Is it possible to be able to correctly select any available Google account to use when using authorisation via the JS client library for Drive?

Problem description

I've got an existing Google Drive enabled application that's using the Google Java client library and server flow auth.

If you're not logged into the application and navigate to the URL AND you have logged into more than one google account on that browser (only one personal Google account is possible, any additional ones have to be Google business accounts) the OAuth callback offers the options to select which Google Account to use.

However, whilst testing a switch to using the JavaScript client library I'm not able to activate the multiple account selection screen using gapi.auth.authorize. Is it possible to handle multiple accounts using the JS library?

Update : I tried with the immediate parameter false. I can log in as long as I don't change account in the popup. If I do change account, I get to:

https://accounts.com/o/oauth2/auth?client_id=433863057149.apps.googleusercontent.com&scope=https://www.googleapis.com/auth/drive.file+https://www.googleapis.com/auth/drive.install+https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/userinfo.profile&immediate=false&redirect_uri=postmessage&origin=https://drivedrawio.appspot.com&proxy=oauth2relay593063763&response_type=token&state=701344514&authuser=1

in a new tab and nothing happens. I've made a video to demonstrate.

Update 2 : This bug against the JS client library for the need for double selection of multiple account has been accepted.

Recommended answer

You are not getting the multi user selection screen because of the following parameter: authuser=0 This automatically selects the first account you are signed-in with (authuser=1 would select the second etc...).

It's currently not possible to remove that param using the client library because the client library sets it automatically to 0 (this is why it claims not to handle multi-accounts) if there is no value so one way is to override it to -1 for example, this will show the multi-account chooser. Then you could also ask to access the user's profile or email at the same time you ask access to other APIs and fetch either the email of the user or its ID. Then on subsequent auth you can specify the user_id param which will bypass the user-selection screen.

So in practice, first authorize like this:

gapi.auth.authorize({client_id: '<Your Client ID>', // placeholder: your OAuth client ID
                     scope: 'https://www.googleapis.com/auth/drive openid', // That requires access to Google Drive and to the UserInfo API
                     authuser: -1}); // -1 shows the multi-account chooser

The only problem with the above is that the auto-refresh of the client library will not work because every auth will be blocked at the multi-account selection screen.

The trick is to get the ID of the user using the UserInfo API, save that ID in a session cookie and use it on subsequent auth like that:

gapi.auth.authorize({client_id: '<Your Client ID>', // placeholder: your OAuth client ID
                     scope: 'https://www.googleapis.com/auth/drive openid',
                     user_id: '<The User ID>', // placeholder: the ID fetched from the UserInfo API
                     authuser: -1});

Specifying the User's ID will make sure the multi-account chooser is bypassed and will allow the auto-refresh of the token from the client lib to work again.

For reference, other URL params that impact the User flow are:

  • user_id: similar to authuser (bypasses the multi-account selection screen) but you can use email address (e.g. bob@gmail.com) or the User ID you get from our Open ID Connect endpoint/Google+ API/UserInfo API
  • approval_prompt: default is auto, can be set to force to make sure that the approval/grant screen gets shown. This makes sure that the grant screen is not bypassed on subsequent auth (after first time).
  • immediate: immediate is a bit tricky, when set to true it will bypass the grant screen (kinda like approval_prompt=auto) if the user already granted approval previously, but if the user has not granted approval previously you will get redirected with an error: error=immediate_failed. If set to false it won't add special behavior and therefore fallback on the behavior setup by the approval_prompt value.

Note: immediate=true and approval_prompt=force is an invalid combination.

I think the client library is using the immediate param so that if it gets the error=immediate_failed it will restart an auth flow without the authuser param, but that's only speculation :)
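
The two-step flow described in the answer above, as an added example that is not part of the original answer or of Google's client library. `buildAuthParams`, `authorizeForAccount`, `store` and `fetchUserId` are hypothetical names; `auth` stands in for `gapi.auth`, and the account-mismatch check is an assumption added here because the remembered `user_id` is only a hint, so the ID returned by UserInfo should be compared against it.

```javascript
// Added example. Only gapi.auth.authorize and the parameter names
// (authuser, user_id, immediate, approval_prompt) come from the answer.

// Build the parameter object for gapi.auth.authorize.
function buildAuthParams(clientId, scopes, opts = {}) {
  const { userId, immediate, approvalPrompt } = opts;
  if (immediate === true && approvalPrompt === 'force') {
    // The answer notes that this combination is invalid.
    throw new Error('immediate=true with approval_prompt=force is invalid');
  }
  // authuser: -1 overrides the library default of 0 and shows the chooser.
  const params = { client_id: clientId, scope: scopes.join(' '), authuser: -1 };
  if (userId) params.user_id = userId; // bypasses the chooser for a known user
  if (immediate !== undefined) params.immediate = immediate;
  if (approvalPrompt) params.approval_prompt = approvalPrompt;
  return params;
}

// auth: object exposing authorize(params, callback), e.g. gapi.auth.
// store: { get, set, clear } around the remembered user ID (e.g. a session cookie).
// fetchUserId(token, cb): hypothetical helper that calls the UserInfo API.
function authorizeForAccount(auth, store, fetchUserId, clientId, scopes, done) {
  const remembered = store.get();
  const params = buildAuthParams(clientId, scopes, { userId: remembered });
  auth.authorize(params, (result) => {
    if (!result || result.error) {
      return done(new Error(result ? result.error : 'no auth result'));
    }
    fetchUserId(result.access_token, (id) => {
      if (remembered && id !== remembered) {
        // The token belongs to another account than the remembered one:
        // drop the hint so the next attempt shows the chooser again.
        store.clear();
        return done(new Error('account mismatch'));
      }
      store.set(id); // first auth: remember the ID for later token refreshes
      done(null, { userId: id, token: result.access_token });
    });
  });
}
```
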
