如何以编程方式创建Google Apps用户帐户 [英] How can I create google apps user account programatically

问题描述

我的组织(波兰侦察兵协会)拥有自己的Google Apps域，每个侦察兵都必须拥有一个电子邮件地址.

My organisation (Polish Scouting Association) has it's own google apps domain, and every scout is entiteled to have one e-mail address.

我们决定创建一个WWW应用程序，用户可以在其中进行授权，并设置自己的Google Apps帐户.为此，我们需要一种非互动式的互动式方式来创建Google Apps帐户.

We decided to create an WWW application in which user can authorize, and sets up his own google apps account. To do this we need to have a progammatic, non-interactive a way to create google apps accounts.

要明确:

1. 用户使用我们在整个组织中使用的凭据登录到我们的应用程序
2. 他开始创建Google Apps帐户
3. 我们的应用程序创建了他的Google Apps帐户

可以使用已弃用的 Google Data API 完成此操作.另一种方法似乎是通过 Google Admin目录API ，但是根据文档，需要实际的物理用户使用Oauth2授权请求.

This could be done using Google Data API, which is deprecated. Another way seems to be via Google Admin directory API, but according to the documentation there needs to be physical human user to authorize requests using Oauth2.

在示例中，提出了以下流程:

In the example following flow is proposed:

flow = OAuth2WebServerFlow(CLIENT_ID, CLIENT_SECRET, OAUTH_SCOPE, REDIRECT_URI)
authorize_url = flow.step1_get_authorize_url()
print 'Go to the following link in your browser: ' + authorize_url
code = raw_input('Enter verification code: ').strip()
credentials = flow.step2_exchange(code)

似乎我需要使用 OAuth2方案 ，(我想)这意味着某个拥有管理员权限的在世者会授权每个请求，在我们的情况下，我们显然希望用户能够初始化帐户创建.

And it seems that I need to use OAuth2 scheme, which (I guess) implies that some living person with admin right authorizes every request, in our case we obviously want user to be able to initialize account creation.

是否可以使用此(或任何其他)API?

Is this possible using this (or any other) API?

推荐答案

@David的答案使我走上了正确的轨道，但是在使用服务帐户时遇到了一些问题.

@David answer got me on the right track, but I had some problems with using a service account.

我决定使用服务帐户和模拟API，请注意，这将为您的应用程序提供非常高的访问权限，并显着提高安全性！

I decided to use service account and impersonation API, beware that this gives a very high level of access to your applicaiton and raises the security bar consideably!

无论如何，这是您需要做的:

Anyways, here is what you need to do:

按照本教程进行操作，但是当设置凭据创建服务帐户

Follow this tutorial, but when setting up credentials create a service account

这是页面的重要内容:

(...)，您可以在开发人员中自行激活Admin SDK 通过执行以下操作进行控制台:

(...) you can activate the Admin SDK yourself in the Developers Console by doing the following:

• 转到Google Developers Console.
• 选择一个项目，或创建一个新项目.
• 在左侧的边栏中，展开APIs&授权接下来，单击API.在API列表中，确保Admin SDK的状态为开".
• 在左侧的边栏中，选择凭据".
• 无论哪种情况，您都将进入凭据"页面，并可以从此处创建项目的凭据.

• Go to the Google Developers Console.
• Select a project, or create a new one.
• In the sidebar on the left, expand APIs & auth. Next, click APIs. In the list of APIs, make sure the status is ON for the Admin SDK.
• In the sidebar on the left, select Credentials.
• In either case, you end up on the Credentials page and can create your project's credentials from here.

如果还没有这样做，请通过以下方式创建OAuth 2.0凭据: 点击OAuth标题下的创建新的客户端ID.接下来，寻找 您的应用程序的客户ID和客户机密在相关表中 您也可以从此页面创建和编辑重定向URI.

If you haven't done so already, create your OAuth 2.0 credentials by clicking Create new Client ID under the OAuth heading. Next, look for your application's client ID and client secret in the relevant table You may also create and edit redirect URIs from this page.

域范围内的授权

使用本指南对您的代码执行域范围的授权..

1. 转到您的Google Apps域的管理控制台.
2. 从控件列表中选择安全性".如果您未看到安全性"列表，请从底部的灰色栏中选择更多控件. 页，然后从控件列表中选择安全性".
3. 从选项列表中选择高级设置".
4. 在身份验证"部分中选择管理第三方OAuth客户端访问权限".
5. 在客户名称"字段中输入服务帐户的客户ID.
6. 在一个或多个API范围"字段中，输入应授予您的应用程序访问权限的范围列表(请参见下图).为了 如果您需要在域范围内访问Google Drive API和 Google Calendar API输入: https://www.googleapis.com/auth/drive ， https://www.googleapis.com/auth/calendar 单击授权按钮.

1. Go to your Google Apps domain’s Admin console.
2. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
3. Select Advanced settings from the list of options.
4. Select Manage third party OAuth Client access in the Authentication section.
5. In the Client name field enter the service account's Client ID.
6. In the One or More API Scopes field enter the list of scopes that your application should be granted access to (see image below). For example if you need domain-wide access to the Google Drive API and the Google Calendar API enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar Click the Authorize button.

请注意，您需要在第5步中提供Client ID而不是Email Address.

Please note that you'll need to provide Client ID not Email Address in step 5.

请参见范围列表.

安装google-api-python-client，将PyCrypto设置为PyOpenSSL(您可以省略PyOpenSSL)，但是随后您需要转换下载的证书.

Install google-api-python-client, PyCrypto an PyOpenSSL (you may omit PyOpenSSL), but then you'll need to convert downloaded certificate.

with open('private/key-filename.p12', 'rb') as f:
    private_key = f.read()

credentials = SignedJwtAssertionCredentials(
   'user-email-@developer.gserviceaccount.com', # Email address [1]
   private_key,
   'https://www.googleapis.com/auth/admin.directory.user',
   sub="impersonated-user@foo.bar" # Impersonate user [2])

• 1 是服务帐户电子邮件地址，并且 2 是 admin 的现有地址.您域中的坚强"用户.从现在开始，将使用此命令执行API采取的所有操作(标记为 2 )用户授权和凭证.
• 请注意， 1 包含步骤5中的服务帐户>(与客户ID不同).
• Where 1 is an service account e-mail address, and 2 is an already existing address of admin user in your domain. From now on all actions taken by the API will be performed using this (marked by 2) user authorisation and credentials.
• Note that 1 contains Email Address of Service account (this is different from Client ID) in step 5.

现在，您应该具有对API的读写帐户.

Now you should have read-write account to your API.

这篇关于如何以编程方式创建Google Apps用户帐户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！