GCP验证:RefreshError [英] GCP Authentication: RefreshError

问题描述

为了在我们的GCP后端中往返测试邮件发送代码，我正在向GMail收件箱发送电子邮件，并尝试验证其到达.从GMail API文档粘贴并嵌入到函数中，目前对GMail API进行身份验证的机制是相当标准的.

In order to round-trip test mail sending code in our GCP backend I am sending an email to a GMail inbox and attempting to verify its arrival. The current mechanism for authentication to the GMail API is fairly standard, pasted from the GMail API documentation and embedded in a function:

def authenticate():
    """Authenticates to the Gmail API using data in credentials.json,
    returning the service instance for use in queries etc."""
    store = file.Storage('token.json')
    creds = store.get()
    if not creds or creds.invalid:
        flow = client.flow_from_clientsecrets(CRED_FILE_PATH, SCOPES)
        creds = tools.run_flow(flow, store)
    service = build('gmail', 'v1', http=creds.authorize(Http()))
    return service

CRED_FILE_PATH指向该服务的已下载凭据文件. token.json文件的缺失会在通过浏览器窗口进行身份验证交互之后触发其重新创建，令牌的到期也是如此.

CRED_FILE_PATH points to a downloaded credentials file for the service. The absence of the token.json file triggers its re-creation after an authentication interaction via a browser window, as does the token's expiry.

这是一项集成测试，必须无头运行(即，不得进行任何交互).当需要重新认证时，当认证流开始访问sys.argv时，测试当前会引发异常，这意味着它会看到pytest的参数！

This is an integration test that must run headless (i.e. with no interaction whatsoever). When re-authentication is required the test currently raises an exception when the authentication flow starts to access sys.argv, which means it sees the arguments to pytest!

我一直在尝试找出如何使用不需要用户交互的机制(例如API密钥)可靠地进行身份验证.文档或Stackoverflow上的所有内容似乎都无法回答这个问题.

I've been trying to find out how to authenticate reliably using a mechanism that does not require user interaction (such as an API key). Nothing in the documentation or on Stackoverflow seems to answer this question.

最近的工作是使用具有GMail委派的服务帐户中的密钥文件来避免交互式Oauth2流.

A more recent effort uses the keyfile from a service account with GMail delegation to avoid the interactive Oauth2 flows.

def authenticate():
    """Authenticates to the Gmail API using data in g_suite_access.json,
    returning the service instance for use in queries etc."""
    main_cred = service_account.Credentials.from_service_account_file(
        CRED_FILE_PATH, scopes=SCOPES)
    # Establish limited credential to minimise any damage.
    credentials = main_cred.with_subject(GMAIL_USER)
    service = build('gmail', 'v1', credentials=credentials)
    return service

在尝试通过以下方式使用此服务

On trying to use this service with

        response = service.users().messages().list(userId='me',
                                    q=f'subject:{subject}').execute()

我得到:

google.auth.exceptions.RefreshError:
  ('unauthorized_client: Client is unauthorized to retrieve access tokens using this method.',
   '{\n "error": "unauthorized_client",\n "error_description": "Client is unauthorized to retrieve access tokens using this method."\n}')

我觉得有些根本的东西我不了解.

I get the feeling there's something fundamental I'm not understanding.

推荐答案

该服务帐户需要获得授权，否则无法访问该域的电子邮件.

The service account needs to be authorized or it cant access the emails for the domain.

未授权客户端使用此方法检索访问令牌"

"Client is unauthorized to retrieve access tokens using this method"

表示您未正确授权它；检查将域范围的权限委派给服务帐户

Means that you have not authorized it properly; check Delegating domain-wide authority to the service account

来源:未授权客户端使用此方法Gmail API C#来检索访问令牌

这篇关于GCP验证:RefreshError的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！