如何使用 JWT 通过 NodeJS 客户端库访问 Google Directory (Admin SDK)? [英] How do I use JWT to access Google Directory (Admin SDK) using NodeJS client libraries?

问题描述

我正在尝试制作一个服务器应用程序，它将向我的域的组添加/删除用户.请注意，它不会与用户进行任何交互，它是服务器到服务器的应用程序.

I'm trying to make a server application that will add/remove users to my domain's groups. Note that it will not have any interaction with users, it is server-to-server application.

我在 Google API 控制台中注册了我的应用程序，下载了密钥并通过发布将其转换为 .pem

I registered my application in the Google API Console, downloaded the key and transformed it to .pem by issuing

openssl pkcs12 -in my_google_key.p12 -out my_google_key.pem -nocerts -nodes

然后我去了域管理，安全 -> 高级设置 -> 身份验证 -> 管理 OAuth 客户端访问.在那里，我在授权 API 客户端中添加了一条记录.我使用了从控制台中的服务帐户获得的客户端 ID 并使用了范围:

Then I've been to the Domain Administration, Security -> Advanced Settings -> Authentication -> Manage OAuth Client access. There I added a record in Authorized API clients. I used the Client ID I got from the Service Account in Console and used scope:

https://www.googleapis.com/auth/admin.directory.group.

我为nodejs安装了googleapis，使用

I installed googleapis for nodejs, using

npm install googleapis

这是我的代码:

var googleapis = require('googleapis');

var SERVICE_ACCOUNT_EMAIL = 'My Service Account E-mail Address';
var SERVICE_ACCOUNT_KEY_FILE = 'my_google_key.pem'; // The .pem file is at the root of my application

var jwt = new googleapis.auth.JWT(
    SERVICE_ACCOUNT_EMAIL,
    SERVICE_ACCOUNT_KEY_FILE,
    null,
    ['https://www.googleapis.com/auth/admin.directory.group']
);

var client;

googleapis
.discover('admin', 'directory_v1')
.execute(function(err, data) {
    client = data;

    jwt.authorize(function(err, result) {
        console.log(jwt);
        client.admin.groups.list({
            "customer": "my_customer", // This is actually "my_customer"
            "domain": "domain.com" // The domain name I administer
        })
        .withAuthClient(jwt)
        .execute(function(err, result) {
            console.log(err);
            console.log(result);
        });
    });
});

而运行这段代码的结果是:

And the result of running this code is:

{ errors: 
    [ { domain: 'global',
        reason: 'forbidden',
        message: 'Not Authorized to access this resource/api' } ],
    code: 403,
    message: 'Not Authorized to access this resource/api' }

我错过了什么?如何使用 Admin SDK 授权我的应用程序?

What am I missing? How do I authorize my application with the Admin SDK?

推荐答案

1) 确保将域范围的权限委派给您的服务帐户.

1) Make sure you delegate domain wide authority to your service account.

2) 服务帐户必须模拟有权访问 Admin SDK Directory API 的人.

2) Service Accounts must impersonate someone with access to the Admin SDK Directory API.

初始化时包含它:

var jwt = new googleapis.auth.JWT(
    SERVICE_ACCOUNT_EMAIL,
    SERVICE_ACCOUNT_KEY_FILE,
    null,
    ['https://www.googleapis.com/auth/admin.directory.group'],
    account_with_Admin_SDK_access_to_impersonate@example.com
);

文档的这一部分详细解释了这两点:https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account

这篇关于如何使用 JWT 通过 NodeJS 客户端库访问 Google Directory (Admin SDK)?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！