将身份验证从一个Google Apps脚本网络应用传递到另一个Google Apps脚本网络应用 [英] Passing authentication from one Google Apps Script webapp to another Google Apps Script webapp
问题描述
我的Google Apps帐户中有两个Google Apps脚本。 b
脚本A:
作为我执行
谁可以访问网络应用程序:XXXXXXX.com中的任何人
脚本B:
$ b
以访问应用程序的用户身份执行
谁有权访问Web应用程序:XXXXXXX.com中的任何人
我希望脚本B使用UrlFetchApp来执行脚本A.我是否认证脚本B到脚本A?
注意: 脚本A正在用于将数据从\写入只有我有权访问的电子表格中。由于我的Google Apps域名管理员
不允许在域外进行共享,因此我无法设置匿名访问该网络应用程序的权限。 解决方案
>
我想让脚本B使用UrlFetchApp来执行脚本A.我如何将脚本B认证为脚本A?
即使脚本A设置为允许任何人访问它,但我们的目标是确保脚本B只能 脚本B能够提出有效的请求。这可以使用脚本A和脚本B有权访问的共享密钥轻松完成。当脚本B向脚本A发出请求时,它只需包含密钥。脚本A可以拒绝任何不包含密钥的请求。
只有能够查看脚本A或脚本B源代码的人才能够找到秘密密钥。当然,任何获得密钥的人都可以模拟脚本B.
作为进一步的改进,您可以使用 Utilities.computeHmacSha256Signature()
方法作为避免将秘密密钥作为请求的一部分发送的方式。这两个脚本仍然需要知道密钥,但是您可以让脚本B计算一个签名并将其作为请求的一部分发送,而不是密钥本身。
I have two Google Apps Scripts in my Google Apps account. Both have been published as webapps with the following settings.
Script A:
Execute as me
Who has access to the web app:Anyone within XXXXXXX.com
Script B:
Execute as the user accessing the app
Who has access to the web app:Anyone within XXXXXXX.com
I want to have Script B use UrlFetchApp to execute Script A. How do I authenticate Script B to Script A?
Note:
Script A is being used to get\write data from\to a spreadsheet that only I have access. Since my Google Apps domain administrator does not allow sharing outside the domain, I can not set anonymous access to the web app.
I want to have Script B use UrlFetchApp to execute Script A. How do I authenticate Script B to Script A?
Even though Script A is set up to allow anyone to access it, our goal is to secure it so that only Script B will be able to make a valid request. This can easily be accomplished using a shared secret key that both Script A and Script B have access to. When Script B makes the request to Script A, it simply needs to include the secret key. Script A can refuse any request which does not include the secret key.
Only someone who is able to view the source code to either Script A or Script B will be able to find the secret key. Of course, anyone who obtains the secret key is able to impersonate Script B.
As a further enhancement, you could use the Utilities.computeHmacSha256Signature()
method as a way to avoid sending the secret key as part of the request. Both scripts still need to know the secret key, but you can have Script B compute a signature and send that as part of the request instead of the secret key itself.
这篇关于将身份验证从一个Google Apps脚本网络应用传递到另一个Google Apps脚本网络应用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!