Not authorized to request the scopes - Google OAuth2 for devices


Problem description

I've recently been working on accessing the Gmail API from a Python script.

As the script needs to run on a server, without any form of web browser, I've had to implement the OAuth for Devices flow, as detailed at https://developers.google.com/accounts/docs/OAuth2ForDevices

This has gone just fine: as I've been testing with the "profile" scope, I've been getting access tokens as expected.

However, to switch over to the actual token that my script needs, as I need to be authorised to write to the user's email, I've tried running my script with the scope www.googleapis.com/auth/gmail.compose, which returns the following:

{u'error_uri': u'code.google.com/apis/accounts/docs/OAuth2.html', u'error_description': u'Not authorized to request the scopes: [www.googleapis.com/auth/gmail.compose]', u'error': u'invalid_scope'}

At this point I got curious and tried a variety of scopes; it seems fairly arbitrary to me which ones would, and would not, work.

Working:

www.googleapis.com/auth/calendar
www.google.com/m8/feeds

Not working:

mail.google.com/
www.googleapis.com/auth/gmail.compose
www.googleapis.com/auth/gmail.readonly
www.googleapis.com/auth/gmail.modify
www.googleapis.com/auth/contacts.readonly

I've uploaded my code to https://gist.github.com/Hanse00/3a861430b1543599b3ed for anyone interested in having a look.

The Gmail API is indeed enabled in the project console.

If anyone has any clue why this would be happening, I'd be glad to hear from you!

Note: I've had to edit the scopes as they count as links, and my reputation is not high enough to post them all. The scopes I tried were in fact the correct ones.

Recommended answer

The OAuth2 for devices flow is less secure and is fine/allowed for some less-sensitive APIs, however not all of them. The Gmail API does not allow using it.

You could have your server implement the web server flow (if you can run an HTTP server on it) and then your client will redirect back there with a proper token you can retrieve+store: https://developers.google.com/accounts/docs/OAuth2WebServer
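
The web server flow suggested in the answer above, sketched as an added example (not part of the original answer or the asker's gist): it builds the consent URL for the gmail.compose scope and validates the redirect before the authorization code is redeemed. CLIENT_ID, REDIRECT_URI and the function names are placeholders chosen for illustration; the two endpoints are Google's documented OAuth 2.0 endpoints.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
GMAIL_COMPOSE = "https://www.googleapis.com/auth/gmail.compose"
# Placeholders (assumptions): use the values from your own project console.
CLIENT_ID = "EXAMPLE_CLIENT_ID.apps.googleusercontent.com"
REDIRECT_URI = "https://server.example/oauth2callback"


def new_state():
    """Unguessable per-request value; store it server-side until the callback."""
    return secrets.token_urlsafe(16)


def build_auth_url(state):
    """URL the user opens in any browser; Google redirects back to REDIRECT_URI."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": GMAIL_COMPOSE,
        "access_type": "offline",  # ask for a refresh token for unattended use
        "state": state,            # ties the callback to this request
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def code_from_callback(callback_url, expected_state):
    """Return the authorization code, rejecting errors and forged callbacks."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    returned = query.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch, discarding callback")
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


def token_request_body(code, client_secret):
    """Form fields to POST to TOKEN_ENDPOINT to redeem the code for tokens."""
    return {"grant_type": "authorization_code", "code": code,
            "client_id": CLIENT_ID, "client_secret": client_secret,
            "redirect_uri": REDIRECT_URI}
```

Keep the client secret and the returned refresh token out of the script's source and readable only by the account the script runs as.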
