授权命令行工具使用 Google API(通过 OAuth2.0 或其他任何方式) [英] Authorizing command line tool to consume Google APIs (through OAuth2.0 or anything else)
问题描述
我认为我了解 OAuth 2.0 在移动应用或网站环境中的工作原理 - 我的情况也不是这样.
我有一个 C++ 命令行 应用程序,我想授予它访问 Google 服务之一的权限 (Google Fusion Tables) 但我认为这个问题适用于任何 Google 服务,或者见鬼,也许也适用于任何必须处理 OAuth2 的命令行应用程序.
我有用户名.我有密码(用户输入的).我需要获得一个令牌,以便我可以通过 Curl 进行调用.实现此目标的最简单方法是什么?
更新 1:
阅读文档后,似乎最不痛苦的 OAuth2 流程将是 "Installed Application" 一个.
我的想法是,我的命令行工具将在不需要令牌的情况下请求公共表(但似乎我们仍然需要从 Google 发送一个 AppID,我可以从 Google API 仪表板获取).
每当我的命令行工具需要使用私有资源时,该用户都需要提供 Google 提供的授权代码(然后我的命令行工具可以使用它来获取可用的令牌).如果用户未在命令行中提供授权代码,我的工具将只打印一个链接,用户可以将其粘贴到 URL 以生成授权代码.该链接将如下所示:
https://accounts.google.com/o/th.www2auth2googleapis.com/auth/fusiontables&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=code&client_id=812741506391-h38jh0j4fv0ce1krdkiq0hfvt6n5amrfvt.apps.amrf 一旦用户接受,她就必须将该授权代码粘贴到终端,以便命令行工具可以使用它.命令行工具将使用授权代码向 Google 请求一个令牌,然后,最后,我可以使用 Google 令牌进行 API 调用. 有些事情我还不清楚.授权码有变化吗?如果是这样,我似乎需要在某处保存令牌和刷新令牌,以便每次令牌过期时都可以重用刷新令牌. 是我一个人,还是这整件事看起来像疯了一样,只是为了让我可以从命令行使用 Google API? 我通常会使用 ClientLogin 流程,但一切似乎都表明它很快就会被弃用. 授权码仅有效一次.在您交换它 - 并获得一个刷新令牌和一个访问令牌后 - 它将不再可用.扔掉它就行了.它只是一次性使用,您不再需要它.您需要做的只是将刷新令牌保留/保存/保留在某个本地文件中以供重复使用. 刷新标记是重要的标记.它使您可以无限制地访问 API,因为您可以使用它以编程方式获取新的访问令牌(有效期为 1 小时).查看关于该操作的刷新令牌文档. Google API 客户端库通常会自动且透明地为您处理令牌刷新,但由于我们没有 C++ 客户端库,您需要自己执行此操作.我们使用的一种技术是在向 API 发出请求时捕获 403 错误(表示无效的访问令牌),在这种情况下,我们进行刷新以获取新的访问令牌,然后自动重试最初失败的操作. 可以为您提供最佳用户体验的流程是使用服务器端 Web 应用程序流程.可以在已安装的和/或命令行应用程序上使用它,尽管它需要更多的工作.方法如下: 就是这样,您现在拥有刷新和访问令牌(来自第 4 步),并且在关闭浏览器后您又回到了您的应用中. 客户端登录已被弃用.它正在消失并且不适用于较新的 API.Google 不希望用户向您提供他们的密码,因为您可能会想要存储它并且可能会被黑客入侵 :)) 此外,它让您可以访问太多信息,因为您可以使用他们的 Google Checkout 帐户购买东西或更改他们的密码以窃取他们的帐户.目前,从安全角度来看,唯一的方法是使用像 OAuth2 这样的三足认证系统,并且不鼓励使用密码,以便用户摆脱将用户名和密码提供给 3rd 方的习惯.当然,OAuth2 更难用于桌面/命令行应用程序... 如果您不想或无法启动 Web 服务器来侦听代码,那么您可以使用 请注意,并非所有 OAuth 2 提供商都支持,但至少 Google 和 Facebook 支持. I think I understand how OAuth 2.0 works in the context of a mobile app or website - neither is my case. I have a C++ command line application that I want to give access to one of the Google Services (Google Fusion Tables) but I think this question applies to any of the Google Services, or heck, perhaps also any command line app that has to deal with OAuth2. I have the username. I have the password (the user typed it). I need to get a token so I can make the calls through Curl. What is the easiest way to accomplish this? Update 1: After going through the documentation, it seems that the least painful OAuth2 flow will be the "Installed Application" one. What I am thinking is that my command line tool will make requests for public tables without needing a token (but it seems we still need to be sending an AppID from Google which I can get from the Google APIs dashboard). Whenever my command line tool will need to use a private resource, that user would be required to supply a Google supplied authorization code (which my command line tool can then use to get a usable token). If the user has not supplied the authorization code in the command line, my tool would just print a link that the user can paste to the URL to generate the authorization code. The link would look like this: Once the user accepts, she would have to paste that authorization code to the terminal so it can be used by the command line tool. The command line tool would use the authorization code to ask Google for a token and then, finally, I can then use the Google token to make the API calls. A few things are still unclear to me. Does the authorization code change? If so, it seems I would need