“执行该动作需要授权".消息，即使在单击“允许"后也是如此. [英] "Authorisation is required to perform that action" message, even after clicking "Allow"

问题描述

我最近遇到了一个问题，即授权一个新的Google App Script项目，特别是使用Cloud SQL admin API的一个项目.

I've recently run into an issue authorising a new Google App Script project, specifically one using the Cloud SQL admin API.

相同的代码存在于先前授权的GAS项目中，并且可以正常工作，但是如果我复制GAS项目并尝试首次运行功能，则无法完成授权过程.我正在浏览的屏幕如下:

The same code exists in previously authorised GAS projects and works fine, but if I take a copy of the GAS project and try to run a function for the first time I'm unable to complete the authorisation process. The screens I'm going through are listed below:

1. 需要授权. -点击查看权限"
2. 选择一个帐户来授权Google项目. -点击了我的帐户
3. 此应用未通过验证！ -点击转到项目 (不安全)"
4. Google项目希望访问此范围列表.-单击允许"
5. 执行该操作需要授权.

1. Authorisation Required. - clicked "Review Permissions"
2. Choose an account to authorise the Google project. - clicked my account
3. This app isn't verified! - clicked "Go to project (unsafe)"
4. Google project wants access to this list of scopes.- clicked "Allow"
5. Authorisation is required to perform that action.

警告屏幕(3)是该过程的最新内容.今年初我创建并运行新项目时，我不会忘记遇到它.我想知道Google最近是否对OAuth2.0的安全性实现进行了任何更改.

The warning screen (3) is a recent addition to the process. I don't rememeber encountering it when I've created and run new projects earlier this year. I'm wondering if Google has made any changes to their security implementation of OAuth2.0 recently.

此外，此问题似乎仅影响对Cloud SQL admin API的REST调用.在上述同一项目中，我能够运行将数据写入BigQuery表的函数，该函数也位于托管Google SQL实例的同一Google项目中.显然，可以使某些范围和代码起作用.

Also, this issue only seems to affect REST calls to the Cloud SQL admin API. In the same project mentioned above I am able to run functions which write data to BigQuery tables in the same Google project which is also hosting the Cloud SQL instances. Clearly some scopes and code can be made to work.

" https://www.googleapis.com/auth/sqlservice.admin"范围包含在我请求并批准的列表中.我什至尝试手动编辑URL以添加所请求的更多范围，但仍然无法通过执行此操作需要授权"屏幕.

The "https://www.googleapis.com/auth/sqlservice.admin" scope is included in the list of those I requested and approve. I even tried manually editing the URL to add more scopes being requested and it still doesn't get me passed the "Authorisation is required to perform that action" screen.

有人有什么主意吗?

正在触发验证的相关代码.

The code in question which is triggering the authentication.

// Function to get the ip address of a given CloudSQL instance
function _getInstanceIpAddress_(projectId, sqlInstance) {

  var token = _getAuthenticationToken_();

  // Create the header authorisation  
  var headers = {
    "Authorization": "Bearer " + token
  };

  // Create the Cloud SQL instances get parameters
  var parameters = {
    "method": "get",    
    "headers": headers,
    "instance": sqlInstance,
    "project": projectId,
    "muteHttpExceptions": true
  };

  // Create the url of the sql instances get API    
  var api = "https://www.googleapis.com/sql/v1beta4/projects/" + projectId + "/instances/" + sqlInstance + "?fields=ipAddresses";   

  try {
    // Use the url fetch service to issue the https request and capture the response
    var response = UrlFetchApp.fetch(api, parameters);    

    // Extract the ip address of the instance from the response
    var content = JSON.parse(response.getContentText());

    return content.ipAddresses[0].ipAddress; 
  } catch(err) {
    _log_('ERROR', 'Getting ' + sqlInstance + ' instance ip address failed: ' + err);
    return null;
  }
}

function _getAuthenticationToken_() {
  // Check we have access to the service
  var service = getService();
  if (!service.hasAccess()) {
    var authorizationUrl = service.getAuthorizationUrl();
    _log_('INFO', 'Open the following URL and re-run the script: ' + authorizationUrl);
    return;
  }

  Logger.log('Passed Authentication');

  //Get the Access Token
  return service.getAccessToken();

  function getService() {
    // Create a new service with the given name. The name will be used when
    // persisting the authorized token, so ensure it is unique within the
    // scope of the property store.
    return OAuth2.createService('companyName-dev-service')

    // Set the endpoint URLs, which are the same for all Google services.
    .setAuthorizationBaseUrl('https://accounts.google.com/o/oauth2/auth')
    .setTokenUrl('https://accounts.google.com/o/oauth2/token')

    // Set the client ID and secret, from the Google Developers Console.
    .setClientId(CLIENT_ID)
    .setClientSecret(CLIENT_SECRET)

    // Set the name of the callback function in the script referenced
    // above that should be invoked to complete the OAuth flow.
    .setCallbackFunction('authCallback')

    // Set the property store where authorized tokens should be persisted.
    .setPropertyStore(PropertiesService.getUserProperties())

    // Set the scopes to request (space-separated for Google services).
    // this is admin access for the sqlservice and access to the cloud-platform:
    .setScope(
      'https://www.googleapis.com/auth/sqlservice.admin ' + 
      'https://www.googleapis.com/auth/cloud-platform')

    //Removed because this Should be covered by cloud-platform
    //'https://www.googleapis.com/auth/devstorage.read_write ' 

    // Below are Google-specific OAuth2 parameters.

    // Sets the login hint, which will prevent the account chooser screen
    // from being shown to users logged in with multiple accounts.
    .setParam('login_hint', Session.getActiveUser().getEmail())

    // Requests offline access.
    .setParam('access_type', 'offline')

    // Forces the approval prompt every time. This is useful for testing,
    // but not desirable in a production application.
    .setParam('approval_prompt', 'force');
  }

  function authCallback(request) {
    var cloudSQLService = getService();
    var isAuthorized = cloudSQLService.handleCallback(request);

    if (isAuthorized) {
      _log_('INFO', 'Access Approved');
      return HtmlService.createHtmlOutput('Success! You can close this tab.');
    } else {
      _log_('INFO', 'Access Denied');
      return HtmlService.createHtmlOutput('Denied. You can close this tab');
    }
  }
}

推荐答案

我们在Google Compute Engine API中遇到了类似的问题.根据本文在appsscript.json文件中明确设置范围为我们解决了这个问题:

We had a similar issue with the Google Compute Engine API. Setting the scopes explicitly in the appsscript.json file as per this article solved it for us:

"oauthScopes": [
    "https://www.googleapis.com/auth/spreadsheets.readonly",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/script.container.ui",
    "https://www.googleapis.com/auth/script.external_request",
    "https://www.googleapis.com/auth/spreadsheets",
    "https://www.googleapis.com/auth/compute",
    "https://www.googleapis.com/auth/cloud-platform"
  ],

这篇关于“执行该动作需要授权".消息，即使在单击“允许"后也是如此.的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！