Using OAuth2 with service account on gdata in python


Problem description


I want to use data.photos.service.PhotosService to push and pull photos from Picasa. I got a service key file XXXXXXXX-privatekey.p12 from Google console and am now trying to authenticate using said key with Google.

The documentation for OAUTH2 using appengine has led me to believe that using the following would be of use:

f = file(settings.SITE_ROOT + '/aurora/' + settings.PRIVATE_KEY, 'rb')
key = f.read()
f.close()

credentials = SignedJwtAssertionCredentials(settings.SERVICE_ACCOUNT_NAME, key, scope = 'http://picasaweb.google.com/data https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile')
http = httplib2.Http()
http = credentials.authorize(http)
service = build("oauth2", "v2", http=http)
user_info = None
try:
  user_info = service.userinfo().get().execute()
  # neither of these two methods work
  #gd_client.SetOAuthInputParameters(signature_method = gdata.auth.OAuthSignatureMethod.RSA_SHA1, consumer_key = "asdfasdfasdf.apps.googleusercontent.com", rsa_key = key, two_legged_oauth = True, requestor_id = user_info.get('email'))
  #gd_client.auth_token = gdata.gauth.TwoLeggedOAuthRsaToken(consumer_key = user_info.get('email'), rsa_private_key = key, requestor_id = user_info.get('email'))
except errors.HttpError, e:
  logging.error('An error occurred: %s', e)

user_inf0 = {u'verified_email': True, u'id': u'1234', u'name': u'asdfasdfasdf@developer.gserviceaccount.com', u'email': u'asdfasdfasdf@developer.gserviceaccount.com'}

The issue is that either method 1 using SetOAuthInputParameters returns an invalid token, or method 2 returns a 403 restricted.

I am at my wits' end reading through mountains of code that all do regular 3 legged oauth when I really and truly do not want to do it that way. Any ideas/articles I haven't seen yet?

Solution

Use gdata.gauth.OAuth2TokenFromCredentials.

auth2token = gdata.gauth.OAuth2TokenFromCredentials(credentials)
gd_client = auth2token.authorize(gd_client)

OAuth2TokenFromCredentials is designed to help you use apiclient and gdata at the same time. Under the covers, it uses the credentials for making sure it has the auth information it needs to perform gdata calls.

Note, if you still get 403, it may be something else entirely. I was using a service account to access a user's data and was getting 403 because I hadn't spec'd the user properly in the SignedJwtAssertionCredentials call.

UPDATE: Here's the basic pattern I used:

import httplib2
import gdata.gauth
import gdata.photos.service
from oauth2client.client import SignedJwtAssertionCredentials

# Service-account credentials; sub is the user whose data is accessed.
credentials = SignedJwtAssertionCredentials(
    "XXXXXXXXXXX@developer.gserviceaccount.com",
    open("keyfile").read(),
    scope=(
        "https://www.googleapis.com/auth/drive",
        "https://spreadsheets.google.com/feeds",
        "https://docs.google.com/feeds"
    ), # For example.
    sub="user@gmail.com"
)
http = httplib2.Http()
http = credentials.authorize(http) # Not needed? See comment below.
# Wrap the OAuth2 credentials in a token object that gdata clients accept.
auth2token = gdata.gauth.OAuth2TokenFromCredentials(credentials)
gd_client = gdata.photos.service.PhotosService() # For example.
gd_client = auth2token.authorize(gd_client)
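
The answer attributes its 403 to the user not being specified properly in the SignedJwtAssertionCredentials call; that user travels as the `sub` claim of the JWT assertion sent to Google. As an added example (not part of the original answer and not oauth2client's code), the standard-library code below builds the unsigned part of such an assertion and audits its claims before any request is made; the function names, sample addresses and the token endpoint constant are assumptions for illustration.

```python
import base64
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"  # assumed "aud": Google's token endpoint
MAX_LIFETIME = 3600  # exp may be at most one hour after iat


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_signing_input(service_account, scopes, sub=None, now=None):
    """Return '<header>.<claims>', the part of the assertion that gets RS256-signed."""
    now = int(time.time()) if now is None else now
    claims = {"iss": service_account, "scope": " ".join(scopes),
              "aud": TOKEN_URI, "iat": now, "exp": now + MAX_LIFETIME}
    if sub is not None:
        claims["sub"] = sub  # the user the service account acts for
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join(_b64url(json.dumps(part, sort_keys=True).encode("utf-8"))
                    for part in (header, claims))


def decode_claims(assertion):
    """Decode the claim set of an assertion (a signature segment, if any, is ignored)."""
    payload = assertion.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audit_claims(claims, required_scope, expected_user=None):
    """List mismatches between the assertion and what the caller intended."""
    problems = []
    if required_scope not in claims.get("scope", "").split():
        problems.append("scope %r not requested" % required_scope)
    if expected_user is not None and claims.get("sub") != expected_user:
        problems.append("sub is %r, expected %r" % (claims.get("sub"), expected_user))
    if claims.get("exp", 0) - claims.get("iat", 0) > MAX_LIFETIME:
        problems.append("lifetime exceeds %d seconds" % MAX_LIFETIME)
    return problems


# Constructed sample values, not taken from a real project.
SA = "example-sa@developer.gserviceaccount.com"
PICASA = "http://picasaweb.google.com/data"
without_sub = build_signing_input(SA, [PICASA], now=1400000000)
with_sub = build_signing_input(SA, [PICASA], sub="user@example.com", now=1400000000)
```

Running `audit_claims(decode_claims(without_sub), PICASA, "user@example.com")` reports the missing `sub`, the same gap the answer describes, without touching the private key or the network.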
