Google Coordinate OAuth2 with Service Account


Question

I have a C# console application with Google Coordinate .Net library and Service Account open authentication.

private const string SERVICE_ACCOUNT_EMAIL = "XXX@developer.gserviceaccount.com";
private const string SERVICE_ACCOUNT_PKCS12_FILE_PATH = @"<path-to-private-key-file>YYY-privatekey.p12";
private const string GOOGLE_COORDINATE_TEAM_ID = "ZZZ";

private CoordinateService BuildService()
{
    X509Certificate2 certificate = new X509Certificate2(SERVICE_ACCOUNT_PKCS12_FILE_PATH, "notasecret", X509KeyStorageFlags.Exportable);

    var provider = new AssertionFlowClient(GoogleAuthenticationServer.Description, certificate){
        ServiceAccountId = SERVICE_ACCOUNT_EMAIL,
        Scope = CoordinateService.Scopes.Coordinate.GetStringValue()
    };
    var auth = new OAuth2Authenticator<AssertionFlowClient>(provider, AssertionFlowClient.GetState);

    return new CoordinateService(new BaseClientService.Initializer(){
        Authenticator = auth
    });
}

//some code that retrieves data from coordinate service
public void DoSomething()
{
    CoordinateService service = BuildService();
    var response = service.Jobs.List(GOOGLE_COORDINATE_TEAM_ID).Fetch();
    ...
}

On retrieving the list of jobs from the Coordinate Service, a DotNetOpenAuth.Messaging.ProtocolException occurred (inner exception "The remote server returned an error: (400) Bad Request"). Using Fiddler I managed to see the response from the Google OAuth service. JSON response object:

{
  "error" : "invalid_grant"
}

I have read some articles that suggest changing the local server time in order to match the Google OAuth server time. But after changing the time one way and the other, the problem remains the same. Could you please give me some ideas why this is happening? Thanks for all responses!

Recommended answer

Service accounts cannot be used with the Coordinate API. [this is because the Coordinate API requires authenticated API users to have a Coordinate license, but it is not possible to attach a Coordinate license to a service account]

You can use the web server flow instead, please find the sample below.

Make sure to update the code below, where there are comments containing "TO UPDATE".

using System; 
using System.Diagnostics; 
using System.Collections.Generic; 
using DotNetOpenAuth.OAuth2; 
using Google.Apis.Authentication.OAuth2; 
using Google.Apis.Authentication.OAuth2.DotNetOpenAuth; 
using Google.Apis.Coordinate.v1; 
using Google.Apis.Coordinate.v1.Data;
using Google.Apis.Services; // BaseClientService.Initializer

namespace Google.Apis.Samples.CoordinateOAuth2
{ 
    /// <summary> 
    /// This sample demonstrates the simplest use case for an OAuth2 service. 
    /// The schema provided here can be applied to every request requiring authentication. 
    /// </summary> 
    public class ProgramWebServer
    { 
        public static void Main (string[] args)
        { 
            // TO UPDATE, can be found in the Coordinate application URL
            String TEAM_ID = "jskdQ--xKjFiFqLO-IpIlg"; 

            // Register the authenticator. 
            var provider = new WebServerClient (GoogleAuthenticationServer.Description);
            // TO UPDATE, can be found in the APIs Console.
            provider.ClientIdentifier = "335858260352.apps.googleusercontent.com";
            // TO UPDATE, can be found in the APIs Console.
            provider.ClientSecret = "yAMx-sR[truncated]fX9ghtPRI"; 
            var auth = new OAuth2Authenticator<WebServerClient> (provider, GetAuthorization); 

            // Create the service. 
            var service = new CoordinateService(new BaseClientService.Initializer()
                       {
                          Authenticator = auth
                       });

            //Create a Job Resource for optional parameters https://developers.google.com/coordinate/v1/jobs#resource 
            Job jobBody = new Job (); 
            jobBody.Kind = "Coordinate#job"; 
            jobBody.State = new JobState (); 
            jobBody.State.Kind = "coordinate#jobState"; 
            jobBody.State.Assignee = "user@example.com"; 


            //Create the Job 
            JobsResource.InsertRequest ins = service.Jobs.Insert (jobBody, TEAM_ID, "My Home", "51", "0", "Created this Job with the .Net Client Library");
            Job results = ins.Fetch (); 

            //Display the response 
            Console.WriteLine ("Job ID:"); 
            Console.WriteLine (results.Id.ToString ()); 
            Console.WriteLine ("Press any Key to Continue"); 
            Console.ReadKey (); 
        }

        private static IAuthorizationState GetAuthorization (WebServerClient client)
        { 
            IAuthorizationState state = new AuthorizationState (new[] { "https://www.googleapis.com/auth/coordinate" }); 
            // The refresh token has already been retrieved offline
            // In a real-world application, this has to be stored securely, since this token
            // gives access to all user data on the Coordinate scope, for the user who accepted the OAuth2 flow
            // TO UPDATE (see below the sample for instructions)
            state.RefreshToken = "1/0KuRg-fh9yO[truncated]yNVQcXcVYlfXg";

            return state;
        } 

    } 
}

A refresh token can be retrieved by using the OAuth2 Playground:

  • In the APIs Console, add the OAuth Playground URL, https://developers.google.com/oauthplayground, as an authorized redirect URI (we’ll need that when we retrieve a refresh token in the OAuth Playground, below)
  • Go to the OAuth Playground, in a browser session that has your API user authenticated (this user needs to have a Coordinate license). Make sure to provide your own OAuth2 client ID (Settings > Use your own OAuth credentials). Otherwise, your refresh token will be tied to the OAuth2 playground's internal OAuth2 client ID, and will be rejected when you want to use the refresh token with your own client IDs to get an access token.
  • Use the scope https://www.googleapis.com/auth/coordinate
      • In Step 1, hit "Authorize the API"
      • In Step 2, hit "Exchange Authorization codes for tokens"
  • Copy the refresh token in your code. Keep it secure.
  • This refresh token does not expire, so your app will stay authenticated.
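
The sample above hard-codes the refresh token, and its comments note that a real application has to store it securely. The following is an added example, not part of the original answer or of the Google client library, showing one way to do that on Windows with DPAPI. The class name `RefreshTokenStore`, the file location and the entropy string are hypothetical, and the project is assumed to reference the System.Security assembly.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example: stores the OAuth2 refresh token encrypted with Windows DPAPI
// instead of embedding it in source code. All names and paths are hypothetical.
public static class RefreshTokenStore
{
    // Hypothetical location under the current user's profile.
    private static readonly string TokenPath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "CoordinateSample", "refresh_token.bin");

    // Extra entropy ties the blob to this application; it is not a secret by itself.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("CoordinateSample/v1");

    public static void Save(string refreshToken)
    {
        byte[] plain = Encoding.UTF8.GetBytes(refreshToken);
        // CurrentUser scope: only the same Windows account can decrypt the blob.
        byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
        Directory.CreateDirectory(Path.GetDirectoryName(TokenPath));
        File.WriteAllBytes(TokenPath, blob);
        Array.Clear(plain, 0, plain.Length);
    }

    public static string Load()
    {
        if (!File.Exists(TokenPath))
            throw new InvalidOperationException("No stored refresh token; run with --store first.");
        byte[] blob = File.ReadAllBytes(TokenPath);
        // Throws CryptographicException if the blob was modified or belongs to another account.
        byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
        try { return Encoding.UTF8.GetString(plain); }
        finally { Array.Clear(plain, 0, plain.Length); }
    }
}

public static class Demo
{
    public static void Main(string[] args)
    {
        // One-time setup: read the token from stdin so it never appears in the
        // process command line or in shell history.
        if (args.Length == 1 && args[0] == "--store")
            RefreshTokenStore.Save((Console.ReadLine() ?? "").Trim());
        string token = RefreshTokenStore.Load();
        Console.WriteLine("Loaded refresh token of length " + token.Length);
    }
}
```

With this in place, `GetAuthorization` in the sample can set `state.RefreshToken = RefreshTokenStore.Load();` instead of a string literal. The client secret can be kept out of source the same way.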
