Google OAuth 2.0 include_granted_scopes not working for installed app


Problem description


I'm attempting to use the new incremental authorization for an installed app in order to add scopes to an existing authorization while keeping the existing scopes. This is done using the new include_granted_scopes=true parameter. However, no matter what I've tried, the re-authorization always overwrites the scopes completely. Here's a minimal Bash PoC script I've written to demo my issue:

#!/usr/bin/env bash
# Minimal PoC: authorize repeatedly and print the scopes each resulting token carries.
client_id='716905662885.apps.googleusercontent.com' # throw away client_id (non-prod)
client_secret='CMVqIy_iQqBEMlzjYffdYM8A' # not really a secret
redirect_uri='urn:ietf:wg:oauth:2.0:oob'

while :
do
  echo "Please enter a list of scopes (space separated) or CTRL+C to quit:"
  read -r scope
  # scope is a space-separated list (RFC 6749 section 3.3); percent-encode the
  # spaces so the URL is valid as printed
  scope_param=${scope// /%20}

  # Form the request URL
  # http://goo.gl/U0uKEb
  auth_url="https://accounts.google.com/o/oauth2/auth?scope=$scope_param&redirect_uri=$redirect_uri&response_type=code&client_id=$client_id&approval_prompt=force&include_granted_scopes=true"

  echo "Please go to:"
  echo
  echo "$auth_url"
  echo
  echo "after accepting, enter the code you are given:"
  read -r auth_code

  # swap authorization code for access token
  # http://goo.gl/Mu9E5J
  auth_result=$(curl -s https://accounts.google.com/o/oauth2/token \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "code=$auth_code" \
    -d "client_id=$client_id" \
    -d "client_secret=$client_secret" \
    -d "redirect_uri=$redirect_uri" \
    -d grant_type=authorization_code)
  # printf rather than echo -e so backslash escapes in the JSON are left alone
  access_token=$(printf '%s\n' "$auth_result" | \
               grep -Po '"access_token" *: *.*?[^\\]",' | \
               awk -F'"' '{ print $4 }')

  echo
  echo "Got an access token of:"
  echo "$access_token"
  echo

  # Show information about our access token
  info_result=$(curl -s --get https://www.googleapis.com/oauth2/v2/tokeninfo \
    -d "access_token=$access_token")
  current_scopes=$(printf '%s\n' "$info_result" | \
                   grep -Po '"scope" *: *.*?[^\\]",' | \
                   awk -F'"' '{ print $4 }')

  echo "Our access token now allows the following scopes:"
  echo "$current_scopes" | tr " " "\n"
  echo
  echo "Let's add some more!"
  echo

done


The script simply performs OAuth authorization and then prints out the scopes the token is currently authorized to use. In theory it should continue to add scopes each time through, but in practice the list of scopes is getting overwritten each time. So the idea would be: on the first run you'd use a minimal scope, something like email, and then on the next run tack on something more, like read-only calendar https://www.googleapis.com/auth/calendar.readonly. Each time, the user should only be prompted to authorize the currently requested scopes, but the resulting token should be good for all scopes, including those authorized on previous runs.


I've tried with a fresh client_id/secret and the results are the same. I know I could just include the already authorized scopes again, but that prompts the user for all of the scopes, even those already granted, and we all know the longer the list of scopes, the less likely the user is to accept.


UPDATE: during further testing, I noticed that the permissions for my app do show the combined scopes of each incremental authorization. I tried waiting 30 seconds or so after the incremental auth, then grabbing a new access token with the refresh token, but that access token is still limited to the scopes of the last authorization, not the combined scope list.


UPDATE 2: I've also toyed around with keeping the original refresh token. The refresh token is only getting new access tokens that allow the original scopes; the incrementally added scopes are not included. So it seems, effectively, that include_granted_scopes=true is having no effect on the tokens: the old and new refresh tokens continue to work, but only for their specified scopes. I cannot get a "combined scope" refresh or access token.
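As an added example (not code from the original question or its answer), here is a small Python 3 helper, standard library only, that does the two things the shell script above does with grep, but more robustly: it reads the scope list out of a tokeninfo response with a JSON parser, and it builds the next authorization URL either the way the question expects (send only the new scopes and rely on include_granted_scopes=true) or the workaround the question mentions (re-request the union of already-granted and new scopes). The tokeninfo body and the client_id below are constructed sample values; the query parameters are the ones the script above already sends to accounts.google.com.

```python
"""Incremental-authorization helpers for Google's OAuth 2.0 auth endpoint.

Added example, not from the original post. SAMPLE_TOKENINFO is a constructed
tokeninfo response; SAMPLE_CLIENT_ID is a placeholder.
"""
import json
from urllib.parse import urlencode, quote, urlparse, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
OOB_REDIRECT_URI = "urn:ietf:wg:oauth:2.0:oob"

SAMPLE_CLIENT_ID = "000000000000.apps.googleusercontent.com"  # placeholder

# Constructed sample of what /oauth2/v2/tokeninfo returns for a token that was
# granted two scopes. Field order is arbitrary; a JSON parser does not care.
SAMPLE_TOKENINFO = json.dumps({
    "issued_to": SAMPLE_CLIENT_ID,
    "audience": SAMPLE_CLIENT_ID,
    "expires_in": 3599,
    "scope": "https://www.googleapis.com/auth/userinfo.email openid",
    "access_type": "offline",
})


def granted_scopes(tokeninfo_body):
    """Scopes the token carries, parsed from the tokeninfo JSON body.

    The scope field is a single space-separated string (RFC 6749 section 3.3).
    """
    data = json.loads(tokeninfo_body)
    return set(data.get("scope", "").split())


def missing_scopes(tokeninfo_body, required):
    """Required scopes the token does NOT carry. Empty set means it is usable."""
    return set(required) - granted_scopes(tokeninfo_body)


def build_auth_url(client_id, scopes, redirect_uri=OOB_REDIRECT_URI,
                   include_granted_scopes=True, force_prompt=True):
    """Authorization-code request URL for an installed (out-of-band) app."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(set(scopes))),
        "include_granted_scopes": "true" if include_granted_scopes else "false",
    }
    if force_prompt:
        params["approval_prompt"] = "force"
    # quote (not quote_plus) so spaces become %20 rather than '+'
    return AUTH_ENDPOINT + "?" + urlencode(params, quote_via=quote)


def incremental_request(client_id, new_scopes, tokeninfo_body,
                        rely_on_include_granted=True):
    """URL for the next authorization round.

    rely_on_include_granted=True : send only the new scopes and trust
        include_granted_scopes=true to merge them (what the question expects).
    rely_on_include_granted=False: re-send the union of already-granted and new
        scopes, so the token is guaranteed to cover all of them at the cost of
        the consent screen listing every scope again (the workaround mentioned).
    """
    scopes = set(new_scopes)
    if not rely_on_include_granted:
        scopes |= granted_scopes(tokeninfo_body)
    return build_auth_url(client_id, scopes)


def scopes_in_url(url):
    """Decode the scope parameter back out of an authorization URL."""
    return set(parse_qs(urlparse(url).query)["scope"][0].split())


if __name__ == "__main__":
    calendar_ro = "https://www.googleapis.com/auth/calendar.readonly"
    print("token lacks:", missing_scopes(SAMPLE_TOKENINFO, [calendar_ro]))
    print("incremental:", incremental_request(SAMPLE_CLIENT_ID, [calendar_ro],
                                              SAMPLE_TOKENINFO))
    print("union      :", incremental_request(SAMPLE_CLIENT_ID, [calendar_ro],
                                              SAMPLE_TOKENINFO, False))
```

missing_scopes is the check to run before using a token for a new API: if the required scope is not in the tokeninfo scope list, the API call will fail, which is what the script above observes after each re-authorization. The union variant is the fallback when include_granted_scopes does not merge anything, and its cost is exactly the long consent screen the question wants to avoid.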

Recommended answer


Google's OAuth 2.0 service does not support incremental auth for installed/native apps; it only works for the web server case. Their documentation is broken.
