Google API Oauth2:所有用户只有一个刷新令牌? [英] Google API Oauth2: Only one refresh token for all users?
问题描述
我正在使用OAuth2身份验证,并且我有一个拥有多个用户的CMS,每个用户都有自己的配置文件。我们公司有一个Google帐户,可以访问多个Google Analytics帐户。对于使用CMS的每个用户,我使用不同的用户名连接到Google AnalyticsAPI,并将每个用户的令牌保存在数据库数据存储中。问题是,如果有一位用户断开并撤销了他的令牌,那么使用相同Google帐户的其他用户也无法访问Google Analytics API,这是没有道理的。
编辑:进一步调查后,我发现当第一个用户进行身份验证时,保存在数据存储中的令牌包含'refresh_roken'以及'access_token'。但是,当其他用户进行身份验证(他们使用相同的Google帐户,但使用不同的Google Analytics帐户)时,其令牌只会包含access_token。如果其中一人撤销他的代币,所有人都将失去联系。
我该如何阻止这种情况发生,并让每个用户都能收到他自己的refresh_token?
编辑2:
我在数据存储中存储单独的行,每个用户存储一行。让我澄清 - 如果你看看
服务帐号是一种不需要用户的认证验证它。它通过在开发者控制台中创建服务帐户身份验证,然后获取电子邮件地址并将其添加到Google Analytics(分析)管理员,就像您对其他任何用户一样。现在,服务帐户可以像用户一样直接访问Google Analytics(分析)帐户。然后,您的应用程序从API请求数据,而不会提示用户进行访问。您可以显示Liz,Jim,并请求他们验证所有数据。
I am using OAuth2 Authentication, and I have a CMS with multiple users, each with their own profiles. It happens that our company has a Google account with access to multiple Analytics accounts. For each user who uses the CMS, I connect to the Google Analytics API using a different username, and each user’s token is saved in a database data store. The problem is, if one user disconnects and revokes his token, none of the other users who use the same Google account will be able to access the Analytics API either, which doesn’t make sense.
EDIT: After further investigation, I found that when the first user authenticates, the token saved in the data store contains a 'refresh_roken' as well as an 'access_token'. However, when other users authenticate (they use the same google account, but different Analytics accounts), their tokens will only contain the 'access_token'. If one of them revokes his token, all will lose their connections.
How can I stop this from happening and have each user receive his own refresh_token?
EDIT 2:
I do store separate rows in the data store, one for each user. Let me clarify - if you look at this diagram, imagine a CMS where one CMS user needs to see statistics from "Liz's Personal Account", and another CMS user needs to see stats from "Liz's Team Account".
Both CMS users are from the same company, and they both use the same google account - "liz@gmail.com". CMS user A connects to the Analytics API using "liz@gmail.com", receives a refresh_token and wants to view statistics for "Liz's Website". Then CMS user B connects to the Analytics API also using "liz@gmail.com", but now he doesn't receive a refresh_token anymore, only an access_token - this is a problem because the user will be asked again to connect after the access_token expires.
What I was normally doing when one user was disconnecting was to delete the token from the data store AND revoke the token, but maybe I shouldn't revoke it, should I? In any case, if in my scenario user A disconnects, this deletes his data store token, which means we won't have the refresh_token stored anymore, as user B didn't have it in the first place.
User accounts diagram:
I think you need to check databaseDatastore. If done correctly your database datastore should be storing refreshTokens for each of your users identified by userName in your code.
When a new user authenticates you should be inserting a new row in the database for them.
// New User we insert it into the database
string insertString = "INSERT INTO [dbo].[GoogleUser] ([username],[RefreshToken],[Userid]) " +
" VALUES (@key,@value,'1' )";
Then when you want to access it again you should be selecting it out by again by username
using (SqlCommand command = new SqlCommand("select RefreshToken from GoogleUser where UserName = @username;", myConnection))
If for some reason it doesn't work then you should delete only this one user. it almost sounds like if one authentication fails you are deleting them all.
// Deletes the users data.
string deleteString = "delete [dbo].[GoogleUser] from " +
" where username = @key";
Without seeing how you have implemented databasedatastore I cant help more, but this is my version of databasedatastore.cs
Update:
If you are only accessing a single Google Analytics account you should be using a Service account.
Update in response to your update
You need to have a look at my database datastore. But seriously you should not have more then one user using the same gmail account.
Step one:
User liz@gmail.com logs into your app authenticates the app, a row should be inserted into your database username liz@gmail.com with a refreshtoken. your databasedatastore should handle saveing it.
when the access token expires assuming that you have created databasedatastore correctly it will use the refreshtoken to automaticly get a new access token for user name liz@gmail.com.
Step 2:
Some other person logs in with liz@gmail.com, database data store checks the database for user name liz@gmail.com and gets the refresh token associated with liz@gmail.com and requests a new access token.
You should not be deleting refresh tokens or users from the database unless for some reason it doesn't work. It may not work if a user went to the Google account and revoked your access. There should be only one username liz@gmail.com and refresh token associated for it.
A service account is a type of authentication that doesn't require a user to authenticate it. It works by creating a service account authentication in the developer console then taking the email address and adding it to the Google analytics admin like you would any other user. Now the service account has access to the google analytics account directly just like a user.
Then your application request data from the API without prompting a user for access. You can show Liz , Jim and sue all the data with out asking them to authenticate.
这篇关于Google API Oauth2:所有用户只有一个刷新令牌?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
