Google OAuth 2.0-具有离线访问权限的增量授权 [英] Google OAuth 2.0 - Incremental authorization with offline access

问题描述

我正在尝试在我的Google Oauth2中实现增量授权应用.

I'm trying to implement incremental authorization with Google Oauth2 in my application.

首先，当用户登录时，应用程序正在请求某些范围和脱机访问.我将在数据库中生成并存储refreshToken，以便可以在需要时刷新访问令牌以进行API调用.

At first, when users sign in, the application is requesting some scopes and offline access. I'm generating and storing the refreshToken in my database so I can refresh access tokens to make API calls when needed.

现在，我将实现一个新功能，该功能将要求一个新的作用域，但仅当用户尝试使用此新功能时，我才想请求该作用域.

Now I'm going to implement a new functionality that will request a new scope, but I would like to ask for this scope only if users try to use this new functionality.

我面临的问题是，当应用程序提示用户同意新范围时，Google要求访问所有先前接受的范围.

The problem I'm facing is that, when the application promts users to consent for new scope, Google is requesting access for all the previously accepted scopes.

我尝试了没有脱机访问权限(使用授予"方法)，并且似乎可以正常运行(如说明中所述:向用户请求其他范围.").这样做，Google仅请求新的作用域，并且生成的访问令牌似乎运行良好.但是，如果我尝试进行离线访问(使用"grantOfflineAccess"方法)，Google会要求所有范围.如果我再次接受所有范围，它将返回一个授权代码，并且我可以再次生成refreshToken，但是我只想接受新的范围.

I have tried without offline access (using 'grant' method) and it seems to be working (as the description says 'Request additional scopes to the user.'). Doing that, Google is only requesting new scope and the access token generated seems to work fine. But if I try with offline access (using 'grantOfflineAccess' method), Google asks for all the scopes. If I accept all the scopes again, it returns an authorization code and I can generate the refreshToken again, but I would like to do that only accepting the new scope.

我想知道在请求脱机访问时可能无法执行此操作，因为您需要生成一个包含所有作用域的新的refreshToken，但是我找不到与此有关的任何信息.

I was wondering maybe it's not possible to do it when requesting offline access, as you need to generate a new refreshToken with all the scopes, but I couldn't find any information about this.

我做错什么了吗，还是无法通过离线访问实现?

Am I doing anything wrong or is it not possible to achieve this with offline access?

更新:还会生成URL(而不是使用JS库)，如此处，Google会要求所有范围.这将是生成的URL的示例:

UPDATE: Also generating the URL (instead of using the JS library) as explained here, Google asks for all the scopes. This would be an example of the generated URL:

https://accounts.google.com/o/oauth2/v2/auth?
  scope=my_new_scope&
  redirect_uri=https://myapp.example.com/callback&
  response_type=code&
  client_id=my_client_id&
  prompt=consent&
  include_granted_scopes=true

UPDATE2 :我发现了一个此处报告的问题 ，其中有人评论说无法对已安装的应用程序执行此操作.但是有一条注释解释了如何使用Web服务器流，这是使用OAuth2游乐场的步骤( https://developers.google.com/oauthplayground ):

UPDATE2: I've found a reported issue here, where someone commented that it's not possible to do it for installed applications. But there is a comment explaining how to do it with web server flow, these are the steps using OAuth2 playground (https://developers.google.com/oauthplayground):

1)选择Google日历范围.

1) Select the Google Calendar scope.

2)授权访问权限

3)交换令牌代码.

4)向令牌信息端点发出请求: > https://www.googleapis.com/oauth2/v2/tokeninfo?access_token= ...

4) Make request to the token info endpoint: https://www.googleapis.com/oauth2/v2/tokeninfo?access_token=...

5)验证令牌仅包含Google日历范围.

5) Verify that the token only contains the Google Calendar scope.

6)取消选择Google日历范围，然后选择Google云端硬盘 范围.

6) De-select the Google Calendar scope and select the Google Drive scope.

7)在授权窗口中编辑URL并附加 & include_granted_scopes = true.

7) Edit the URL in the authorization window and append &include_granted_scopes=true.

8)授权驱动器作用域.

8) Authorize the Drive scope.

9)将代码交换为令牌.

9) Exchange the code for a token.

10)向令牌信息端点发出请求.

10) Make request to the token info endpoint.

11)确认它既包含日历"作用域又包含驱动器"作用域.

11) Verify that it contains both the Calendar and Drive scopes.

这样做，我在第一个验证中得到了日历范围，在第二个验证中得到了驱动器范围.即使使用刷新令牌，我也无法同时获得两个作用域的访问令牌.之后，这很奇怪，我检查了具有我的帐户访问权限的应用程序，并且OAuth2 Playground具有两个作用域:

Doing the same I get Calendar scope in the first verification and Drive scope in the second one. Even using the refresh token I cannot get an access token with both scopes. After that, and this is pretty strange, I've checked the applications with access to my account and OAuth2 playground has both scopes:

提前谢谢！

推荐答案

我终于完成了使用JS库实现增量授权的工作.使用 grantOfflineAccess函数，您可以发送新范围想要要求.默认情况下，当您使用 gapi.auth2.authorize <时，include_granted_scopes为true./a>.

I've finally accomplished to implement incremental authorization using JS library. Using grantOfflineAccess function you can send the new scopes you want to request. By default include_granted_scopes is true when you use gapi.auth2.authorize.

因此，您只需要发送新范围，例如:

So you just need to send the new scopes, for example:

GoogleUser.grantOfflineAccess({scope: 'https://www.googleapis.com/auth/drive https://www.googleapis.com/auth/calendar'}

然后，您将收到授权码，以换取refreshToken.您可以通过使用新的refreshToken生成一个access_token并调用令牌信息端点来检查一切是否正常: https://www.googleapis.com/oauth2/v2/tokeninfo?access_token= ...

Then you will receive an authorization code to exchange for a refreshToken. You can check everything works by generating an access_token with the new refreshToken and calling the token info endpoint: https://www.googleapis.com/oauth2/v2/tokeninfo?access_token=...

我确定这是我一开始尝试过的方法，所以我想我做错了.

I'm sure this was something I've tried at first, so I guess I was doing something wrong.

无论如何，由于 an库问题.基本上，问题在于，为了获得更好的用户体验并避免出现问题，您应该能够使用prompt: 'consent'，以便用户无需选择帐户即可接受新范围.但这是不可能的，如果用户选择不同的帐户来接受应用程序中的不同范围，则可能会遇到问题.

Anyways, I have decided to not use incremental authorization due to an issue with the library. Basically the problem is that, for a better user experience and to avoid problems, you should be able to use prompt: 'consent' so the user doesn't need to select an account to accept new scopes. But this is not possible and you could have problems if users select different accounts to accept different scopes from your application.

这篇关于Google OAuth 2.0-具有离线访问权限的增量授权的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！