如何处理对Google oAuth的服务帐户调用中的CORS? [英] How to handle CORS in a service account call to Google oAuth?
问题描述
我使用服务帐户访问Google日历。这意味着不会提示日历所有者进行授权。
I access a Google calendar using a service account. This means that the owner of the calendar will not be prompted for his authorization.
这在Python中很好,我在其中进行了请求
调用具有特定正文的 https://accounts.google.com/o/oauth2/token
。
This works fine in Python, where I make a requests
call to https://accounts.google.com/o/oauth2/token
with a specific body. This gets me back a token I can use later.
我现在需要在独立浏览器(Chrome-无用户交互)中运行应用程序,并尝试直接移植
I now need to have an application running in a standalone browser (Chrome - without user interaction) and tried to directly port this call as
fetch('https://accounts.google.com/o/oauth2/token',
{
method: 'POST',
body: JSON.stringify(body),
})
.then(function(res) { return res.json(); })
.then(function(data) { alert(JSON.stringify(data)) })
但是我收到Google的回复
but I get a reply from Google
无法加载 https://accounts.google.com/o/oauth2/token :否
'Access-Control-Allow-Origin'标头是存在于请求的
资源中。因此,不允许访问来源 http://devd.io 。
响应的HTTP状态代码为400。如果不透明的响应满足了
的需求,请将请求的模式设置为 no-cors,以在禁用
CORS的情况下获取资源。
Failed to load https://accounts.google.com/o/oauth2/token: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://devd.io' is therefore not allowed access. The response had HTTP status code 400. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
我对CORS的了解有限(a 上一个答案读得很好)是
My limited understanding of CORS (a previous answer was a very good read) is that
所请求的$ b上没有'Access-Control-Allow-Origin'标头$ b资源
No 'Access-Control-Allow-Origin' header is present on the requested resource
表示它不在 response 标头中,这意味着Google不会希望我从浏览器运行时通过JS访问其资源(指向 https://accounts.google.com
的其他内容)。
means that it is not present in the response headers, which means that Google does not want me to access its resources via JS when ran from the browser (which points to something else that https://accounts.google.com
).
这可能是一个好主意,但我控制了所有元素,从代码到浏览器,并希望以与在非浏览器环境中获取令牌相同的方式来获取该令牌,特别是我的工作Python代码。
This may be a good idea but I control all elements, from the code to the browser and would like to get that token the same way I get it in a non-browser environment, specifically my working Python code.
如何告诉 https://accounts.google.com
给我发回 Access-Control-Allow-Origin
标头告诉我的浏览器可以接受呼叫吗?
How can I tell https://accounts.google.com
to send me back a Access-Control-Allow-Origin
header which tell my browser that it is OK to accept the call?
推荐答案
您不能。
客户端和服务器端代码需要以不同的方式与OAuth交互。
Client side and server side code need to interact with OAuth in different ways.
Google 提供了说明客户端流程的文档。
重要的是,其中一部分涉及重定向到Google的服务器,而不是通过 fetch
或 XMLHttpRequest
。
Importantly, part of it involves redirecting to Google's servers instead of accessing them with fetch
or XMLHttpRequest
.
这篇关于如何处理对Google oAuth的服务帐户调用中的CORS?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!