简体繁体 English

Google App Engine服务器到服务器OAuth Python

[英]Google App Engine Server to Server OAuth Python

原文 2015-09-11 13:04:33 0 2 python/ google-app-engine/ gmail/ google-oauth/ service-accounts

I can't find a solution to authorize server-to-server authentication using Google SDK + Python + MAC OSx + GMAIL API. 我找不到使用Google SDK + Python + MAC OSx + GMAIL API授权服务器到服务器身份验证的解决方案。

I would like testing GMail API integration in my local environment, before publishing my application in GAE, but until now I have no results using samples that I have found in GMail API or OAuth API documentation. 在将应用程序发布到GAE之前，我想在本地环境中测试GMail API集成，但是到目前为止，使用在GMail API或OAuth API文档中找到的示例仍然没有结果。 During all tests I received the same error "403-Insufficient Permission" when my application was using GCP Service Account, but if I convert the application to use User Account everything was fine. 在所有测试中，当我的应用程序使用GCP服务帐户时，我收到相同的错误“ 403-权限不足”，但是如果我将应用程序转换为使用用户帐户，则一切都很好。

2 个解决方案

A service account isn't you its it's own user. 服务帐户不是您，它是它自己的用户。 Even if you could access Gmail with a service account which I doubt you would only be accessing the service accounts GMail account (Which I don't think it has) and not your own. 即使您可以使用服务帐户访问Gmail，但我怀疑您只会访问服务帐户的GMail帐户（我认为没有），而不能访问您自己的帐户。

To my knowledge the only way to access Gmail API is with Oauth2. 据我所知，访问Gmail API的唯一方法是使用Oauth2。

Service accounts can be used to access some of the Google APIs for example Google drive. 服务帐户可用于访问某些Google API，例如Google驱动器。 The service account his its own Google drive account files will be uploaded to its drive account. 该服务帐户及其自己的Google云端硬盘帐户文件将上传到其云端硬盘帐户。 I can give it permission to upload to my google drive account by adding it as a user on a folder in Google drive. 我可以通过将其作为用户添加到Google云端硬盘中的文件夹中，来授予其上传到我的google云端硬盘帐户的权限。

You cant give another user permission to read your Gmail Account so again the only way to access the Gmail API will be to use Oauth2. 您无法授予其他用户读取您的Gmail帐户的权限，因此再次访问Gmail API的唯一方法是使用Oauth2。

I suggest you go for thre-legged OAUTH 2.0 . 我建议您选择OAUTH 2.0 。 For more information on this, please visit my answer here 有关此的更多信息，请在此处访问我的答案

The related term "three-legged OAuth" refers to scenarios in which your application calls Google APIs on behalf of end users, and in which user consent is sometimes required. 相关术语“三足式OAuth”是指您的应用程序代表最终用户调用Google API且有时需要用户同意的情况。

I think you have to use three-legged OAUTH 2.0, two-legged OAUTH 2.0 will not work in your case 我认为您必须使用三足OAUTH 2.0，两足OAUTH 2.0在您的情况下不起作用

Please read this from developers.google.com 请从developers.google.com阅读

Recommendation: Your application can complete these tasks either by using the Google APIs client library for your language, or by directly interacting with the OAuth 2.0 system using HTTP. 建议：您的应用程序可以通过使用您所用语言的Google API客户端库，或者通过使用HTTP与OAuth 2.0系统直接交互来完成这些任务。 However, the mechanics of server-to-server authentication interactions require applications to create and cryptographically sign JSON Web Tokens (JWTs), and it's easy to make serious errors that can have a severe impact on the security of your application. 但是，服务器到服务器身份验证交互的机制要求应用程序创建并用密码对JSON Web令牌（JWT）进行签名，并且很容易犯下严重错误，从而严重影响应用程序的安全性。

For this reason, we strongly encourage you to use libraries, such as the Google APIs client libraries, that abstract the cryptography away from your application code. 因此，我们强烈建议您使用诸如Google API客户端库之类的库，该库将加密技术从您的应用程序代码中抽象出来。