Alternative to calling gapi.auth.authorize every time


Question

I have a single-page web application that uses Google Apps Script Execution API to call functions that return the data I need. I based my project on the quick start sample code provided by Google.

This requires the use of OAuth and I am accomplishing that via functions that make use of the client JavaScript library provided by Google.

The first time a user is asked to authenticate, the following function is used with immediate: false:

gapi.auth.authorize({client_id: CLIENT_ID, scope: SCOPES, immediate: false}, handler);

Subsequent API requests must also provide an authentication token, so I am calling the same function, but with immediate: true:

gapi.auth.authorize({'client_id': CLIENT_ID, 'scope': SCOPES, 'immediate': true}, handler);

Each time gapi.auth.authorize is called, a new IFRAME is added to the page, seemingly to store the results of the authentication operation/token, etc.

So, yes, everything works but I am thinking that there has to be a better way of doing this.

Is there another way to make subsequent API calls, after initial authentication, that doesn't require using gapi.auth.authorize and adding yet another IFRAME to the page?

According to Google:

Note

After the initial user authorization, calls to gapi.auth.authorize that use the immediate: true mode will obtain an auth token without user intervention.

Answer


In short, you can't avoid the iframe (or popup which is the older way) unless you use "offline" mode. Here is the deal:
There are two distinct ways to request a permission, "offline" or "not offline".

In Offline, oauth2 gives you a permanent permission by giving you the "refresh token" (ok it's not really forever if the user revokes the permission from the google account security page, or for some scopes if the user changes their password).

This special token lets you create new access tokens whenever you want by simply doing a "GET" call to the API, without any user intervention. In your case, this is the mode you need, no way around it, this is why it exists, and you have to take special care to store it securely and so on.

In Not offline mode, you only get a temporary permission ("access token" expires in 1 hour), you do not get the "refresh token". But how does that work? Somewhere there must be some refresh token or something private stored.

Authentication using the Google APIs Client Library for JavaScript takes advantage of browser security features to do this. In particular, browsers secure storage and cookies per subdomain, and once you are logged-in to the browser, google.com will store or use cookies to secure parameters that it sends to google to validate you.
So, how to read those values? Opening the google.com url is the only way to have javascript read the values. Google allows special parameters so it can communicate back the access token. How to open a page? By "iframe" or "popup", which are the only ways that browsers currently support.

This allows the google page to act like a secure proxy to ask Google for stuff. A page that iframes or opens the google page (as a popup) cannot fake its own URL so this "proxy" knows what page is asking for data. The proxy can then validate with google servers for what scopes this caller has, and return a new access token. A hacker cannot fake this from a server because it does not have the cookie needed (stored in each user's browser under a google subdomain, which is the only place where "online" mode works.)

"popup" was the older way before browsers had secured iframes, but it will cause at minimum a "flash" when the popup opens and immediately closes (search for "jarring" in the link above).

Thus, later Google provided "iframe" mode which gives a much smoother experience. Using the iframe is the "immediate" mode that the link above mentions.

TLDR: gotta use "offline" or hack the user's browser.
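The answer explains that in "online" (immediate) mode every token comes back through a gapi.auth.authorize iframe and is only good for about an hour. What the question's code does not do is remember that token: it calls authorize before every API request. The following is an added example, not code from the question, the answer or Google's library: a small cache that hands back the access token returned by the immediate: true call until it is within a safety margin of expiring, and only then runs authorize again, so the iframe appears once per token lifetime rather than once per request. It assumes the legacy gapi.auth.authorize handler receives an authResult carrying access_token, expires_in (seconds) and, on failure, error (for example "immediate_failed", which is the signal to send the user back through immediate: false). The gapi object is injected and a constructed stand-in is used so the example runs outside a browser; CLIENT_ID and SCOPES are the question's placeholders.

```javascript
// Added example: cache the short-lived access token from gapi.auth.authorize
// (immediate: true) and only re-authorize when it is about to expire.
// Assumptions: legacy gapi.auth.authorize(params, handler) where handler gets
// { access_token, expires_in } on success or { error } on failure.

const SKEW_SECONDS = 60; // refresh this many seconds before the token would expire

function createTokenCache(options) {
  const gapi = options.gapi;                             // injected so it can run offline
  const now = options.now || (() => Date.now() / 1000);  // seconds since epoch
  const clientId = options.clientId;
  const scopes = options.scopes;

  let cached = null;      // { accessToken, expiresAt } or null
  let authorizeCalls = 0; // how many times the iframe-creating call was made

  // A token is usable only while it is clearly outside the skew window.
  function isFresh() {
    return cached !== null && cached.expiresAt - now() > SKEW_SECONDS;
  }

  // getAccessToken(callback): callback(err, accessToken). Reuses the cached token
  // when fresh; otherwise performs one immediate: true authorize and caches it.
  function getAccessToken(callback) {
    if (isFresh()) {
      callback(null, cached.accessToken);
      return;
    }
    authorizeCalls += 1;
    gapi.auth.authorize(
      { client_id: clientId, scope: scopes, immediate: true },
      function handler(authResult) {
        if (!authResult || authResult.error) {
          // e.g. "immediate_failed": session gone, user must go through immediate: false
          cached = null;
          callback(new Error(authResult ? authResult.error : 'no auth result'), null);
          return;
        }
        cached = {
          accessToken: authResult.access_token,
          expiresAt: now() + Number(authResult.expires_in),
        };
        callback(null, cached.accessToken);
      }
    );
  }

  return { getAccessToken, isFresh, authorizeCalls: () => authorizeCalls };
}

// Constructed stand-in for window.gapi: replays the given authResults in order,
// repeating the last one, and invokes the handler synchronously.
function makeFakeGapi(results) {
  let i = 0;
  return {
    auth: {
      authorize(params, handler) {
        const next = results[Math.min(i, results.length - 1)];
        i += 1;
        handler(next);
      },
    },
  };
}

// Walks a controllable clock through one token lifetime and one failure.
function demo() {
  let clock = 1000; // constructed "current time" in seconds
  const gapi = makeFakeGapi([
    { access_token: 'tok-1', expires_in: 3600 },
    { access_token: 'tok-2', expires_in: 3600 },
    { error: 'immediate_failed' },
  ]);
  const cache = createTokenCache({ gapi, now: () => clock, clientId: 'CLIENT_ID', scopes: 'SCOPES' });
  const seen = [];
  cache.getAccessToken((e, t) => seen.push(t)); // first request: authorize runs
  cache.getAccessToken((e, t) => seen.push(t)); // second request: served from cache
  clock += 3600 - 30;                            // now inside the 60 s skew window
  cache.getAccessToken((e, t) => seen.push(t)); // refreshed: authorize runs again
  clock += 3600;                                 // tok-2 fully expired
  cache.getAccessToken((e, t) => seen.push(e ? 'error:' + e.message : t));
  return { seen, calls: cache.authorizeCalls() };
}
```

With a real page, pass window.gapi as gapi and call getAccessToken before each Execution API request; on an error result, fall back to the immediate: false call from the question to re-prompt the user. The skew margin keeps a request from leaving the browser with a token that expires in transit.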