to save the token and refresh tokens somewhere so I can reuse the refresh token every time the token expires. Is it just me, or does this whole thing seems like crazy talk just so that I can use a Google API from the command line? I would normally use the ClientLogin flow, but everything seems to point out that it will be deprecated soon. The authorization code is only valid once. After you have exchanged it - and got a refresh token and an access token - it won't be usable anymore. Just dump it. It's one-time use only and you don't need it anymore. What you need to do is simply keep/save/persist the refresh token in some local file for reuse. The refresh token is the important token. It gives you access to the API for an unlimited period of time because you can use it to programmatically get new access tokens (which are valid 1h). Check the refresh token doc about that operation. The Google APIs Client libraries usually handle refreshing the tokens automatically and transparently for you but since we don't have a C++ client lib you need to do this yourself. One technique we use is that we catch 403 errors when doing requests to the API (which indicates an invalid access token), in that case we do the refresh to get a new access token, then automatically re-try the operation that failed initially. The flow that will give you the best user experience is to use the server-side web application flow. It is possible to use it on installed and/or command line application, though it is more work. Here is how: That's it, you now have the refresh and the access tokens (from step 4) and you are back in your app after killing the browser. Client Login has been deprecated. It's going away and doesn't work with newer APIs. Google doesn't want users to give you their password, as you might be tempted to store it and you could get hacked :)) Also, it gives you access to too much information, since you could buy stuff with their Google Checkout account or change their password to steal their accounts. Currently, the only way to go on a security standpoint is to use these 3-legged auth systems like OAuth2 and discourage the use of passwords so that users get out of the habit of providing their username and password to 3rd parties. Of course, OAuth2 is a lot harder to use for desktop/command-line applications... If you do not want or can't start a web server to listen for the code then you can use the Beware as not all OAuth 2 providers support that but at least Google and Facebook do. 这篇关于授权命令行工具使用 Google API(通过 OAuth2.0 或其他任何方式)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!回答有关已安装应用程序"流程的问题:
我的建议:
http://127.0.0.1:7777)http://127.0.0.1:7777莉>http://127.0.0.1:7777.为什么搞得这么乱?
OOB 替代方案
oob OAuth 流程.它的工作原理是简单地将 oob 指定为重定向 URI.在这种情况下,用户不会被重定向到给定的 URL,而是会看到一个页面,上面写着这是您的身份验证代码.将其复制粘贴到您的应用程序中.".在您的应用程序上,您可以简单地让您的用户将身份验证代码粘贴到文本字段中,瞧.这是一种更糟糕的用户体验,但在某些情况下可以更强大,并且可以在更多环境中工作,尤其是低技术环境.To answer your question about the "Installed application" flow:
My advice:
http://127.0.0.1:7777)http://127.0.0.1:7777http://127.0.0.1:7777.Why All this mess?
The OOB Alternative
oob OAuth flow. It works by simply specifying oob as the redirect URI. In this case, instead of being redirected to a given URL, the user will be shown a page that says "Here is your auth code. Copy paste it into your app.". On your app you can simply have your user paste the auth code in a text field and voila. This is a worse user experience but can be more robust in some cases and work in more environment, especially low-tech environments.
