无法使用Google服务帐户请求Fusion Tables API的访问令牌 [英] Failed to request access token for Fusion Tables API with Google Service Account

问题描述

我已经成功地通过Google服务帐户(通过HTTP/REST和.NET客户端库)使用Google API来访问Google云端硬盘中的文件.

I have been successfully using Google API (via HTTP/REST, as well as using the .NET client library) with a Google Service Account to access the files in Google Drive.

最近，我正在探索Fusion Tables.我可以通过Web应用程序将API与用户授权一起使用.但是，当我尝试使用同一项目下的Google服务帐户访问它时，只要我有 https://www.googleapis.com/auth/fusiontables :

Recently, I am exploring the Fusion Tables. I am able to use the API with user authorization via a web application. However, when I try to access it using Google Service Account under the same project, it failed with the below error, whenever I have https://www.googleapis.com/auth/fusiontables in the scope:

https://www.googleapis.com/oauth2/v3/token

HTTP 401

{错误":"unauthorized_client"，"error_description":请求中未经授权的客户端或作用域." }

https:// www.googleapis.com/oauth2/v3/token

HTTP 401

{"error": "unauthorized_client", "error_description": "Unauthorized client or scope in request." }

当我删除https://www.googleapis.com/auth/fusiontables并且同一代码块与

The error goes away, when I remove https:// www.googleapis.com/auth/fusiontables and the same code block works fine with https://www.googleapis.com/auth/drive and other scopes.

我已经检查并确认已在Google Developers Console上为我的项目启用了"Fusion Tables API". (否则，我最初通过Web应用程序进行的用户授权将无法正常工作.)

I have checked and confirmed the "Fusion Tables API" is already enabled for my project at Google Developers Console. (Otherwise, my user authorization via a web application would not be working at the first place.)

有什么我可能错过的东西吗?任何帮助将不胜感激.

Is there anything which I could have missed out? Any help would be greatly appreciated.

推荐答案

我刚刚遇到了这个问题: Google驱动器服务帐户和";未经授权的客户或请求中的范围"

I just come across this: Google drive service account and "Unauthorized client or scope in request"

尽管乍一看似乎并没有关系，但确实是同一问题.

Even though it does not seems to be related at the first glance, it is indeed the same issue.

从下面的代码块中删除User = svcAcct,后，问题已解决.

Problem resolved after removing User = svcAcct, from the below code block.

  ServiceAccountCredential credential;
  credential = new ServiceAccountCredential(
    new ServiceAccountCredential.Initializer(svcAcct) {
      // User = svcAcct, *** removed ***
      Scopes = new System.Collections.Generic.List<string>(scopes.Split(' '))
    }.FromCertificate(certificate)
  );

因此，以下是一般建议:

Hence, here is the general advise:

请勿不必要地使用 User = svcAcct 调用 ServiceAccountCredential.Initializer .

仅在尝试模拟其他用户时执行此操作 (前提是正确完成了适当的设置 在Google Apps管理控制台中).

Only do this when you are trying to impersonating a difference user (with the condition that the appropriate setup has been correctly done in Google Apps Admin Console).

即使在某些情况下可能不会产生任何错误， 包括电子邮件地址的某些意外行为 JWT声明中的服务帐户本身设置为"sub"的值 字段.

Even though it may not produce any error under certain cases, there are some unexpected behaviors when including an email address of the service account itself in the JWT claim set as the value of the "sub" field.

这篇关于无法使用Google服务帐户请求Fusion Tables API的访问令牌的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！