google oauth2使用user@gmail.com模拟服务帐户
[英]google oauth2 impersonate service account with user@gmail.com
问题描述
I wanted to access some google api services: 
我想访问一些Google API服务:
- GDrive API GDrive API
- Contact API 联系API
- People API 人物API
And I'm struggeling with the oauth2 impersonate service account flow (you know that one: Google Oauth v2 - service account description . For impersonification you need to apply the "Delegating domain-wide authority" in the google apps console, download the correspoding pk12 file and activate the api in a google console project. 而且,我正在努力使用oauth2模拟服务帐户流程(您知道一个: Google Oauth v2- 服务帐户说明 。要进行模拟,您需要在google应用程序控制台中应用“委派整个域的权限”,请下载相应的pk12文件并在Google控制台项目中激活api。
At the moment I always get: 此刻我总是得到:
com.google.api.client.auth.oauth2.TokenResponseException: 401 Unauthorized
at com.google.api.client.auth.oauth2.TokenResponseException.from(TokenResponseException.java:105)
at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:287)
at com.google.api.client.auth.oauth2.TokenRequest.execute(TokenRequest.java:307)
at com.google.api.client.googleapis.auth.oauth2.GoogleCredential.executeRefreshToken(GoogleCredential.java:384)
at com.google.api.client.auth.oauth2.Credential.refreshToken(Credential.java:489)
at oauthsample.GDriveAPI.<init>(GDriveAPI.java:50)
at oauthsample.GDriveAPI.main(GDriveAPI.java:85)
Here is my code: 这是我的代码:
HttpTransport httpTransport = new NetHttpTransport();
JacksonFactory jsonFactory = new JacksonFactory();
Set<String> scopes = new HashSet<String>();
scopes.add("https://www.google.com/m8/feeds");
GoogleCredential credential = new GoogleCredential.Builder()
.setTransport(httpTransport)
.setJsonFactory(JSON_FACTORY)
.setServiceAccountId("myserviceuser@xxxxxx.iam.account.com")
.setServiceAccountPrivateKeyFromP12File(new File("somep12key.p12"))
.setServiceAccountScopes(scopes)
.setServiceAccountUser("my_user_name@gmail.com")
.build();
credential.refreshToken();
ContactsService service = new ContactsService("MYAPP");
service.getRequestFactory().setHeader("User-Agent", "MYAPP");
service.setHeader("GData-Version", "3.0");
service.setOAuth2Credentials(credential);
URL feedUrl = new URL("https://www.google.com/m8/feeds/contacts/default/full");
ContactFeed resultFeed = service.getFeed(feedUrl, ContactFeed.class);
I also searched heavily through stackoverflow (can't list all references and checked the responses and solutions). 我还通过stackoverflow进行了大量搜索(无法列出所有引用并检查响应和解决方案)。 But one question was never clearly answered - nor in googles documentaiont nor on all the stackoverflow posts: 但是从来没有一个人清楚地回答过一个问题-在Google documentaiont或所有stackoverflow帖子中都没有:
- Is it realy possible to impersonate a serviceaccount with a normal user@gmail.com user (I mean a normal gmail account with no access to the mentioned admin console in the chapter "Delegating domain-wide authority to the service account" and withouth having a own domain )? 是否真的可以用普通的user@gmail.com用户模拟服务帐户(我的意思是普通的gmail帐户,无法访问“将域范围的权限委派给服务帐户”一章中提到的管理控制台,自己的域)?
Some say yes, some say no. 有人说是,有人说不。 So what's the absolute truth? 那么什么是绝对真理?
As far as I understand when reading the google docs: The service account can only impersonate on users when you in charge of a own domain and you need to have a google work account with your own domain registered. 据我在阅读google文档时所了解的:仅当您负责自己的域并且您需要注册自己的域的Google工作帐户时,该服务帐户才能模拟用户。 Then you're able to access the admin console and can grant access to the service account. 然后,您可以访问管理控制台,并可以授予对服务帐户的访问权限。
Thanks for your patience and for your time to answer. 感谢您的耐心配合和宝贵的回答时间。
Best regards Matt 最好的问候马特
1 个解决方案
解决方案1
5 已采纳 2016-09-16 14:51:23
The short answer is no, it's not possible to perform service-account impersonate of a @gmail.com account. 简短的答案是“否”,无法对@ gmail.com帐户进行模拟服务帐户。 The key reason is that although the service account OAuth flow doesn't involve an authorization screen, at the end of the day someone must still say "I authorize this application to impersonate this user." 关键原因是,尽管服务帐户OAuth流程不涉及授权屏幕,但最终还是必须有人说“我授权此应用程序来模拟该用户”。
In the case of a Google Apps domain that person is the domain administrator, who has the authority to approve apps for all users in the domain. 如果是Google Apps域,则该人是域管理员,他有权为域中的所有用户批准应用。 For an @gmail.com account, there is no other authority that can approve this on your behalf. 对于@ gmail.com帐户,没有其他机构可以代表您批准该帐户。 And if you have to ask the user for authorization anyway, they it just makes sense to use the regular 3-legged OAuth flow to prompt the user for authorization, get a refresh token, etc. 而且,无论如何,如果您必须要询问用户授权,那么使用常规的三足式OAuth流来提示用户进行授权,获取刷新令牌等都是有意义的。
Now for a while there was a trick where you could take an @gmail.com user through the regular 3-legged flow, and once they approved it use the service account flow from then on. 现在有一段时间,您可以使用一个技巧,让@ gmail.com用户通过常规的三足流程进行操作,一旦他们批准,便可以使用此服务帐户流程。 This lead to some strange problems however, so we've disabled that option. 但是,这会导致一些奇怪的问题,因此我们禁用了该选项。 This may be why there was disagreement in the past about if this is possible. 这可能就是为什么在过去可能存在分歧的原因。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.