如何将OAuth与Google日历一起使用以仅访问一个日历? [英] How to use OAuth with Google Calendar to access only ONE calendar?
问题描述
我正在为客户构建Web应用程序,但我不确定自己在做正确的事...
I'm building a web application for a customer and I'm not really sure I'm doing the right thing...
基本上,我创建了一个PHP应用程序,该程序可以在Google上读取,编辑,删除日历,并在我自己的Web应用程序数据库中保留一个副本(出于各种原因).现在,我了解了OAuth 2.0,并意识到使用它比使用我的客户端通用Google密码(可以访问所有google服务(日历,电子邮件等)直接在我的Web应用程序中以PHP文件(其他方式)更安全.话说来,如果黑客进入服务器,那么他可以窃取她的密码...).
Basically, I created a PHP application that read, edit, delete calendars on Google and keeps a copy on my own web application DB (for various reasons). Now, I read about the OAuth 2.0 and realise it could be safer to use this than have my client general Google password (that access ALL google services (calendar, email, etc)) directly in my web app in a PHP file (in other words, if a hacker enter the server than he can steal her password...).
因此,我创建了OAuth 2.0帐户,从此页面http://code.google.com/apis/calendar/v3/using.html#setup添加类/文件夹,并在测试页面上添加了适当的脚本以授权访问您的信息" (see "Instantiating the client " in the same page) ...
So I created the OAuth 2.0 account, add the classes/folders from this page http://code.google.com/apis/calendar/v3/using.html#setup and added the proper scripts on a test page to "authorize access to your information" (see "Instantiating the client " in the same page) ...
这是我的问题:如果我用我的登录信息(而不是我的客户端)登录了gmail,然后转到测试页,它将要求我授权对我的Google日历的访问权限.但我要我客户的日历,不是我的!因此,让我们假装我注销,使用我的客户信息登录并转到测试页面:完美,我授权了该帐户,然后将我重定向到可以查看她的HER日历的应用程序.
Here is my questions: If I am logged in my gmail with MY login info (not my Client) and I go to my test page, it will ask ME to authorize access to my Google Calendar. But I want my client's calendar, NOT MINE! So, let's pretend I logout, log in with my customer info and go to the test page : it's perfect, I authorize the account, then I'm redirected to my app where i can see HER calendar.
但是,这不切实际或不合逻辑...例如,由于我希望她在GENERAL PUBLIC网站上的人们浏览页面,并填写表格以便自动进行约会.该脚本必须检查她的Google日历....并要求获得其Gmail帐户的权限?不,我要她的日历.
But this is not practical OR logical... Since, for example, I want people on her GENERAL PUBLIC website to go on a page, and fill a form in order to automate her appointments. The script must check her google calendar.... and ask permission for THEIR gmail accounts? No, I want HER calendar.
这是我的问题.我究竟做错了什么?这是正确的方法还是我错过了一步?这个API就是要这样做吗?
So this is my problem / question. What am I doing wrong? Is this the right way to do so or did I miss a step? Was this API meant to do this?
如何使用API以上述方式工作?
How can I use the API to work in the way described above?
谢谢大家点燃蜡烛
乔尔
推荐答案
如果我正确地理解了您的身份,那么您就拥有正确的身份验证.问题是您不想显示已登录用户的日历.您要显示客户的日历.
If I'm understanding you correctly, you've got the authentication right. The problem is that you don't want to display the calendar of the logged-in user; you want to display your client's calendar.
用户可以在以下两种情况之一中写日历:
A user can write to a calendar in one of two circumstances:
- 用户拥有日历,或者
- 所有者通过指定用户的电子邮件地址,显式地授予了用户写权限.
很明显,第二种情况无法扩展.在这两种情况下,您都需要将客户端的凭据嵌入到应用程序中,然后使用它们来代表经过身份验证的用户创建约会,或者与该用户共享日历.当然,您需要对客户的凭据进行加密-不要只是在您的应用程序中对它们进行硬编码!
Clearly the second situation doesn't scale. And in either case, you'd need to embed your client's credentials in your application, then use them either to create appointments on behalf of an authenticated user, or to share the calendar with the user. Of course, you'll want to encrypt your client's credentials--don't simply hard-code them in your app!
与其使用客户的真实"帐户,不如为该日历创建一个新帐户(具有唯一的电子邮件地址和密码),似乎更加安全.然后,客户可以像客户一样通过应用程序访问它,或者您可以与她共享日历并授予她写权限.
Rather than using your client's "real" account, it would seem more secure to create a new account (with a unique email address and password) specifically for this calendar. Your client could then access it through your application as her customers would, or you could share the calendar with her and give her write access.
另一种可能是将日历设为对用户只读,而不是让他们直接在客户的日历上创建约会,您的应用可以让他们请求约会:它将在用户的日历上创建事件,并向您的客户的日历发送邀请.然后,您的应用将不需要任何嵌入式凭据.它还将使您的客户有机会确认或拒绝每次约会,并自动将其回复发送给用户.另一个好处是,每个用户的约会都将出现在他/她自己的个人Google日历上.
Another possibility might be to make the calendar read-only to the users, and rather than allowing them to create appointments directly on your client's calendar, your app could let them request appointments: it would create the events on the users' calendars and send invitations to your client's calendar. Then your app won't need any embedded credentials. It would also give your client the opportunity to confirm or decline each appointment, automatically sending her response to her users. Another benefit is that each user's appointments would appear on his/her own personal Google calendar.
我很想知道您(或其他任何人)是否找到更好的解决方案.
I'd be interested to know if you (or anyone else) finds a better solution.
这篇关于如何将OAuth与Google日历一起使用以仅访问一个日历?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
