Is it possible to be able to correctly select any available Google account to use when using authorisation via the JS client library for Drive?


Problem description


I've got an existing Google Drive enabled application that's using the Google Java client library and server flow auth.

If you're not logged into the application and navigate to the URL AND you have logged into more than one google account on that browser (only one personal Google account is possible, any additional ones have to be Google business accounts) the OAuth callback offers the options to select which Google Account to use.

However, whilst testing a switch to using the JavaScript client library I'm not able to activate the multiple account selection screen using gapi.auth.authorize. Is it possible to handle multiple accounts using the JS library?

Update: I tried with the immediate parameter false. I can log in as long as I don't change account in the popup. If I do change account, I get to:

https://accounts.google.com/o/oauth2/auth?client_id=433863057149.apps.googleusercontent.com&scope=https://www.googleapis.com/auth/drive.file+https://www.googleapis.com/auth/drive.install+https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/userinfo.profile&immediate=false&redirect_uri=postmessage&origin=https://drivedrawio.appspot.com&proxy=oauth2relay593063763&response_type=token&state=701344514&authuser=1

in a new tab and nothing happens. I've made a video to demonstrate.

Update 2: This bug against the JS client library for the need for double selection of multiple accounts has been accepted.

Solution

You are not getting the multi-user selection screen because of the following parameter: authuser=0. This automatically selects the first account you are signed in with (authuser=1 would select the second, etc.).

It's currently not possible to remove that param using the client library because the client library sets it automatically to 0 (this is why it claims not to handle multi-accounts) if there is no value, so one way is to override it to -1 for example; this will show the multi-account chooser. Then you could also ask to access the user's profile or email at the same time you ask access to other APIs and fetch either the email of the user or its ID. Then on subsequent auth you can specify the user_id param which will bypass the user-selection screen.

So in practice, first authorize like this:

gapi.auth.authorize({client_id: 'YOUR_CLIENT_ID', // placeholder: your OAuth client ID
                     scope: 'https://www.googleapis.com/auth/drive openid', // That requires access to Google Drive and to the UserInfo API
                     authuser: -1}); // -1 shows the multi-account chooser

The only problem with the above is that the auto-refresh of the client library will not work because every auth will be blocked at the multi-account selection screen.

The trick is to get the ID of the user using the UserInfo API, save that ID in a session cookie and use it on subsequent auth like that:

gapi.auth.authorize({client_id: 'YOUR_CLIENT_ID', // placeholder: your OAuth client ID
                     scope: 'https://www.googleapis.com/auth/drive openid',
                     user_id: 'THE_USER_ID', // placeholder: ID saved after the first auth
                     authuser: -1});

Specifying the User's ID will make sure the multi-account chooser is bypassed and will allow the auto-refresh of the token from the client lib to work again.

For reference, other URL params that impact the User flow are:

  • user_id: similar to authuser (bypasses the multi-account selection screen) but you can use email address (e.g. bob@gmail.com) or the User ID you get from our Open ID Connect endpoint/Google+ API/UserInfo API
  • approval_prompt: default is auto, can be set to force to make sure that the approval/grant screen gets shown. This makes sure that the grant screen is not bypassed on subsequent auth (after first time).
  • immediate: immediate is a bit tricky, when set to true it will bypass the grant screen (kinda like approval_prompt=auto) if the user already granted approval previously, but if the user has not granted approval previously you will get redirected with an error: error=immediate_failed. If set to false it won't add special behavior and therefore fall back on the behavior set up by the approval_prompt value.

Note: immediate=true and approval_prompt=force is an invalid combination.

I think the client library is using the immediate param so that if it gets the error=immediate_failed it will restart an auth flow without the authuser param, but that's only speculation :)
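
The two-step flow described in the answer above, as an added example that is not part of the original answer: the first sign-in shows the chooser with authuser: -1, later sign-ins pass the remembered user_id, and the returned identity is compared with the remembered one before the token is used. Assumptions: authorize stands for gapi.auth.authorize, while store (for example a session cookie wrapper), fetchUserId (a UserInfo lookup) and the mismatch check are hypothetical additions.

```javascript
// Added example, not the answerer's code. authorize has the shape of
// gapi.auth.authorize(params, callback); store and fetchUserId are
// hypothetical helpers supplied by the caller.
const SCOPE = 'https://www.googleapis.com/auth/drive openid';

// Build the parameter object for one authorization attempt.
function buildAuthParams(clientId, userId, opts = {}) {
  if (opts.immediate === true && opts.approvalPrompt === 'force') {
    // The answer notes this pair is an invalid combination.
    throw new Error('immediate=true cannot be combined with approval_prompt=force');
  }
  const params = { client_id: clientId, scope: SCOPE, authuser: -1 };
  if (userId) params.user_id = userId;            // known user: chooser is bypassed
  if (opts.immediate !== undefined) params.immediate = opts.immediate;
  if (opts.approvalPrompt) params.approval_prompt = opts.approvalPrompt;
  return params;
}

// First run: show the chooser, then remember who was picked.
// Later runs: pass user_id and confirm the token belongs to that user.
function signIn(clientId, store, authorize, fetchUserId, done) {
  const remembered = store.get('uid');            // e.g. read from a session cookie
  authorize(buildAuthParams(clientId, remembered), (token) => {
    if (!token || token.error) {
      return done(new Error(token ? token.error : 'no token'));
    }
    fetchUserId(token, (id) => {
      if (remembered && id !== remembered) {
        store.delete('uid');                      // stale or mismatched account
        return done(new Error('account mismatch'));
      }
      store.set('uid', id);
      done(null, { token, userId: id });
    });
  });
}
```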
