google oauth2 使用 user@gmail.com 模拟服务帐户 [英] google oauth2 impersonate service account with user@gmail.com

问题描述

我想访问一些 google api 服务:

I wanted to access some google api services:

• GDrive API
• 联系 API
• 人员 API

我正在努力处理 oauth2 模拟服务帐户流程(您知道:Google Oauthv2 - 服务帐户描述.对于模拟，您需要在 google 应用程序控制台中应用委派全域权限"，下载相应的 pk12 文件并在 google 控制台项目中激活 api.

And I'm struggeling with the oauth2 impersonate service account flow (you know that one: Google Oauth v2 - service account description. For impersonification you need to apply the "Delegating domain-wide authority" in the google apps console, download the correspoding pk12 file and activate the api in a google console project.

此刻我总是得到:

com.google.api.client.auth.oauth2.TokenResponseException: 401 Unauthorized
at com.google.api.client.auth.oauth2.TokenResponseException.from(TokenResponseException.java:105)
at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:287)
at com.google.api.client.auth.oauth2.TokenRequest.execute(TokenRequest.java:307)
at com.google.api.client.googleapis.auth.oauth2.GoogleCredential.executeRefreshToken(GoogleCredential.java:384)
at com.google.api.client.auth.oauth2.Credential.refreshToken(Credential.java:489)
at oauthsample.GDriveAPI.<init>(GDriveAPI.java:50)
at oauthsample.GDriveAPI.main(GDriveAPI.java:85)

这是我的代码:

        HttpTransport httpTransport = new NetHttpTransport();
        JacksonFactory jsonFactory = new JacksonFactory();    

        Set<String> scopes = new HashSet<String>();
        scopes.add("https://www.google.com/m8/feeds");

        GoogleCredential credential = new GoogleCredential.Builder()
                .setTransport(httpTransport)
                .setJsonFactory(JSON_FACTORY)
                .setServiceAccountId("myserviceuser@xxxxxx.iam.account.com")
                .setServiceAccountPrivateKeyFromP12File(new File("somep12key.p12"))
                .setServiceAccountScopes(scopes)
                .setServiceAccountUser("my_user_name@gmail.com")
                .build();

       credential.refreshToken();
       ContactsService service = new ContactsService("MYAPP");
        service.getRequestFactory().setHeader("User-Agent", "MYAPP");
        service.setHeader("GData-Version", "3.0");
        service.setOAuth2Credentials(credential);

        URL feedUrl = new URL("https://www.google.com/m8/feeds/contacts/default/full");
        ContactFeed resultFeed = service.getFeed(feedUrl, ContactFeed.class);

我还通过 stackoverflow 进行了大量搜索(无法列出所有参考资料并检查响应和解决方案).但是有一个问题从未得到明确回答——无论是在谷歌文档中还是在所有 stackoverflow 帖子中:

I also searched heavily through stackoverflow (can't list all references and checked the responses and solutions). But one question was never clearly answered - nor in googles documentaiont nor on all the stackoverflow posts:

• 是否真的可以用普通的 user@gmail.com 用户来模拟服务帐户(我的意思是一个普通的 gmail 帐户，无法访问将域范围内的权限委派给服务"一章中提到的管理控制台?帐户"并且没有自己的域)?

有人说是，有人说不是.那么什么是绝对真理?

Some say yes, some say no. So what's the absolute truth?

据我阅读谷歌文档时的理解:服务帐户只能在您负责自己的域时模拟用户，并且您需要使用自己的域注册一个谷歌工作帐户.然后您就可以访问管理控制台并授予对服务帐户的访问权限.

As far as I understand when reading the google docs: The service account can only impersonate on users when you in charge of a own domain and you need to have a google work account with your own domain registered. Then you're able to access the admin console and can grant access to the service account.

感谢您的耐心和耐心解答.

Thanks for your patience and for your time to answer.

最好的问候马特

推荐答案

简短的回答是否定的，无法模拟 @gmail.com 帐户执行服务帐户.关键原因是，尽管服务帐户 OAuth 流程不涉及授权屏幕，但最终还是有人必须说我授权此应用程序冒充此用户."

The short answer is no, it's not possible to perform service-account impersonate of a @gmail.com account. The key reason is that although the service account OAuth flow doesn't involve an authorization screen, at the end of the day someone must still say "I authorize this application to impersonate this user."

在 Google Apps 域的情况下，此人是域管理员，他有权为域中的所有用户批准应用程序.对于@gmail.com 帐户，没有其他机构可以代表您批准此操作.而且，如果您无论如何都必须要求用户授权，那么使用常规的 3-legged OAuth 流程来提示用户进行授权、获取刷新令牌等是有意义的.

In the case of a Google Apps domain that person is the domain administrator, who has the authority to approve apps for all users in the domain. For an @gmail.com account, there is no other authority that can approve this on your behalf. And if you have to ask the user for authorization anyway, they it just makes sense to use the regular 3-legged OAuth flow to prompt the user for authorization, get a refresh token, etc.

现在有一个技巧，你可以让@gmail.com 用户通过常规的 3 条腿流程，一旦他们批准它，从那时起使用服务帐户流程.然而，这会导致一些奇怪的问题，所以我们禁用了该选项.这可能就是过去在这是否可能的问题上存在分歧的原因.

Now for a while there was a trick where you could take an @gmail.com user through the regular 3-legged flow, and once they approved it use the service account flow from then on. This lead to some strange problems however, so we've disabled that option. This may be why there was disagreement in the past about if this is possible.

这篇关于google oauth2 使用 user@gmail.com 模拟服务帐户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！