ApiGee OAUTH 授权 [英] ApiGee OAUTH Authorization
问题描述
我是 apigee 的新手.我需要在我的代理中进行标注以从谷歌融合表中获取数据.FT 服务需要使用 oath 2.0 进行安全呼叫.我已经使用自定义代理制作了这个工作流程(没有任何 OAUTH 策略,并在键值映射中存储令牌、刷新令牌和到期)
I'm new in apigee. I need to make a callout in my proxy to fetch data from google fusion tables. FT Service require secure call using oath 2.0. I'm already made this workflow using custom proxy (without any OAUTH policy, and store token, refresh token and expiry in Key Value Map)
我还制作了 js 来计算过期时间和条件标注以刷新令牌.我知道这不是正确的方法,但我仍然不知道如何使用构建 Oauth 策略进行此调用.:(谷歌方面的 oauth 过程对我来说很清楚,但无法理解我在哪里有存储价值以及如何将 oauth 配置为本地方式......
also I made js to calculate expiration time and condition callout to refresh token. I understand that this is not correct way but I still can't get a clue how to make this call using building Oauth policy. :( It's clear for me oauth process from google side but cant understand where i have store value and how to configure oauth as native way ...
我从 github 成功部署了 oauth-authcode 示例并使其正常工作,但是当我更改 https://accounts.google.com/o/oauth2/auth 并替换我的 client_id 我收到错误无效的客户端 ID:XXXXX.apps.googleusercontent.com.ClientId 无效".
I successfully deploy oauth-authcode example from github and get it work but when i change Default Target Endpoint URL on https://accounts.google.com/o/oauth2/auth and substitute my client_id i get error "Invalid client id : XXXXX.apps.googleusercontent.com. ClientId is Invalid".
据我所知,第一个问题是获取授权码我必须给 google oauth 打电话,比如:
Well as I understand the first issue is get Authorization code I have to make a call to google oauth like:
https://accounts.google.com/o/oauth2/auth
?response_type=code
&redirect_uri={URL that obtain access code}
&client_id=XXXXX.apps.googleusercontent.com
&scope=https://www.googleapis.com/auth/fusiontables
&access_type=offline
&approval_prompt=force
&login_hint=MYEMAIL@gmail.com
&state=ANYSTATE
然后谷歌重定向授权码到redirect_uri
then google redirect authorization code to redirect_uri as
{redirect_uri}?code=ACCESSCODE&state=ANYSTATE
好吧,我将代理/oauth20 作为后端并将其指向为 redirect_uri.
well i make a proxy /oauth20 as a bakckend and point it as redirect_uri.
如何在此端配置 oauth 策略来存储此代码?
How to configure oauth policy on this end to store this code ?
我创建了产品 Fusion 并添加了 API 代理/oauth20"作为资源我还创建了 Developer App Fusion.
I create product Fusion and add API Proxy '/oauth20' as Resources Also I created Developer App Fusion.
我必须在开发者应用程序中作为回调 URL 填充哪个 URL?
What url i have to populate as Callback URL in Developer App?
我必须将哪个 url 用作 oauth 策略的重定向 url,以及如何存储用于 google 的客户端 ID 和客户端密码以及范围?我无法在 Developer app 中编辑 Consumer Key 和 Consumer Secret
Which url I have to use as redirect url for oauth policy and how can I store client id and client secret and scope that I use for google? I can't edit Consumer Key and Consumer Secret in Developer app
那么我的 api 代理获取授权码.
Well my api proxy obtain Authorization code.
如何将此代码更改为访问令牌?
How to change this code to access token?
