Google云端硬盘访问权限-服务帐户或OAuth-读取/写入用户文件 [英] Google Drive Access - Service Account or OAuth - To read/write user files

问题描述

我有一个对文件执行操作的.NET控制台应用程序.我希望允许客户向我们提供其Google云端硬盘帐户的访问权限，以便我们可以读写文件.我们的控制台应用程序作为服务运行，因此用户无法与其进行交互并授权我们访问其Google云端硬盘帐户.

I have a .NET console application that performs operations on files. I would like to allow clients to give us access to their Google Drive accounts so we can read and write files. Our console application runs as a service so there is no way for the user to interact with it and authorize our access to their Google Drive account.

我一直在考虑使用Google服务帐户进行应用程序级别身份验证，直到得知服务帐户无权访问设置该服务帐户的用户的Google云端硬盘文件夹.这种目的无法实现，因为它是我希望获得访问权限的客户的Google云端硬盘帐户.

I was looking at using a Google Service Account for application level authentication until I learned that a Service Account does not have access to the Google Drive folder of the user that sets up the Service Account. This sort of defeats the purpose because it is the client's Google Drive account I am looking to gain access to.

我看到SO成员 @pinoyyid 发布的变通办法

I saw a workaround posted by SO member @pinoyyid posted in this SO answer where the refresh token can be generated using Google's Oauth2 Playground, but I am concerned that the refresh tokens could expire and user intervention would be needed again to generate another one.

另一个回应提到该解决方案是创建服务帐户，然后与该服务帐户共享用户的Google云端硬盘帐户.

Another response mentioned the solution was to create the Service Account and then share the user's Google Drive account with the Service Account.

Google推荐的方法是什么?如何最好地获得对Google云端硬盘帐户的访问权限，而仅要求所有者进行一次身份验证，却又使他们能够随时撤消访问权限?

What is the recommended approach by Google? How best to gain access to a Google Drive account while only requiring the owner to authenticate on a one-time basis, yet allowing them the ability to revoke access at any time?

推荐答案

服务帐户和存储的OAuth刷新令牌都是可行的方法.每个都有优点和缺点.

Both Service Account and a stored OAuth Refresh Token are viable approaches. Each has its pros and cons.

服务帐户将在您的用户只需要授予对可以共享给SA的特定文件夹的访问权限时起作用.请注意，SA创建的任何文件均归SA拥有并消耗SA的配额.您不能将用户的云端硬盘帐户共享到SA"，而只能共享单个文件夹.

A Service Account will work where your users only need to grant access to a specific folder which they can share to the SA. Be aware that any files the SA creates are owned by, and consume quota of, the SA. You can't "share the user's Drive account to the SA", you can only share individual folders.

存储RT是更宽松的选择.您不会使用我引用的答案中所述的OAuth游乐场，因为要让用户通过该流程实在太笨拙了.相反，您需要编写自己的注册/授权服务(可以使用AppEngine，Lambda等-因此编写和托管并不难).

Storing a RT is the more permissive option. You wouldn't use the OAuth playground as described in my answer that you referenced as that's far to clunky to ask users to go through. Instead you would need to write your own registration/authorisation service (you can use AppEngine, Lambda, etc - so it's not difficult to write and host).

这篇关于Google云端硬盘访问权限-服务帐户或OAuth-读取/写入用户文件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！