Problem description
I am making an app that does not require a user account/login, and allows the user to purchase a subscription. I want to use the Google Play Developer API to verify whether or not a user has a purchased/active subscription. From all of the documentation, I've gathered the following steps.
Are they correct, and could you answer the two questions in them?
1. Create a Service Account in the Google APIs Console.
2. Save the private key that is given to me (where? surely not in my code/on the device as this sample code suggests)
3. Use Google APIs Client Library for Java to create and sign a JWT with the private key (how? the docs give me this, but that is not Java code... What do I do with it?)
4. Construct an access token request, and get access to the API
5. Application can now send a GET request to the API to find out whether or not the user has a subscription
6. When the access token expires, go back to step 3.
Also, I have a web service, though I know nothing about web services or web service programming... I only know enough to be aware that it is probably necessary to use here.
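These steps are not correct. See the answer below for the correct steps. Note, however, that this only applies to using a service account (because I did not want to require users to explicitly allow API access).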
Recommended answer
As it turns out, my steps were not correct. It took me weeks to figure this out and it doesn't seem to be documented anywhere else. You're welcome:
Create a Web Application account in the Google APIs Console. Put any website as a "redirect URI"; it doesn't matter since you will not really be using it. You will get a client id and client secret when you create the account.
In a browser on your computer, go to https://accounts.google.com/o/oauth2/auth?scope=https://www.googleapis.com/auth/androidpublisher&response_type=code&access_type=offline&redirect_uri=[YOUR REDIRECT URI]&client_id=[YOUR CLIENT ID] and allow access when prompted.
Look in the address bar. At the end of the URI you entered originally will be your refresh token. It looks like 1/....
You will need this "code" in the next step. The refresh token never expires.
Convert this "code" to a "refresh token" by going to https://accounts.google.com/o/oauth2/token?client_id=[YOUR CLIENT ID]&client_secret=[YOUR CLIENT SECRET]&code=[CODE FROM PREVIOUS STEP]&grant_type=authorization_code&redirect_uri=[YOUR REDIRECT URI]. You can save the resulting value right in your program; it never expires unless explicitly revoked. (this step inserted by @BrianWhite -- see comments)
Make sure you are using POST. (inserted by Gintas)
In your code, send an HttpPost request to https://accounts.google.com/o/oauth2/token with the BasicNameValuePairs "grant_type","refresh_token", "client_id",[YOUR CLIENT ID], "client_secret",[YOUR CLIENT SECRET], "refresh_token",[YOUR REFRESH TOKEN]. For an example look here. You will need to do this in a separate thread, probably using AsyncTask. This will return a JSONObject.
Get the access token from the returned JSONObject. For an example look here. You will need to get the string "access_token". The access token expires in 1 hour.
In your code, send an HttpGet request to https://www.googleapis.com/androidpublisher/v1/applications/[YOUR APP'S PACKAGE NAME]/subscriptions/[THE ID OF YOUR PUBLISHED SUBSCRIPTION FROM YOUR ANDROID DEVELOPER CONSOLE]/purchases/[THE PURCHASE TOKEN THE USER RECEIVES UPON PURCHASING THE SUBSCRIPTION]?accesstoken="[THE ACCESS TOKEN FROM STEP 4]". For an example look here.
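The refresh and purchase-lookup steps from the answer, as an added example that is not part of the original answer: plain Java 11 written for the web service mentioned in the question, so the client secret and refresh token stay off the device. It assumes org.json on the classpath, uses constructed sample values, and sends the access token in an Authorization header (standard OAuth 2.0 bearer usage) instead of the answer's query parameter; the class and method names are hypothetical.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import org.json.JSONObject; // assumption: org.json is on the classpath

public class SubscriptionCheck {
    static final String TOKEN_URL = "https://accounts.google.com/o/oauth2/token";
    static final String API_BASE = "https://www.googleapis.com/androidpublisher/v1/applications/";

    // Percent-encode one form value or one path segment.
    static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8).replace("+", "%20");
    }

    // Refresh step: a form-encoded POST body, so the secrets never appear in a URL.
    static HttpRequest refreshRequest(String id, String secret, String refreshToken) {
        String form = "grant_type=refresh_token&client_id=" + enc(id)
            + "&client_secret=" + enc(secret) + "&refresh_token=" + enc(refreshToken);
        return HttpRequest.newBuilder(URI.create(TOKEN_URL))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(form)).build();
    }

    // Token response: fail loudly on an error object instead of using a missing token.
    static String accessToken(String body) {
        JSONObject json = new JSONObject(body);
        if (json.has("error"))
            throw new IllegalStateException("token endpoint: " + json.getString("error"));
        return json.getString("access_token");
    }

    // Purchase lookup. The purchase token is supplied by the device, so it is
    // encoded to keep it inside a single path segment of the API URL.
    static HttpRequest purchaseRequest(String pkg, String subId, String purchaseToken,
                                       String accessToken) {
        URI uri = URI.create(API_BASE + enc(pkg) + "/subscriptions/" + enc(subId)
            + "/purchases/" + enc(purchaseToken));
        return HttpRequest.newBuilder(uri)
            .header("Authorization", "Bearer " + accessToken).GET().build();
    }

    public static void main(String[] args) {
        // Constructed sample values; real ones come from the server's environment.
        HttpRequest refresh = refreshRequest("example-client-id", "example-secret", "1/example");
        String token = accessToken("{\"access_token\":\"ya29.example\",\"expires_in\":3600}");
        HttpRequest lookup = purchaseRequest("com.example.app", "monthly_sub",
            "purchase-token/from client", token);
        System.out.println(refresh.method() + " " + refresh.uri() + "\n" + lookup.uri());
    }
}
```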