在我的应用程序中,我进行 POST :
In my app i make POST :
https://accounts.google.com/o/oauth2/token
code={code}
client_id={ClientID}
client_secret={ClientSecret}
redirect_uri=https://vatsenko-test.apigee.net/v1/oauth20/oauth/authorize
grant_type=authorization_code
然后提取令牌
$.access_token
$.refresh_token
$.expires_in
有没有办法手动配置 oauth 流来获取令牌?(我的意思是硬编码 client_id、client_secret 以及获取令牌并将其存储到 apigee 的代码,然后在标注中仅制定 verifyaccesstoken 策略)
is any way to manually configure oauth flow to get token ? (i mean hardcode client_id, client_secret,and code to fetch token and store it to apigee and then make only verifyaccesstoken policy in callout)
推荐答案
您遇到的一些困惑是很自然的.尤其如此,因为您同时使用了 2 个 OAuth 系统(Google 和 Apigee 的),而不是单独使用 1 个.也就是说,您仍然可以解决这个问题——它只需要考虑一些设计因素.
Some of the confusion you are encountering is natural. This is especially true because you are using 2 OAuth systems (Google and Apigee's) together instead of using 1 on its own. That said, you can still get this to work out-- it will just take some design considerations.
我将采用的方法是在您撰写问题时回答您的问题,但您可能还想与 Apigee 合作进行进一步深入的设计讨论.
The approach I'll take is to answer your questions as you wrote them, but you may also want to work with Apigee for further in-depth design discussions.
我从 github 成功部署了 oauth-authcode 示例并使其正常工作,但是当我更改 https://accounts.google.com/o/oauth2/auth 并替换我的 client_id 我收到错误无效的客户端 ID:XXXXX.apps.googleusercontent.com.ClientId 无效".
I successfully deploy oauth-authcode example from github and get it work but when i change Default Target Endpoint URL on https://accounts.google.com/o/oauth2/auth and substitute my client_id i get error "Invalid client id : XXXXX.apps.googleusercontent.com. ClientId is Invalid".
您需要使用来自 Google 的 OAuth 系统的 client_id 才能利用 Google 的 OAuth 系统.
You'll need to use your client_id from Google's OAuth system in order leverage Google's OAuth system.
这端如何配置oauth策略来存储这段代码?
How to configure oauth policy on this end to store this code ?
通常,您会使用网络服务器应用程序来处理此代码.如果您想使用 API 代理来做同样的事情,您可以将授权代码作为查询参数传入(例如,&code=XYZ).您的 Apigee 代理会将代码称为 request.queryparameter.code.
Typically you would use a web server app to handle this code. If you wanted to use an API proxy to do the same, you could pass the authorization code in as query parameter (e.g., &code=XYZ). Your Apigee proxy would refer to the code as request.queryparameter.code.
我必须在开发者应用中填充哪个网址作为回调网址?
What url i have to populate as Callback URL in Developer App?
开发者应用中回调 URL 的 URL 应该是网络服务器应用回调 URL.在您的情况下,您声明要使用 Apigee API 代理,因此您应该使用它.当您在 Apigee 上生成授权代码时,此回调 URL 需要匹配作为 redirect_uri 查询参数传递的 URL.如果它们不匹配,您将收到来自 Apigee 的错误消息.正如您在最近的文章中所读到的那样,出于安全原因,我们已经进行了此项检查.
The URL for Callback URL in Developer App should be the web server app callback URL. In your case, you stated you want to use an Apigee API proxy, so you should use that. This callback URL will need to match the URL that is passed along as the redirect_uri query parameter when you generate the authorization code on Apigee. If they don't match, you will get an error from Apigee. As you may have read in recent articles, this check has been in place for security reasons.
我必须将哪个 url 用作 oauth 策略的重定向 url,以及如何存储用于 google 的客户端 ID 和客户端密码以及范围?我无法在 Developer app 中编辑 Consumer Key 和 Consumer Secret
Which url I have to use as redirect url for oauth policy and how can I store client id and client secret and scope that I use for google? I can't edit Consumer Key and Consumer Secret in Developer app
如上所述,重定向 URI 需要与您为开发者应用设置的回调 URL 相同.我建议将 Google 的 client_id 和 client_secret 存储在 键/值映射中.然后,当您调用 Google 检索其令牌时,您可以从键/值映射中提取这些值,并将它们用于标头中供 Google 使用.
As mentioned above, the redirect URI will need to be the same as the callback URL you set for the Developer app. I would advise to store Google's client_id and client_secret in a Key/Value Mapping. Then, when you call out to Google to retrieve their token, you can extract these values out of the Key/Value Mapping and use them in the header for Google to consume.
