Google 服务帐号无法模拟 G Suite 用户 [英] Google service account can't impersonate GSuite user

问题描述

from google.oauth2 import service_account
import googleapiclient.discovery

SCOPES = ['https://www.googleapis.com/auth/calendar']
SERVICE_ACCOUNT_FILE = 'GOOGLE_SECRET.json'

credentials = service_account.Credentials.from_service_account_file(
        SERVICE_ACCOUNT_FILE, scopes=SCOPES)

delegated_credentials = credentials.with_subject('address@example.com')

google_calendar = googleapiclient.discovery.build('calendar', 'v3', credentials=delegated_credentials)

events = google_calendar.events().list(
    calendarId='address@example.com',
    maxResults=10
).execute()

上述代码的结果为:

google.auth.exceptions.RefreshError: ('unauthorized_client: Client is unauthorized to retrieve access tokens using this method.', '{
  "error" : "unauthorized_client",
  "error_description" : "Client is unauthorized to retrieve access tokens using this method."
}')

域范围委派 已开启.服务帐号客户端 ID 在 GSuite 中获得了适当范围的授权.

Domain-wide delegation is on. The service account client ID is authorized with the appropriate scopes in GSuite.

服务帐户适用于普通凭据.它仅不适用于委派凭据.

The service account works for normal credentials. It only doesn't work for delegated credentials.

我在我们的域中尝试了不同的 API(范围)和不同的用户.

I've tried different APIs (scopes) and different users in our domain.

我让一位同事尝试从头开始编写一个样本，他得到了同样的结果.

I had a colleague try to code up a sample from scratch and he got the same thing.

推荐答案

我认为您的问题是您在致电 日历 API 但我在自己的实现中使用了一些不同之处

I think you're problem is that your not authorising your credentials before making the call to the Calendar API but there is a couple of differences that you have that I use in my own implementation

• 使用以下导入语句

• Use the following import statements

from oauth2client.service_account import ServiceAccountCredentials
from apiclient import discovery

使用from_json_keyfile_name 方法

授权凭据并在构建服务时将其作为 http 参数传递

Authorise the credentials and pass it as a http argument when building the service

尝试修改您的代码:

from apiclient import discovery
from oauth2client.service_account import ServiceAccountCredentials
import httplib2

SCOPES = ['https://www.googleapis.com/auth/calendar']
SERVICE_ACCOUNT_FILE = 'GOOGLE_SECRET.json'

credentials = ServiceAccountCredentials.from_json_keyfile_name(
        SERVICE_ACCOUNT_FILE, scopes=SCOPES)

# Use the create_delegated() method and authorize the delegated credentials
delegated_credentials = credentials.create_delegated('address@example.com')  
delegated_http = delegated_credentials.authorize(httplib2.Http())
google_calendar = discovery.build('calendar', 'v3', http=delegated_http)

events = google_calendar.events().list(
    calendarId='address@example.com',
    maxResults=10
).execute()

我还建议在您的 API 调用中设置 calendarId='primary'，以便您始终返回当前已为其委派凭据的用户的主日历.

I would also suggest setting calendarId='primary' in your API call so that you always return the primary calendar of the user who you currently have delegated credentials for.

有关使用 ServiceAccountCredentials 进行身份验证的更多信息，请参阅以下链接:http://oauth2client.readthedocs.io/en/latest/source/oauth2client.service_account.html

For more information on authenticating using ServiceAccountCredentials see the following link: http://oauth2client.readthedocs.io/en/latest/source/oauth2client.service_account.html

这篇关于Google 服务帐号无法模拟 G Suite 用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！