Google API OAuth2,服务帐户,“错误":“invalid_grant" [英] Google API OAuth2, Service Account, "error" : "invalid_grant"
问题描述
我正在尝试使用服务帐户将日历从 Dynamics CRM 软件同步到 Google.在此期间,我遇到了有关 .net 的 google API 文档的缺乏,尤其是有关授权的文档.由于使用了过时的库和类,大多数 Google 示例甚至无法编译.
I'm trying to use service account to sync calendars from Dynamics CRM software to Google. During this I faced lack of documentation on google API for .net, especially regarding authorization. Most of Google samples can't be even compiled because of outdated libraries and classes used.
所以我找到了一些关于实习和接收错误的例子.有人可以看看我的样本并告诉我我做错了什么吗?
So I found some example over interned and receive error. Could someone please look on my sample and tell what am I doing wrong?
准备步骤:
- 我在我的私人 Google 帐户中创建了一个项目.
- 在项目开发者控制台中,在 APIS & 下AUTH -> 凭据,我生成了服务帐户.然后点击生成 P12 密钥"并下载 .p12 文件.
- 根据 APIS &AUTH -> API,打开日历 API"
然后创建控制台应用程序并设法安装 OAuth 和 Calendar nuget 包.有:
Then created console app and managed to install OAuth and Calendar nuget packages. There are:
- Google API 身份验证客户端库,Google.Apis.Auth 1.8.1
- Google API 客户端库,Google.Apis 1.8.1
- Google API 核心客户端库,ID:Google.Apis.Core 1.8.1
- Google.APIs.Calendar.v3 客户端库,Google.Apis.Calendar.V3 1.8.1.860
找到了一个符合我需要的代码:
There is a code found and adapted to my needs:
using System;
using System.Security.Cryptography.X509Certificates;
using Google.Apis.Calendar.v3;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Services;
namespace CrmToGoogleCalendar
{
class Program
{
static void Connect()
{
var certificate = new X509Certificate2("My Project-ee7facaa2bb1.p12", "notasecret", X509KeyStorageFlags.Exportable);
var serviceAccountEmail = "506310960175-q2k8hjl141bml57ikufinsh6n8qiu93b@developer.gserviceaccount.com";
var userAccountEmail = "<my email>@gmail.com";
var credential = new ServiceAccountCredential(new ServiceAccountCredential.Initializer(serviceAccountEmail)
{
User = userAccountEmail,
Scopes = new[] { CalendarService.Scope.Calendar }
}
.FromCertificate(certificate));
var service = new CalendarService(new BaseClientService.Initializer()
{
ApplicationName = "Test calendar sync app",
HttpClientInitializer = credential
});
var calList = service.CalendarList.List().Execute().Items;
foreach (var cal in calList)
{
Console.WriteLine(cal.Id);
}
}
static void Main(string[] args)
{
Connect();
}
}
}
我在应用程序和 Fiddler 中看到的与 Google API 的通信是:
The communication with Google API which I see in the app and Fiddler is:
请求:
主机:HTTPS accounts.google.com,网址:/o/oauth2/token
断言:长二进制字符串
grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
Host: HTTPS accounts.google.com, URL: /o/oauth2/token
Assertion: long binary string
grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer
回复:
HTTP/1.1 400 错误请求内容类型:application/json 缓存控制:no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache到期:1990 年 1 月 1 日星期五 00:00:00 GMT 日期:2014 年 7 月 24 日星期四 06:12:18GMT X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGINX-XSS-保护:1;mode=block 服务器:GSE 备用协议:443:quic传输编码:分块
HTTP/1.1 400 Bad Request Content-Type: application/json Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Date: Thu, 24 Jul 2014 06:12:18 GMT X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Alternate-Protocol: 443:quic Transfer-Encoding: chunked
1f { "error" : "invalid_grant" } 0
1f { "error" : "invalid_grant" } 0
请帮助并提前致谢!
