Google Maps Coordinate API客户端可以通过身份验证，但执行时返回403禁止

Question

I've been following all (and sometimes conflicting) documentations I could find but nothing worked for me so I hope I get some answers by someone in the know. 我一直在跟踪我能找到的所有（有时是相互矛盾的）文档，但对我没有任何帮助，所以我希望我能从知道的人那里得到一些答案。 Many thanks in advance. 提前谢谢了。

I have a trial Google Maps Coordinate account that works well in the browser. 我有一个试用版Google Maps Coordinate帐户，该帐户在浏览器中效果很好。 Now I'm trying to access it programmatically using google-api-ruby-client. 现在，我尝试使用google-api-ruby-client以编程方式访问它。 I've set up a server-to-server certificate. 我已经设置了服务器到服务器的证书。

I can authenticate okay (I think) because I can get an access token. 我可以验证身份（因为我可以），因为我可以获得访问令牌。 But when I call client.execute I get 403 forbidden. 但是当我调用client.execute时，我被禁止使用403。 I am not over-quota as shown on google api console (1000/day) and I am not calling fast (less than 1/sec). 我没有在google api控制台上显示的超额配额（每天1000次），而且通话速度也不快（每秒少于1次）。

Following is what shows in irb. 以下是irb中显示的内容。 Of note is line 32. You can clearly see I have an access token. 值得注意的是第32行。您可以清楚地看到我有一个访问令牌。 The results coming back after line 38 still has the access token yet access is denied. 在第38行之后返回的结果仍然具有访问令牌，但访问被拒绝。

2.0.0p195 :021 >     require 'google/api_client/client_secrets'
=> false 
2.0.0p195 :022 > 
2.0.0p195 :023 >       key = Google::APIClient::PKCS12.load_key('privatekey.p12', 'notasecret')
=> #<OpenSSL::PKey::RSA:0x007fe70667bdb8> 
2.0.0p195 :024 >     client = Google::APIClient.new
Google::APIClient - Please provide :application_name and :application_version when initializing the client
=> #<Google::APIClient:0x007fe706680340 @host="www.googleapis.com", @port=443, @discovery_path="/discovery/v1", @user_agent="google-api-ruby-client/0.6.4 Mac OS X/10.8.5", @authorization=#<Signet::OAuth2::Client:0x007fe7067df970 @authorization_uri=#<Addressable::URI:0x3ff3833ef8f8 URI:https://accounts.google.com/o/oauth2/auth>, @token_credential_uri=#<Addressable::URI:0x3ff3833ef3e4 URI:https://accounts.google.com/o/oauth2/token>, @client_id=nil, @client_secret=nil, @scope=nil, @state=nil, @code=nil, @redirect_uri=nil, @username=nil, @password=nil, @issuer=nil, @principal=nil, @expiry=60, @audience=nil, @signing_key=nil, @extension_parameters={}>, @auto_refresh_token=true, @key=nil, @user_ip=nil, @discovery_uris={}, @discovery_documents={}, @discovered_apis={}> 
2.0.0p195 :025 >     client.authorization = Signet::OAuth2::Client.new(
2.0.0p195 :026 >             :token_credential_uri => 'https://accounts.google.com/o/oauth2/token',
2.0.0p195 :027 >             :audience => 'https://accounts.google.com/o/oauth2/token',
2.0.0p195 :028 >             :scope => 'https://www.googleapis.com/auth/coordinate',
2.0.0p195 :029 >             :issuer => '759273242939-7ens86h2qti3610f29v066v9shcq1v2t@developer.gserviceaccount.com',
2.0.0p195 :030 >             :signing_key => key)
=> #<Signet::OAuth2::Client:0x007fe7080ded68 @authorization_uri=nil, @token_credential_uri=#<Addressable::URI:0x3ff38406f024 URI:https://accounts.google.com/o/oauth2/token>, @client_id=nil, @client_secret=nil, @scope=["https://www.googleapis.com/auth/coordinate"], @state=nil, @code=nil, @redirect_uri=nil, @username=nil, @password=nil, @issuer="759273242939-7ens86h2qti3610f29v066v9shcq1v2t@developer.gserviceaccount.com", @principal=nil, @expiry=60, @audience="https://accounts.google.com/o/oauth2/token", @signing_key=#<OpenSSL::PKey::RSA:0x007fe70667bdb8>, @extension_parameters={}> 
2.0.0p195 :031 > 
2.0.0p195 :032 >       client.authorization.fetch_access_token!
=> {"access_token"=>"ya29.AHES6ZQLZdWkZVDdPwLY7rasxjFYKP89GQipfM6wR-EPRdimGA6pdQ", "token_type"=>"Bearer", "expires_in"=>3600} 
2.0.0p195 :033 > 
2.0.0p195 :034 >       coordinate = client.discovered_api('coordinate')
=> #<Google::APIClient::API:0x3ff3805d7b78 ID:coordinate:v1> 
2.0.0p195 :035 > 
2.0.0p195 :036 >       results = client.execute(
2.0.0p195 :037 >             :api_method => coordinate.jobs.list,
2.0.0p195 :038 >             :parameters => {'teamId' => 'ZXJgk_kzS2iy-Z-9yvMTxw'})
=> #<Google::APIClient::Result:0x007fe700c479a0 @request=#<Google::APIClient::Request:0x007fe700c0e6c8 @parameters={"teamId"=>"ZXJgk_kzS2iy-Z-9yvMTxw"}, @headers={"User-Agent"=>"google-api-ruby-client/0.6.4 Mac OS X/10.8.5"}, @api_method=#<Google::APIClient::Method:0x3ff3805da60c ID:coordinate.jobs.list>, @authenticated=nil, @authorization=#<Signet::OAuth2::Client:0x007fe7080ded68 @authorization_uri=nil, @token_credential_uri=#<Addressable::URI:0x3ff38406f024 URI:https://accounts.google.com/o/oauth2/token>, @client_id=nil, @client_secret=nil, @scope=["https://www.googleapis.com/auth/coordinate"], @state=nil, @code=nil, @redirect_uri=nil, @username=nil, @password=nil, @issuer="759273242939-7ens86h2qti3610f29v066v9shcq1v2t@developer.gserviceaccount.com", @principal=nil, @expiry=60, @audience="https://accounts.google.com/o/oauth2/token", @signing_key=#<OpenSSL::PKey::RSA:0x007fe70667bdb8>, @extension_parameters={}, @grant_type=nil, @refresh_token=nil, @issued_at=2013-11-12 11:32:28 +0800, @access_token="ya29.AHES6ZQLZdWkZVDdPwLY7rasxjFYKP89GQipfM6wR-EPRdimGA6pdQ", @expires_in=3600>, @body="">, @response=#<Faraday::Response:0x007fe700c479f0 @env={:method=>:get, :body=>"{\n \"error\": {\n  \"errors\": [\n   {\n    \"domain\": \"global\",\n    \"reason\": \"forbidden\",\n    \"message\": \"Forbidden\"\n   }\n  ],\n  \"code\": 403,\n  \"message\": \"Forbidden\"\n }\n}\n", :url=>#<URI::HTTPS:0x007fe700c24298 URL:https://www.googleapis.com/coordinate/v1/teams/ZXJgk_kzS2iy-Z-9yvMTxw/jobs>, :request_headers=>{"User-Agent"=>"google-api-ruby-client/0.6.4 Mac OS X/10.8.5", "Authorization"=>"Bearer ya29.AHES6ZQLZdWkZVDdPwLY7rasxjFYKP89GQipfM6wR-EPRdimGA6pdQ", "Cache-Control"=>"no-store", "Content-Type"=>"application/x-www-form-urlencoded"}, :parallel_manager=>nil, :request=>{:proxy=>nil}, :ssl=>{}, :status=>403, :response_headers=>{"content-type"=>"application/json; charset=UTF-8", "date"=>"Tue, 12 Nov 2013 03:32:27 GMT", "expires"=>"Tue, 12 Nov 2013 03:32:27 GMT", "cache-control"=>"private, max-age=0", "x-content-type-options"=>"nosniff", "x-frame-options"=>"SAMEORIGIN", "x-xss-protection"=>"1; mode=block", "server"=>"GSE", "alternate-protocol"=>"443:quic", "connection"=>"close"}, :response=>#<Faraday::Response:0x007fe700c479f0 ...>}, @on_complete_callbacks=[]>> 
2.0.0p195 :039 >     
2.0.0p195 :040 >       puts results.data.to_json
{"error":{"errors":[{"domain":"global","reason":"forbidden","message":"Forbidden"}],"code":403,"message":"Forbidden"}}
=> nil 
2.0.0p195 :041 >

