Google 服务帐号无法模拟 G Suite 用户 [英] Google service account can't impersonate GSuite user
问题描述
from google.oauth2 import service_account
import googleapiclient.discovery
SCOPES = ['https://www.googleapis.com/auth/calendar']
SERVICE_ACCOUNT_FILE = 'GOOGLE_SECRET.json'
credentials = service_account.Credentials.from_service_account_file(
SERVICE_ACCOUNT_FILE, scopes=SCOPES)
delegated_credentials = credentials.with_subject('address@example.com')
google_calendar = googleapiclient.discovery.build('calendar', 'v3', credentials=delegated_credentials)
events = google_calendar.events().list(
calendarId='address@example.com',
maxResults=10
).execute()
上述代码的结果为:
google.auth.exceptions.RefreshError: ('unauthorized_client: Client is unauthorized to retrieve access tokens using this method.', '{
"error" : "unauthorized_client",
"error_description" : "Client is unauthorized to retrieve access tokens using this method."
}')
域范围委派
已开启.服务帐号客户端 ID 在 GSuite 中获得了适当范围的授权.
Domain-wide delegation
is on. The service account client ID is authorized with the appropriate scopes in GSuite.
服务帐户适用于普通凭据.它仅不适用于委派凭据.
The service account works for normal credentials. It only doesn't work for delegated credentials.
我在我们的域中尝试了不同的 API(范围)和不同的用户.
I've tried different APIs (scopes) and different users in our domain.
我让一位同事尝试从头开始编写一个样本,他得到了同样的结果.
I had a colleague try to code up a sample from scratch and he got the same thing.
推荐答案
我认为您的问题是您在致电 日历 API 但我在自己的实现中使用了一些不同之处
I think you're problem is that your not authorising your credentials before making the call to the Calendar API but there is a couple of differences that you have that I use in my own implementation
使用以下导入语句
Use the following import statements
from oauth2client.service_account import ServiceAccountCredentials
from apiclient import discovery
授权凭据并在构建服务时将其作为 http
参数传递
Authorise the credentials and pass it as a http
argument when building the service
尝试修改您的代码:
from apiclient import discovery
from oauth2client.service_account import ServiceAccountCredentials
import httplib2
SCOPES = ['https://www.googleapis.com/auth/calendar']
SERVICE_ACCOUNT_FILE = 'GOOGLE_SECRET.json'
credentials = ServiceAccountCredentials.from_json_keyfile_name(
SERVICE_ACCOUNT_FILE, scopes=SCOPES)
# Use the create_delegated() method and authorize the delegated credentials
delegated_credentials = credentials.create_delegated('address@example.com')
delegated_http = delegated_credentials.authorize(httplib2.Http())
google_calendar = discovery.build('calendar', 'v3', http=delegated_http)
events = google_calendar.events().list(
calendarId='address@example.com',
maxResults=10
).execute()
我还建议在您的 API 调用中设置 calendarId='primary'
,以便您始终返回当前已为其委派凭据的用户的主日历.
I would also suggest setting calendarId='primary'
in your API call so that you always return the primary calendar of the user who you currently have delegated credentials for.
有关使用 ServiceAccountCredentials
进行身份验证的更多信息,请参阅以下链接:http://oauth2client.readthedocs.io/en/latest/source/oauth2client.service_account.html
For more information on authenticating using ServiceAccountCredentials
see the following link: http://oauth2client.readthedocs.io/en/latest/source/oauth2client.service_account.html
这篇关于Google 服务帐号无法模拟 G Suite 用户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!