推荐答案
经过一些调查,我发现 Google API 与您的个人帐户 @gmail.com 无法正常工作.您应该在 Google 中拥有组织域帐户,格式为 you@your_organisation_domain
After some investigations I found, that Google API does not work as expected with your personal account @gmail.com. You should have organization domain account in Google in format you@your_organisation_domain
然后,同样令人困惑的是,Google Drive API 页面上有文档,将域范围的权限委派给您的服务帐户" 部分未在日历 API 页面中提及.该部分有7个步骤,必须完成.
Then, what is also pretty confusing, there is documentation at Google Drive API page, with "Delegate domain-wide authority to your service account" section not mentioned at Calendar API page. There are 7 steps in the section, are required to be done.
顺便说一句,个人帐户管理网站 admin.google.com 甚至不可用.因此,使用@gmail.com 帐户执行这 7 个步骤是不可能的.
BTW with personal account administration site admin.google.com is even unavailable. So it's impossible to perform these 7 steps with @gmail.com account.
然后,当客户端在 Google Apps 管理控制台 > 安全 > 高级设置 > 管理 OAuth 客户端访问中获得授权后,代码开始工作.
Then, when client is authorised in Google Apps Admin Console > Security > Advanced settings > Manage OAuth Client access the code starts to work.
有一个代码对我有用:
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Google.Apis.Calendar.v3;
using Google.Apis.Calendar.v3.Data;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Services;
namespace CrmToGoogleCalendar
{
class Program
{
static void Connect()
{
Console.WriteLine("Calendar via OAuth2 Service Account Sample");
var certificate = new X509Certificate2("My MC Project-3f38defdf4e4.p12", "notasecret", X509KeyStorageFlags.Exportable);
var serviceAccountEmail = "795039984093-c6ab1mknpediih2eo9cb70mc9jpu9h03@developer.gserviceaccount.com";
var userAccountEmail = "me@testdomain.com";
var credential = new ServiceAccountCredential(new ServiceAccountCredential.Initializer(serviceAccountEmail)
{
User = userAccountEmail,
Scopes = new[] { CalendarService.Scope.Calendar }
}
.FromCertificate(certificate));
var service = new CalendarService(new BaseClientService.Initializer()
{
ApplicationName = "Test calendar sync app",
HttpClientInitializer = credential
});
/* Get list of calendars */
var calList = service.CalendarList.List().Execute().Items;
var myCalendar = calList.First(@c => @c.Id == userAccountEmail);
/* CREATE EVENT */
var event1 = new Event()
{
Kind = "calendar#event",
Summary = "Calendar event via API",
Description = "Programmatically created",
Status = "confirmed",
Organizer = new Event.OrganizerData() {
Email = userAccountEmail
},
Start = new EventDateTime()
{
DateTime = DateTime.Now.AddDays(1)
},
End = new EventDateTime()
{
DateTime = DateTime.Now.AddDays(1).AddHours(1)
},
ColorId = "6",
Reminders = new Event.RemindersData()
{
UseDefault = false,
Overrides = new List<EventReminder>(
new [] {
new EventReminder()
{
Method = "popup",
Minutes = 60
}
})
}
};
event1 = service.Events.Insert(event1, myCalendar.Id).Execute();
Console.WriteLine("Created event Id: {0}", event1.Id);
/* ENLIST EVENTS */
Console.WriteLine("calendar id={0}", myCalendar.Id);
var events = service.Events.List(myCalendar.Id).Execute();
foreach (var @event in events.Items)
{
Console.WriteLine("Event ID: {0}, ICalUID: {1}", @event.Id, @event.ICalUID);
Console.WriteLine(" Name: {0}", @event.Summary);
Console.WriteLine(" Description: {0}", @event.Description);
