简体繁体 English

Google Cloud端点和服务帐户返回：Oauth框架用户与oauth令牌用户不匹配

[英]Google Cloud endpoints and service accounts returning :Oauth framework user didn't match oauth token user

原文 2014-01-02 17:33:54 0 2 python/ google-app-engine/ oauth/ google-cloud-endpoints/ endpoints-proto-datastore

Im trying to access a google cloud endpoint from a cmdline using service account similar to 我试图使用类似的服务帐户从cmdline访问谷歌云端点

https://code.google.com/p/google-api-python-client/source/browse/samples/service_account/tasks.py https://code.google.com/p/google-api-python-client/source/browse/samples/service_account/tasks.py

As instructed from the example, I created a clientid + pk12 cert and using them to create the credential with the SignedJwtAsertionCredential call from the oauth2client.client module. 根据示例的说明，我创建了一个clientid + pk12证书，并使用它们通过oauth2client.client模块中的SignedJwtAsertionCredential调用创建凭证。

Works as expected when I call my cloud endpoint running on my local devserver however when I call the deployed gae cloud endpoint I get 当我在我的本地devserver上调用我的云端点运行时，按预期工作，但是当我调用已部署的gae云端点时

Oauth framework user didn't match oauth token user. Oauth框架用户与oauth令牌用户不匹配。

Seems to be failing on the oauth.get_client_id(scope) call from user_id_token._set_bearer_user_vars(). 似乎是对来自user_id_token._set_bearer_user_vars（）的oauth.get_client_id（范围）调用失败了。

When I added a traceback on the exception, it looks to be coming from _maybe_raise_exception 当我在异常上添加回溯时，它看起来来自_maybe_raise_exception

E 2014-01-02 10:30:53.926 raise NotAllowedError(error_detail) E 2014-01-02 10:30:53.926 NotAllowedError E 2014-01-02 10：30：53.926 raise NotAllowedError（error_detail）E 2014-01-02 10：30：53.926 NotAllowedError

Is there a way to resolve this error without changing the app's authentication type? 有没有办法在不更改应用程序的身份验证类型的情况下解决此错误？ Seems to be not allowing the request due to the domain restriction? 由于域名限制，似乎不允许请求？

My goal is to call the cloud-endpoint without having a user involved, not sure if i'm the right path using the SignedJwtAsertionCredential call or if possible? 我的目标是在没有用户参与的情况下调用云端点，不确定我是否使用SignedJwtAsertionCredential调用是正确的路径，或者如果可能的话？

Additional info. 附加信息。

The authentication type of the endpoint is set to "Google App Domain" 端点的身份验证类型设置为“Google App Domain”

The user_required is True on the endpoint method 端点方法上的user_required为True

The access token generated from the SignedJwtAssertCredential is as expected when i use https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29 . 当我使用https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=ya29时，从SignedJwtAssertCredential生成的访问令牌是预期的。

The endpoint works as expected from the api explorer and when there is the auth flow involved. 端点在api资源管理器中按预期工作，并且当涉及auth流时。

Using the endpoints_proto_datastore library. 使用endpoints_proto_datastore库。

2 个解决方案

From extensive research I have come to the conclusion that implementing OAuth is not a viable authentication method for apps because of the simple fact that it is horrible to implement. 通过广泛的研究，我得出的结论是，实施OAuth对于应用程序来说不是一种可行的身份验证方法，因为它实现起来非常糟糕。 After spending countless hours debugging and asking questions on Stackoverflow about a simple Twitter oAuth implementation, all while receiving countless wrong answers(which safely lets me deduce that a large percentage of developers don't know how to use OAuth) I decided to never again use OAUTH. 花了无数个小时调试并在Stackoverflow上询问有关简单的Twitter oAuth实现的问题，同时收到无数错误的答案（这可以让我推断出大部分开发人员不知道如何使用OAuth）我决定永远不再使用OAUTH。

So I leave you with the words of the great French Emperor Napoleon Bonaparte 所以我告诉你伟大的法国皇帝拿破仑波拿巴的话

"Una retirada a tiempo es una victoria" -Napoleon Bonaparte “Una retirada a tiempo es una victoria” -Napoleon Bonaparte

which basically means get out while your ahead and dont waste your time with OAUTH! 这基本上意味着在你前进的时候离开，不要浪费你的OAUTH时间！

Additional information 附加信息

while experiencing my frustrations with OAUTH I ended up doing some research on who actually came up with this headache inducing concept, and it turns out that the creator has quit this project and has actually publicly denounced OAUTH in his blog: 在体验我对OAUTH的挫败感的同时，我最终做了一些关于谁真正想出这个令人头疼的诱导概念的研究，结果发现创建者已退出这个项目并且实际上在他的博客中公开谴责OAUTH：

http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/ interestingly titled the road the hell. http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/有趣地将这条道路命名为地狱之路。 So if the creator is not using OAUTH then you definitely shouldn't either. 因此，如果创建者没有使用OAUTH，那么你绝对不应该。 I have started a petition on https://petitions.whitehouse.gov/ to make the use of OAUTH illegal, so if you like you can join the fight and give us a vote, it is currently gaining traction and we appreciate any support, so go ahead and give it a vote. 我已经开始在https://petitions.whitehouse.gov/上提出申请，要求使用OAUTH非法，所以如果你愿意，你可以加入战斗并给我们投票，它目前正在获得牵引力，我们感谢任何支持，所以继续进行投票。

在此输入图像描述

The issue was due to the "Google Apps" Authentication Type selected for the application. 问题是由于为应用程序选择了“Google Apps”身份验证类型。 This setting requires all accounts using the users api to be example.com accounts and the service account is obviously not one. 此设置要求使用用户api的所有帐户都是example.com帐户，而服务帐户显然不是一个帐户。

Once we changed the Auth Type to Google accounts, there was no issue with using service account and validating the client_id. 我们将Auth Type更改为Google帐户后，使用服务帐户并验证client_id时没有任何问题。