signin for server-side apps and plus deprecation

Question

I have a server side application that requires that a user sign in using his browser and then the server continues to use that token to do stuff on its own.

I'm using the flow described here, pretty much verbatim, but with a few additional scopes: https://developers.google.com/identity/sign-in/web/server-side-flow. In this flow, Google takes over through the login process. I create an auth2 object with gapi.auth2.init(), then I call .grantOfflineAccess() on that object, and later I get a callback with a token if successful. I don't know if this is the latest/greatest way to do it, but it works fine.

Today, I received an email from Google warning me that I am using the plus.me scope and that is deprecated and will stop working in March 2019.

Thing is, I'm not requesting that scope anywhere in my code and my app doesn't use Google Plus. I only request:

https://www.googleapis.com/auth/calendar.readonly
https://www.googleapis.com/auth/gmail.compose
profile
email

It looks like the insertion of the request for plus.me and a few other scopes is coming from Google's code, something that comes from https://apis.google.com/js/client:platform.js, or something that Google downloads later on as part of the login process -- that's the beauty of this process: Google does fancy stuff I don't need to know about.

But ultimately, the token I get back from Google includes:

scope: "openid email profile https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/gmail.compose https://www.googleapis.com/auth/calendar.readonly https://www.googleapis.com/auth/userinfo.email"

There is definitely stuff there I didn't ask for, including the plus.me, which is I guess what I'm concerned about. How do I control or stop this? Or maybe I don't need to do anything and Google will take care of it themselves before they shut down the plus.me scope?

Recommended answer

You are right, your scope request is fine. plus.me is implied from your profile scope request. Unfortunately, the email notification went out to a number of developers in this situation. If you've done a code search and all we notified you about was plus.me, you should be fine. Just make sure you're not using any 3P libs that may also have this dependency.
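
As an added example (not part of the original question or answer, and not Google's code): a server-side check that compares the scope string returned with the token against the scopes the app requested, separating scopes that sign-in implies from ones nobody asked for. The function name `auditScopes` and both lookup tables are illustrative; the plus.me entry follows the answer above, and the openid entry is an assumption.

```javascript
// Short scope names and the full-URL forms treated as equivalent in this example.
const ALIASES = new Map([
  ["profile", "https://www.googleapis.com/auth/userinfo.profile"],
  ["email", "https://www.googleapis.com/auth/userinfo.email"],
]);

// Scopes added implicitly, keyed to the requested scope that implies them.
// plus.me -> profile comes from the answer above; openid -> profile is an assumption.
const IMPLIED_BY = new Map([
  ["https://www.googleapis.com/auth/plus.me", "profile"],
  ["openid", "profile"],
]);

const canonical = (scope) => ALIASES.get(scope) || scope;

// requested: array of scopes the app asked for.
// grantedString: the space-delimited "scope" value returned with the token.
function auditScopes(requested, grantedString) {
  const requestedSet = new Set(requested.map(canonical));
  const granted = [
    ...new Set(grantedString.split(/\s+/).filter(Boolean).map(canonical)),
  ];
  const report = { requested: [], implied: [], unexpected: [], missing: [] };

  for (const scope of granted) {
    const parent = IMPLIED_BY.get(scope);
    if (requestedSet.has(scope)) {
      report.requested.push(scope);
    } else if (parent && requestedSet.has(canonical(parent))) {
      report.implied.push(scope); // explained by a scope the app did request
    } else {
      report.unexpected.push(scope); // broader grant than the app asked for
    }
  }
  // Requested scopes the user or provider did not grant.
  for (const scope of requestedSet) {
    if (!granted.includes(scope)) report.missing.push(scope);
  }
  return report;
}

// Scope list and token scope string as quoted in the question.
const REQUESTED = [
  "https://www.googleapis.com/auth/calendar.readonly",
  "https://www.googleapis.com/auth/gmail.compose",
  "profile",
  "email",
];
const GRANTED = "openid email profile https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/gmail.compose https://www.googleapis.com/auth/calendar.readonly https://www.googleapis.com/auth/userinfo.email";
console.log(auditScopes(REQUESTED, GRANTED));
```

Logging the `unexpected` list at token exchange time gives an early signal when a third-party library widens the grant beyond what the application itself requests.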