Console.WriteLine(" Status: {0}", @event.Status);
Console.WriteLine(" Color: {0}", @event.ColorId);
Console.WriteLine(" Attendees: {0}", @event.Attendees == null ? "" : @event.Attendees.Select(a => a.Email).ToString());
Console.WriteLine(" Kind: {0}", @event.Kind);
Console.WriteLine(" Location: {0}", @event.Location);
Console.WriteLine(" Organizer: {0}", @event.Organizer.Email);
Console.WriteLine(" Recurrence: {0}", @event.Recurrence == null ? "no recurrence" : String.Join(",", @event.Recurrence));
Console.WriteLine(" Start: {0}", @event.Start.DateTime == null ? @event.Start.Date : @event.Start.DateTime.ToString());
Console.WriteLine(" End: {0}", @event.End.DateTime == null ? @event.End.Date : @event.End.DateTime.ToString());
Console.WriteLine(" Reminders: {0}", @event.Reminders.UseDefault.Value ? "Default" : "Not defailt, " +
(@event.Reminders.Overrides == null ? "no overrides" : String.Join(",", @event.Reminders.Overrides.Select(reminder => reminder.Method + ":" + reminder.Minutes)))
);
Console.WriteLine("=====================");
}
Console.ReadKey();
}
static void Main(string[] args)
{
Connect();
}
}
}
产生的输出看起来是这样的:
The output produced looks so:
Calendar via OAuth2 Service Account Sample
Created event Id: jkits4dnpq6oflf99mfqf1kdo0
calendar id=me@testdomain.com
Event ID: 1logvocs77jierahutgv962sus, ICalUID: 1logvocs77jierahutgv962sus@google.com
Name: test event
Description: test description2
Status: confirmed
Color:
Attendees:
Kind: calendar#event
Location: location2
Organizer: me@testdomain.com
Recurrence: RRULE:FREQ=WEEKLY;BYDAY=TH
Start: 2014-07-31
End: 2014-08-01
Reminders: Not defailt, email:10,popup:10
=====================
Event ID: 1logvocs77jierahutgv962sus_20140814, ICalUID: 1logvocs77jierahutgv962sus@google.com
Name: test event updated
Description: test description2
Status: confirmed
Color:
Attendees:
Kind: calendar#event
Location: location2
Organizer: me@testdomain.com
Recurrence: no recurrence
Start: 2014-08-14
End: 2014-08-15
Reminders: Not defailt, email:10
=====================
Event ID: 974hqdhh8jhv5sdobkggmdvvd8, ICalUID: 974hqdhh8jhv5sdobkggmdvvd8@google.com
Name: One hour event
Description: test description
Status: confirmed
Color: 7
Attendees:
Kind: calendar#event
Location: Meeting Room Hire, Broadway, 255 The Bdwy, Broadway, NSW 2007, Australia
Organizer: me@testdomain.com
Recurrence: no recurrence
Start: 1/08/2014 10:00:00 AM
End: 1/08/2014 11:00:00 AM
Reminders: Default
=====================
Event ID: jkits4dnpq6oflf99mfqf1kdo0, ICalUID: jkits4dnpq6oflf99mfqf1kdo0@google.com
Name: Calendar event via API
Description: Programmatically created
Status: confirmed
Color: 6
Attendees:
Kind: calendar#event
Location:
Organizer: me@testdomain.com
Recurrence: no recurrence
Start: 2/08/2014 12:30:50 PM
End: 2/08/2014 1:30:50 PM
Reminders: Not defailt, popup:60
=====================
第一个活动是每周定期的全天活动系列.第二个是更新第一个的单个事件(具有相同的 UID).三是单项活动一小时.最后一个是由上面的代码创建的.
First event is recurrent weekly whole day event series. Second is updated single event of the first (has the same UID). Third is single event for one hour. The last is created by code above.
希望这能帮助其他人节省时间.
Hope this will help others to economy their time.
这篇关于Google API OAuth2,服务帐户,“错误":“invalid_grant"的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
