Using OAuth2 with service account on gdata in python

Question

I want to use data.photos.service.PhotosService to push and pull photos from Picasa. I got a service key file XXXXXXXX-privatekey.p12 from Google console and am now trying to authenticate using said key with Google.

The documentation for OAUTH2 using appengine has led me to believe that using the following would be of use:

import logging

import httplib2
import gdata.auth
import gdata.gauth
from apiclient import errors
from apiclient.discovery import build
from oauth2client.client import SignedJwtAssertionCredentials

# `settings` is the asker's own project settings module (not shown in the post).
# Read the .p12 private key as bytes; the with-block closes the file.
with open(settings.SITE_ROOT + '/aurora/' + settings.PRIVATE_KEY, 'rb') as f:
  key = f.read()

credentials = SignedJwtAssertionCredentials(settings.SERVICE_ACCOUNT_NAME, key, scope = 'http://picasaweb.google.com/data https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile')
http = httplib2.Http()
http = credentials.authorize(http)
service = build("oauth2", "v2", http=http)
user_info = None
try:
  user_info = service.userinfo().get().execute()
  # neither of these two methods work
  #gd_client.SetOAuthInputParameters(signature_method = gdata.auth.OAuthSignatureMethod.RSA_SHA1, consumer_key = "asdfasdfasdf.apps.googleusercontent.com", rsa_key = key, two_legged_oauth = True, requestor_id = user_info.get('email'))
  #gd_client.auth_token = gdata.gauth.TwoLeggedOAuthRsaToken(consumer_key = user_info.get('email'), rsa_private_key = key, requestor_id = user_info.get('email'))
except errors.HttpError as e:
  logging.error('An error occurred: %s', e)

user_inf0 = {u'verified_email': True, u'id': u'1234', u'name': u'asdfasdfasdf@developer.gserviceaccount.com', u'email': u'asdfasdfasdf@developer.gserviceaccount.com'}

The issue is that either method 1 using SetOAuthInputParameters returns an invalid token, or method 2 returns a 403 restricted.

I am at my wits' end reading through mountains of code that all do regular 3 legged oauth when I really and truly do not want to do it that way. Any ideas/articles I haven't seen yet?

Recommended answer

Use gdata.gauth.OAuth2TokenFromCredentials.

auth2token = gdata.gauth.OAuth2TokenFromCredentials(credentials)
gd_client = auth2token.authorize(gd_client)

OAuth2TokenFromCredentials is designed to help you use apiclient and gdata at the same time. Under the covers, it uses the credentials for making sure it has the auth information it needs to perform gdata calls.

Note, if you still get 403, it may be something else entirely. I was using a service account to access a user's data and was getting 403 because I hadn't spec'd the user properly in the SignedJwtAssertionCredentials call.

UPDATE: Here's the basic pattern I used:

import httplib2
import gdata.gauth
import gdata.photos.service
from oauth2client.client import SignedJwtAssertionCredentials

credentials = SignedJwtAssertionCredentials(
    "XXXXXXXXXXX@developer.gserviceaccount.com",
    open("keyfile").read(),
    scope=(
        "https://www.googleapis.com/auth/drive",
        "https://spreadsheets.google.com/feeds",
        "https://docs.google.com/feeds"
    ), # For example.
    sub="user@gmail.com" # The user whose data the service account accesses.
)
http = httplib2.Http()
http = credentials.authorize(http) # Not needed? See comment below.
# Wrap the oauth2client credentials so the gdata client can use them.
auth2token = gdata.gauth.OAuth2TokenFromCredentials(credentials)
gd_client = gdata.photos.service.PhotosService() # For example.
gd_client = auth2token.authorize(gd_client)
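
What the service-account credentials in the answer put into the JWT assertion, as an added example that is not part of the original answer and not oauth2client's own code: it builds the header and claim set that would be RS256-signed with the .p12 key (signing is left out because it needs the private key and a crypto library) and reports which principal the resulting token acts as. The function names and the TOKEN_URI value are assumptions made for this example.

```python
import base64
import json
import time

# Assumption: Google's currently documented token endpoint, used as the "aud" claim.
TOKEN_URI = "https://oauth2.googleapis.com/token"
MAX_LIFETIME = 3600  # Google accepts assertions valid for at most one hour


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_signing_input(service_account, scopes, sub=None, now=None,
                        lifetime=MAX_LIFETIME):
    """Return base64url(header).base64url(claims), the bytes RS256 would sign."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": service_account,     # the service account is always the issuer
        "scope": " ".join(scopes),  # space-delimited, as in the question's call
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + lifetime,
    }
    if sub is not None:
        claims["sub"] = sub         # user to act as (the sub= keyword in the answer)
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join(_b64url(json.dumps(part, sort_keys=True).encode("utf-8"))
                    for part in (header, claims))


def describe_assertion(signing_input):
    """Decode the claim set; return (principal the token acts as, findings)."""
    claims = json.loads(_b64url_decode(signing_input.split(".")[1]))
    findings = []
    if "sub" not in claims:
        findings.append("no sub claim: the token acts as the service account itself")
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:
        findings.append("lifetime exceeds one hour")
    return claims.get("sub", claims["iss"]), findings
```

Running describe_assertion on the output of build_signing_input with and without sub shows the principal switching between the user and the service account, which is the first thing to compare when a gdata call answers 403.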