Answer 1

You might be having trouble because your Service Account doesn't have a Google Maps Coordinate license. 您可能会遇到麻烦，因为您的服务帐户没有Google Maps Coordinate许可证。 I don't know of a way to give a Service Account access to Coordinate, but I have used these 2 potential workarounds: 我不知道如何授予服务帐户访问协调中心的权限，但是我使用了以下两种可能的解决方法：

Switch from using a Service Account to the Installed Application flow, when you script starts it will need to prompt a user who has access to the Coordinate team to login and give the application access but after this point it should be good to go. 从使用服务帐户切换到“已安装的应用程序”流，在脚本启动时，将需要提示有权访问Coordinate小组的用户登录并授予应用程序访问权限，但是在此之后应该可以进行。
Have your service account act on behalf of a user who has Coordinate. 让您的服务帐户代表拥有协调中心的用户行事。 You can enable a setting on your domain to let a service account act on behalf of users for certain scopes, this is documented here: https://developers.google.com/drive/delegation . 您可以在您的域上启用设置，以允许服务帐户代表用户在特定范围内采取行动，具体说明请参见： https : //developers.google.com/drive/delegation 。

Google Maps Coordinate API客户端可以通过身份验证，但执行时返回403禁止

问题描述

1 个解决方案

解决方案1
2 已采纳 2013-11-12 23:28:50

Google Maps Coordinate API客户端可以通过身份验证，但执行时返回403禁止

问题描述

1 个解决方案

解决方案1 2 已采纳 2013-11-12 23:28:50

解决方案1
2 已采纳 2013-11-12 23:28:50