通过网络浏览器访问Google Drive API应用程序数据的凭据(JavaScript) [英] Google Drive API Application data accessing credentials from Web browser(Javascript)
问题描述
我正在尝试从Google控制台获取凭据,以通过Web browser(Javascript)选项访问我的应用程序驱动器数据(以便稍后使用Picker API).但是,当我选择应用程序数据"(访问属于您自己的应用程序的数据)选项时,我收到消息:
无法从Web浏览器安全地访问应用程序数据. 请考虑选择其他平台.
任何人都可以解释一下,为什么它不安全,以及如何使用Web浏览器访问我的应用程序数据,也许应该选择其他凭据?
谢谢.
您可以通过三种可能的方式访问Google云端硬盘数据:
- 通过OAuth浏览器:向用户打开一个弹出窗口,他登录到他/她的Google帐户并获得访问令牌.在向驱动器api发出的每个请求中,您都将此令牌作为参数密钥传递.
- 通过api密钥浏览器:无需登录,Google仅需要知道哪个应用程序正在使用其服务,即可使用此密钥.这是最简单的选项,在没有服务器端应用程序且仅需要访问公共数据时使用.您无法通过此方法访问任何私人文件.
- 服务器端:您使用私钥进行身份验证.对驱动器api的所有请求都只能在后端进行,将您的密钥共享到javascript代码中是不安全的.
我想您正在尝试第二种选择.我遇到了同样的问题,当您逐步进行操作时,它说对于Drive来说是不安全的,我不明白,因为您将共享一个公共密钥,并且只能访问可公开访问的文件.
要生成此密钥,您可以 https://console.developers.google.com/apis/credentials 单击创建证书",然后选择"API密钥".
请记住,api密钥对于执行需要特殊权限的操作是无用的,唯一可以做的就是读取公共文件/文件夹.
现在,如果不是第二个选项,则需要在浏览器中访问应用程序的私有数据.出于确切原因说不可能,不安全,这是不可能的.密钥会在您提出的每个请求中显示,对于某人来说,窃取您的密钥并为您的云端硬盘帐户做他想做的事情很容易.
但是,如果您需要在浏览器中访问私有内容,我想您已经拥有一个登录系统,如果没有,则没有理由在Google云端硬盘中将其私有(无论如何,任何人都可以访问).如果您具有登录系统,则必须具有服务器端应用程序.在这种情况下,正确的做法是将对Drive api的所有调用移到后端,并使用私钥(上一个列表中的第三个选项)进行身份验证.
I'm trying to obtain credentials from Google Console to access my Application Drive data through Web browser(Javascript) option (In order to use Picker API latter on). But when I select option Application data(Access data belonging to your own application) I got the message:
Application data cannot be accessed securely from a web browser. Please consider selecting another platform.
Can anyone explain, why It is not secure, and how can I access my application data using Web browser, maybe should choose different credentials?
Thanks.
You can access your Google Drive Data in three possible ways:
- Browser through OAuth: a pop-up opens to the user, he logs into his/her Google account and get an access-token. You pass this token as the parameter key in every request you make to the drive api.
- Browser through api key: there's no need to log in, Google need this key only to know which app is using their services. It's the simplest option, you use this when you don't have a server-side application and need to access only public data. You can't access any private file through this method.
- Serverside: You use a private key to authenticate. All requests to the drive api MUST be made only in the backend, it would be insecure to share your key in a javascript code.
I suppose you're trying the second option. I had the same problem, when you are going through the step-by-step it says it would be insecure for Drive, which I don't understand, since you'd be sharing a public key and be acessing only publicly available files.
To generate this key you can go https://console.developers.google.com/apis/credentials click "create creadential" and select "API key".
Just remember, the api key is useless to do anything you'd need special permissions to, the only thing you can do with this is read public files/folders.
Now, if it's not the second option you need, if you need to access private data of your application in the browser. It's not possible for the exact reason it says it isn't, it's not secure. The key would be visible in every request you make, it would be very easy for someone to steal your key and do whatever he/she wants to your Drive account.
But, if you need to access private stuff in the browser I suppose you have a login system, if not, there's no reason for it to be private in Google Drive (anyone would have access anyway). If you have a login system you must have a server-side application. In this case, the correct thing to do is move all your calls to the Drive api to your backend and use a private key (third option in the previous list) to authenticate.
这篇关于通过网络浏览器访问Google Drive API应用程序数据的凭据(JavaScript)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
