Passing authentication from one Google Apps Script webapp to another Google Apps Script webapp


Problem description


I have two Google Apps Scripts in my Google Apps account. Both have been published as webapps with the following settings.

Script A:

Execute as me
Who has access to the web app: Anyone within XXXXXXX.com

Script B:

Execute as the user accessing the app
Who has access to the web app: Anyone within XXXXXXX.com

I want to have Script B use UrlFetchApp to execute Script A. How do I authenticate Script B to Script A?

Note:

Script A is being used to get\write data from\to a spreadsheet that only I have access to. Since my Google Apps domain administrator does not allow sharing outside the domain, I cannot set anonymous access to the web app.

Solution

I want to have Script B use UrlFetchApp to execute Script A. How do I authenticate Script B to Script A?

Even though Script A is set up to allow anyone to access it, our goal is to secure it so that only Script B will be able to make a valid request. This can easily be accomplished using a shared secret key that both Script A and Script B have access to. When Script B makes the request to Script A, it simply needs to include the secret key. Script A can refuse any request which does not include the secret key.

Only someone who is able to view the source code to either Script A or Script B will be able to find the secret key. Of course, anyone who obtains the secret key is able to impersonate Script B.

As a further enhancement, you could use the Utilities.computeHmacSha256Signature() method as a way to avoid sending the secret key as part of the request. Both scripts still need to know the secret key, but you can have Script B compute a signature and send that as part of the request instead of the secret key itself.
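The signed-request variant described in the answer above, as an added example (not code from the original answer). It is written for Node.js so it runs offline; in Apps Script the hmacHex helper would wrap Utilities.computeHmacSha256Signature(). The function names, the payload/ts/sig parameter names, the timestamp freshness check and the constant-time comparison are assumptions that go beyond what the answer states.

```javascript
// Added example: Node.js stand-in for the two Apps Script web apps.
const crypto = require('crypto');

const MAX_SKEW_MS = 5 * 60 * 1000; // assumption: accept requests up to 5 minutes old

// HMAC-SHA256 of message under key, hex encoded.
// Apps Script equivalent: Utilities.computeHmacSha256Signature(message, key).
function hmacHex(message, key) {
  return crypto.createHmac('sha256', key).update(message, 'utf8').digest('hex');
}

// Script B side: build the parameters to send with UrlFetchApp.fetch().
// The secret key itself never leaves Script B; only the signature does.
function signRequest(payload, key, nowMs) {
  const ts = String(nowMs);
  // ts is digits only, so "." is an unambiguous separator.
  return { payload, ts, sig: hmacHex(ts + '.' + payload, key) };
}

// Script A side: recompute the signature and refuse anything that does not match.
function verifyRequest(params, key, nowMs) {
  const { payload, ts, sig } = params || {};
  if (typeof payload !== 'string' || typeof ts !== 'string' || typeof sig !== 'string') {
    return false;
  }
  // Stale or future timestamps are rejected so a captured request cannot be replayed later.
  if (!/^\d+$/.test(ts) || Math.abs(nowMs - Number(ts)) > MAX_SKEW_MS) return false;
  const expected = Buffer.from(hmacHex(ts + '.' + payload, key), 'hex');
  const given = Buffer.from(sig, 'hex'); // invalid hex yields a short buffer
  if (given.length !== expected.length) return false;
  return crypto.timingSafeEqual(expected, given); // constant-time comparison
}

// Constructed sample values, for demonstration only.
function demo() {
  const key = 'constructed-demo-key';
  const now = 1700000000000;
  const req = signRequest('row=42&value=hello', key, now);
  const tampered = Object.assign({}, req, { payload: 'row=43&value=hello' });
  return {
    genuine: verifyRequest(req, key, now + 1000),
    tampered: verifyRequest(tampered, key, now + 1000),
    replayedLater: verifyRequest(req, key, now + 6 * 60 * 1000),
  };
}

console.log(demo());
```

The signature covers the payload, so Script A should read the data it acts on from the same payload string it verified, not from separate unsigned parameters.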
