GAE 强制通过 app.yaml、python 装饰器或 users.get_current_user 登录? [英] GAE enforcing sign in by app.yaml, python decorators or users.get_current_user?
问题描述
我在我的 app.yaml 配置文件中为 GAE 应用程序使用登录"选项.看起来像这样:
- 网址:/admin/.*脚本:myapp.app登录:管理员- 网址:/.*脚本:myapp.app需要登录更新(根据 bossylobster 的建议):我希望用户始终登录(未签名的用户不能做任何事情),我需要知道用户是谁.实际上,我需要 OAuth2 凭据才能与 Google API 通信(例如,我需要使用 Google Profiles API 获取一些用户的信息,并使用 Google Calendar API 写入用户的日历).最后,我需要一个管理员用户来执行一些操作(例如使用 Google Provisioning API 创建新域的用户)
我正在使用 google-api-client 库,并尝试使用 oauth2 装饰器.然后,在我的 RequestHandlers 中,我有这个:
class MainHandler(webapp.RequestHandler):@decorator.oauth_aware定义获取(自我):如果decorator.has_credentials():# 做一点事别的:url = 装饰器.authorize_url()self.response.out.write(template.render('templates/index.html',{'authorize_url': url}))最后,我阅读了另一种方法:
user = users.get_current_user()如果用户:# 做一点事别的:问候 = ("<a href="%s">登录或注册</a>." %users.create_login_url("/"))self.response.out.write("<html><body>%s</body></html>"% 问候)处理用户身份验证以满足我的需求的最佳方法是什么(请参阅更新)?
非常感谢
我想您可能会混淆 OAuth 2.0 装饰器的作用与其他两种方法.
OAuth 2.0 装饰器并非特定于您的应用,如果您想为用户获取 OAuth 2.0 凭据,然后使用这些凭据与 Google API 通信,则可以使用它.
另外两个只是从 App Engine 设置的会话 cookie 中获取用户信息的简单方法.
如果你真的想要一个装饰器,你可以使用 login_required,记录在这里:
https://developers.google.com/appengine/docs/python/tools/webapp/utilmodule
在 app.yaml 中指定、检查 users.get_current_user 是否为 None 或使用 @login_required 在指定的处理程序上.
您要使用的三个不同时间的粗略近似值如下:
1) 如果你想让用户登录,但不需要知道具体用户,在app.yaml中使用login: required.>
2) 如果想了解用户,但如果用户未登录也有回退,请使用 users.get_current_user 并根据用户定制您的行为或 None 如果这是返回值.
3) 如果您想了解用户并始终让用户登录,请使用 @login_required.
更新:
(基于对需求的进一步解释.)由于您总是希望用户登录并且总是希望他们使用 OAuth 2.0 凭据,因此您应该始终使用 decorator.oauth_required.
至于使用 API,只有 Google Calendar API 可以与google-api-python-client 库.Google Apps Provisioning API 是一个 Google 数据 API,而日历 API 是 基于发现的 API.
因此,您需要使用 gdata-python-client 库 以使用 Provisioning API.您需要从 oth.OAuth2Credentials 对象 到 gdata.gauth.OAuth2Token 对象以对任何一个使用相同的令牌.
使用OAuth2Decorator 时,您将能够通过decorator.credentials() 访问oauth2client.client.OAuth2Credentials 的实例.
第二次更新:
我最近添加对此的支持到gdata-python-client.
from gdata.gauth import OAuth2TokenFromCredentialsauth_token = OAuth2TokenFromCredentials(decorator.credentials())auth_token.authorize(客户端)该实现允许两个令牌/凭据对象 decorator.credentials() 和 auth_token 保持同步,无论您更改哪个对象的值.
I'm using 'login' option in my app.yaml configuration file for a GAE application. Looks like this:
- url: /admin/.*
script: myapp.app
login: admin
- url: /.*
script: myapp.app
login: required
UPDATE (by suggestion of bossylobster): I want a user always signed in (unsigned users can't do anything), and I need to know who the user is. Actually, I need OAuth2 credentials to communicate with Google APIs (for example, I need to fetch some user's info with Google Profiles API, and write in the user's calendar with Google Calendar API). Finally, I need an admin user to perform some operations (like create new domain's users, with Google Provisioning API)
I'm using google-api-client library, and playing around with oauth2 decorators. Then, in my RequestHandlers, I have this:
class MainHandler(webapp.RequestHandler):
@decorator.oauth_aware
def get(self):
if decorator.has_credentials():
# do something
else:
url = decorator.authorize_url()
self.response.out.write(template.render('templates/index.html',
{'authorize_url': url}))
Finally, I've read about another method:
user = users.get_current_user()
if user:
# do something
else:
greeting = ("<a href="%s">Sign in or register</a>." %
users.create_login_url("/"))
self.response.out.write("<html><body>%s</body></html>" % greeting)
What is the best method to handle the user's authentication to fit my needs (see UPDATE)?
Many thanks in advance
I think you may be confusing what the OAuth 2.0 decorator does vs. the other two approaches.
The OAuth 2.0 decorator is not specific to your app, you would use it if you want to get OAuth 2.0 credentials for your users and then use those to communicate with Google APIs.
The other two are simply ways to get the user information from a session cookie that is set by App Engine.
If you really want a decorator, you would use login_required, documented here:
https://developers.google.com/appengine/docs/python/tools/webapp/utilmodule
There is no one best approach between specifying in app.yaml, checking if users.get_current_user is None or using @login_required on specified handlers.
A rough approximation of the three distinct times you'd want to use these are the following:
1) If you want users to be logged in, but don't need to know the specific user, use login: required in app.yaml.
2) If want to know the user, but also have a fallback if the user is not logged in, use users.get_current_user and tailor your behavior to the user or to None if that is the returned value.
3) If you want to know the user and always have one logged in, use @login_required.
UPDATE:
(Based on a further explanation of needs.) Since you always want to log your users in and always want OAuth 2.0 credentials for them, you should always use decorator.oauth_required.
As for using the APIs, only the Google Calendar API can be used with the google-api-python-client library. The Google Apps Provisioning API is a Google Data API, while the Calendar API is a discovery-based API.
As a result, you'll need to use the gdata-python-client library to use the Provisioning API. You'll need to manually convert from a oauth2client.client.OAuth2Credentials object to a gdata.gauth.OAuth2Token object to use the same token for either one.
When using OAuth2Decorator, you'll be able to access an instance of oauth2client.client.OAuth2Credentials via decorator.credentials().
SECOND UPDATE:
I recently added support for this to gdata-python-client.
from gdata.gauth import OAuth2TokenFromCredentials
auth_token = OAuth2TokenFromCredentials(decorator.credentials())
auth_token.authorize(client)
The implementation allows the two token/credentials objects decorator.credentials() and auth_token to stay in sync, no matter which object you change values on.
这篇关于GAE 强制通过 app.yaml、python 装饰器或 users.get_current_user 登录?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
