当'执行应用程序为我'时Google API授权。 [英] Google API Authorization when 'Executing the app as me.'
问题描述
发布网络应用程序后,我通过外部帐户对其进行了测试,精细。刷新标记然后从脚本所有者的UserProperties中移除。当应用程序从外部帐户再次运行时,它会提示授权并正确授权(将新标记保存在脚本所有者的UserProperties中)。但是,对API的下一次POST调用收到403-Forbidden错误。此时,应用程序将继续从任何帐户(包括脚本所有者的帐户)收到403-Forbidden错误,直到令牌被手动清除并作为脚本所有者重新授权。
为什么这些令牌无效?我希望,由于应用程序正在作为脚本/融合所有者执行,所以以编程方式接收的任何令牌都将与脚本/融合所有者授权的令牌一样有效。如果我的期望不正确,我该如何防范多用户的这种情况?
更新
我已经在这方面获得了更多的牵引力,并确定了一些我想在此分享的相关问题。首先,我手动删除了令牌(刷新和访问),以测试应用程序授权的能力。后续授权未返回刷新令牌(导致过度提示)。我发现这是来自google API的故意结果。除了必需的请求参数以返回刷新令牌之外,我发现刷新令牌仅在第一次用户提示和授权时返回( ref。here))。为了获得另一个更新令牌,您需要撤销并在请求中重新授权或强制批准提示。一旦我确定它变得更加清楚,令牌被附加到做出初始授权请求的用户。只要我保留由脚本/表所有者获取的刷新令牌,那么脚本可以由任何外部用户使用(并且使用刷新令牌以编程方式重新授权)。这让我回到了这一点。如果我失去了刷新令牌,我需要手动删除所有剩余的令牌碎片,以脚本/表所有者的身份登录,撤销对应用的访问权限,然后重新授权。
Per Zig's回答如下,那就是它是如何。有没有办法我可以通过编程方式阻止这个非常手动的过程? 解决方案
脚本作为所有者执行将通过appscript builtin自动保存所有者标记认证。
但是,如果您自己在做oauth流程,它将保存用户的令牌,从而无法访问您的数据。
Over the last few months I have become familiar with OAuth2.0 authorization within google apps script but a recent anomaly has me confuzzled. I have a standalone web-app that acts as a front-end to a fusion table. The web-app is set to 'execute as' the script and fusion table owner and the fusion table grants view access to external users. The program detects authorization, prompts if needed, and uses refresh tokens if they're available. When run from the account that owns the script and fusion table, all is well.
Once I published the web-app, I tested it from an external account and it worked fine. The refresh token was then removed from the script-owner's UserProperties. When the app was run again from an external account, it prompted for authorization and authorized correctly (saving the new tokens in the UserProperties of the script-owner). However, the next POST call to the API received a 403-Forbidden error. At this point the app will continue to receive 403-Forbidden errors from any account (including the script-owner's account) until the tokens are manually cleared and reauthorized as the script-owner.
Why is it that these tokens are not valid? I would expect that since the app is being 'executed as' the script/fusion owner, any tokens received programmatically would be as valid as those those authorized by the script/fusion owner. If my expectations are incorrect, how can I protect against this situation for multiple users?
Update
I've gained some more traction on this and have identified some related issues that I wanted to share here. First of all, I was manually deleting the tokens (refresh and access) to test the ability of the app to authorize. Subsequent authorizations were not returning a refresh token (which caused excessive prompting). I found out that this is an intentional outcome from the google API. Aside from the requisite request parameters to return a refresh token, I found out that a refresh token is only returned on the first user-prompt and authorization(ref. here). In order to get another refresh token, you need to either revoke-acess and re-authorize or force the approval prompt in the request. Once I fixed that it became much clearer that the token was 'attached' to the user making the initial authorization request. As long as I retained the refresh token acquired by the script/table owner, then the script could be used (and reauthorized programmatically using the refresh token) by any external user. Which brings me back to the point. If I lose the refresh token, I need to manually delete all remaining token scraps, login as script/table owner, revoke access to the app, then reauthorize.
Per Zig's answer below, that is just how it is. Is there no way I can programmatically prevent that very manual process?
Script executing as owner will save owner tokens automatically through appscript builtin authentication. However if you are doing the oauth flow yourself, it will save the user's token and thus wont have access to your data.
这篇关于当'执行应用程序为我'时Google API授权。的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