如何将此代码更改为访问令牌?
How to change this code to access token?
让我们退后一步,考虑一下 Apigee 的身份验证代码和访问令牌如何适合 Google 的身份验证代码和访问令牌.
Let's take a step back and consider how Apigee's auth code and access tokens will fit into Google's auth code and access tokens.
对于与 Apigee 交互的开发者应用,您需要确保 Apigee 能够理解任何生成的身份验证代码和访问令牌.为了让 Apigee 进一步与 Google 的身份验证代码授权类型 OAuth 系统交互,您需要将 Google 的身份验证代码作为属性存储在 Apigee 的身份验证代码中.您可以在生成身份验证代码时通过
For the Developer app to interface with Apigee, you'll want to ensure that Apigee can make sense of any generated auth codes and access tokens. For Apigee to further interface with Google's auth code grant type OAuth system, you'll want to store Google's auth code as an attribute in Apigee's auth code. You can achieve this through the <Attributes> field when you generate the auth code. When your Developer app interfaces with Apigee, the Developer app will send in the Apigee auth code that will then contain an attribute with Google's auth code. You can use getoauthv2info to extract attributes from the Apigee auth code. Then you can callout to Google using Google's own auth code that they recognize.
当您提交 Google 的授权码时,您将收到 Google 访问/刷新令牌作为回报.然后,您需要考虑是否要将 Apigee 的访问/刷新令牌替换为 Google 的…….这是一个设计考虑因素.
When you submit Google's auth code, you will receive Google access/refresh tokens in return. You will then want to consider whether you want to replace Apigee's access/refresh token with Google's... or not. This is a design consideration.
如果您想替换 Apigee 的访问/刷新令牌,您可以利用 Apigee 的
If you want to replace Apigee's access/refresh token, you can leverage Apigee's <ExternalAccessToken> and <ExternalRefreshToken> features. When using these fields in generating the access token on Apigee, you can ensure Apigee recognizes the same access token Google produced.
或者,如果 Google 和 Apigee 令牌不需要匹配,那么您可以将 Google 的访问令牌和刷新令牌作为属性存储在 Apigee 的访问令牌中.这样,当开发者应用与 Apigee 交互时,必须使用 Apigee 的访问/刷新令牌(以及 client_id 和 secret).然后,我们可以通过访问您存储的 Apigee 访问令牌属性来查找 Google 的访问令牌.在 VerifyAccessToken 之后,您可以将这些属性作为 accesstoken..
Alternatively, if the Google and Apigee token do not need to match, then you can store Google's access token and refresh token as attributes in Apigee's access token. In this way, when the Developer app interfaces with Apigee, it's Apigee's access/refresh tokens (and client_id and secret) that must be used. Then, we can look up Google's access token by accessing the Apigee access token attribute that you've stored. After VerifyAccessToken, you can access these attributes as accesstoken.<custom attribute>.
有没有办法手动配置 oauth 流来获取令牌?(我的意思是硬编码 client_id、client_secret 以及获取令牌并将其存储到 apigee 的代码,然后在标注中仅制定 verifyaccesstoken 策略)
is any way to manually configure oauth flow to get token ? (i mean hardcode client_id, client_secret,and code to fetch token and store it to apigee and then make only verifyaccesstoken policy in callout)
如上所述,键/值映射将在这里为您提供帮助.您可以在调用 Google 之前根据需要设置标题信息.并且如前所述,您可以将 Google 的身份验证代码作为属性存储在 Apigee 的身份验证代码中.
As mentioned above, Key/Value Mapping will help you here. You can set the header information as required before you call out to Google. And as discussed prior, you can store Google's auth code in Apigee's auth code as an attribute.
希望这会有所帮助.如果现场会议能更恰当地帮助您,请随时联系我们的支持人员或 Scrum Master.
Hope this helps. Feel free to reach out to our Support or Scrum Masters if a live session will help you more appropriately.
这篇关于ApiGee OAUTH 授权的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
