; // Can be any integer unique to the Activity.\n private boolean showOneTapUI = true;\n // ...\n\n @Override\n protected void onActivityResult(int requestCode, int resultCode, @Nullable Intent data) {\n super.onActivityResult(requestCode, resultCode, data);\n\n switch (requestCode) {\n case REQ_ONE_TAP:\n try {\n SignInCredential credential = oneTapClient.getSignInCredentialFromIntent(data);\n String idToken = credential.getGoogleIdToken();\n if (idToken != null) {\n // Got an ID token from Google. Use it to authenticate\n // with your backend.\n Log.d(TAG, \"Got ID token.\");\n }\n } catch (ApiException e) {\n // ...\n }\n break;\n }\n }\n}\n```\n\n### Kotlin\n\n```kotlin\nclass YourActivity : AppCompatActivity() {\n\n // ...\n private val REQ_ONE_TAP = 2 // Can be any integer unique to the Activity\n private var showOneTapUI = true\n // ...\n\n override fun onActivityResult(requestCode: Int, resultCode: Int, data: Intent?) {\n super.onActivityResult(requestCode, resultCode, data)\n\n when (requestCode) {\n REQ_ONE_TAP -\u003e {\n try {\n val credential = oneTapClient.getSignInCredentialFromIntent(data)\n val idToken = credential.googleIdToken\n when {\n idToken != null -\u003e {\n // Got an ID token from Google. Use it to authenticate\n // with your backend.\n Log.d(TAG, \"Got ID token.\")\n }\n else -\u003e {\n // Shouldn't happen.\n Log.d(TAG, \"No ID token!\")\n }\n }\n } catch (e: ApiException) {\n // ...\n }\n }\n }\n // ...\n}\n```"]]