如何在脚本中使用Google应用专用密码? [英] How to use Google application-specific password in script?

问题描述

自从在Google上启用两要素身份验证(又称为两步验证)以来，我的 Google导出脚本不再工作.该计算机已经过验证和信任，但脚本却不可靠.实际上，每次执行cron作业时，我都会收到一个新的"Google验证码"，并且脚本失败.我认为使用wget或curl一劳永逸地对此类脚本进行身份验证应该是一件简单的事情，但是我找不到有关如何执行此操作的任何文档.

Since enabling 2-factor authentication (aka. 2-step verification) on Google, my Google export scripts no longer work. The computer is verified and trusted, but somehow the scripts are not. In effect, every time the cron job is run I receive a new "Google verification code" and the script fails. I assume it should be a simple matter to authenticate such scripts once and for all with wget or curl, but I couldn't find any documentation for how to do it.

Google身份验证方案经历了多次迭代，我似乎再也无法使用curl或mechanicalsoup登录.我曾尝试使用https://accounts.google.com/ServiceLogin?continue=https://calendar.google.com/calendar/exporticalzip&Email=username@gmail.com&Passwd=application-specific-password之类的URL，但总是会重定向到登录页面，通常显示以下消息:请使用您的帐户密码，而不是应用程序专用密码."

Google authentication schemes have gone through many iterations, and I can no longer seem to log in using curl or mechanicalsoup. I've tried using URLs like https://accounts.google.com/ServiceLogin?continue=https://calendar.google.com/calendar/exporticalzip&Email=username@gmail.com&Passwd=application-specific-password, and I always get redirected to a login page, usually with the message "Please use your account password instead of an application-specific password."

推荐答案

您是否完全确定要对shell脚本使用2因子认证?如果是这样，则无需尝试使计算机或脚本成为受信任的".每次运行脚本时，您只需执行完整的2因子身份验证即可.

Are you absolutely sure that you want to use 2-factor auth with the shell scripts? If so, you don't need to try to get your computer or script as "trusted". You just do the full 2-factor auth every time you run the script.

如果目标是跳过手动第二因素验证，我建议改为使用应用程序专用密码(如其他答案所建议). 只是假装您根本没有使用2要素身份验证，而是使用您的真实登录名，但将密码设置为在

If the target is to skip the manual second factor auth, I'd suggest using application-specific password instead (as already suggested by other answers). Just pretend that you're not using 2-factor auth at all and use your real login name but set password to one generated at https://accounts.google.com/b/0/IssuedAuthSubTokens?hl=en (subpage of https://www.google.com/settings/security).

目的是将应用程序专用密码名称"设置为对您有意义的值.例如，我有标记为"Pidgin at work"，"My Android Phone"，"Thunderbird Google Address Book Extension at Work"等密码.您可能有一个"Calendar and Reader Export Script".如果您认为此应用程序专用密码已被盗用(泄露")，只需单击同一页面上的吊销"链接，然后为您的脚本生成一个新密码.

The intent is to set Application-specific password "Name" to a value that is meaningful to you. For example, I have passwords labeled "Pidgin at work", "My Android Phone", "Thunderbird Google Address Book Extension at Work" etc. You could have one for "Calendar and Reader Export Script". If you ever believe that this Application-specific password is compromised ("leaked"), just hit the "Revoke" link on the same page and then generate a new password for your script.

对于代码，请仅使用适用于Google单因素身份验证的最新版本. 更新:因为原始问题使用URL https://accounts.google.com/ServiceLogin来启动会话登录，所以实际上是在伪造浏览器登录.但是，Google并未正式支持此功能，在撰写本文时，似乎使用应用程序特定密码进行正常登录将最终显示错误消息请使用您的帐户密码，而不是应用程序特定密码".

For the code, just use the last version that worked with Google single factor auth. Update: because the original question used URL https://accounts.google.com/ServiceLogin for initiating the session login it's practically faking browser login. However, Google does not officially support this and as I'm writing this, it seems that using application specific password for normal login will end up with error message "Please use your account password instead of an application-specific password".

要了解有关Google 2要素身份验证和受信任的计算机"的一件事，就是实际的实现只是向您的浏览器添加了一个有效期为30天的永久性Cookie.受信任的计算机并不意味着您的IP地址是受信任的，也不是创建了其他魔术连接.除非您的脚本从您选择的浏览器中捕获了受信任的计算机" Cookie，否则，如果您曾经将计算机标记为受信任的，那根本没有关系. (Google表单不应显示记住这台计算机30天"，而是信任此浏览器和用户帐户组合30天(保存永久cookie).但是，我想这太技术性了……)

One thing to understand about the Google 2-factor auth and "trusted computer" is that the actual implementation just adds a permanent cookie with 30 days expiry time to your browser. Trusted computer does not mean your IP address were trusted or some other magical connection were created. Unless your scripts capture the "trusted computer" cookie from your browser of choice, it does not matter at all if you've ever marked your computer as trusted. (The Google form should not say "Remember this computer for 30 days" but "Trust this browser and user account combination for 30 days (save permanent cookie)". However, I guess that was considered too technical...)

更新 :(摘自下面我的评论)唯一受官方支持的方法(服务器到服务器应用程序)记录在 https://code.google.com上创建的服务帐户私钥. /apis/console .或者，您可以使用ClientLogin身份验证(已弃用的尽力而为服务，直到2015年为止).

Update: (copied from my comment below) The only officially supported method (Server to Server applications) is documented at https://developers.google.com/accounts/docs/OAuth2ServiceAccount. It requires OAuth/JWT encoding the request and using Service Account private key created at https://code.google.com/apis/console. As an alternative you could use ClientLogin authentication (already deprecated, best effort service until 2015).

如果您决定使用OAuth，则可能需要查看 http: //blog.yjl.im/2010/05/bash-oauth.html 和 https ://github.com/oxys-net/curl-oauth

If you decide to go with OAuth, you might want to look at http://blog.yjl.im/2010/05/bash-oauth.html and https://github.com/oxys-net/curl-oauth

这篇关于如何在脚本中使用Google应用专用密码?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！