堆栈内存溢出
  简体   繁体   English

G-Suite 用户访问 G-Suite 可信应用脚本时,如何避免脚本授权提示?

[英]How to avoid script authorization prompt when G-Suite user is accessing G-Suite trusted app script?

 原文  2019-02-07 04:45:02       authentication/ google-apps-script/ google-workspace

问题描述

I wrote an app script which provides a web UI for data entry into a team calendar.我编写了一个应用程序脚本,它提供了一个 Web UI,用于将数据输入到团队日历中。 I published it using G-Suite super admin account and added it as Trusted App under Security/API Permissions.我使用 G-Suite 超级管理员帐户发布了它,并将其添加为安全/API 权限下的受信任应用程序。 "Trust domain owned apps" is checked under "Internal App Settings".在“内部应用程序设置”下选中“信任域拥有的应用程序”。

When a G-Suite user in our organization tries to access the app, he sees当我们组织中的 G-Suite 用户尝试访问该应用程序时,他会看到

"The developer of ShiftSchedulingApp, admin@_our_organization_.org, needs your permission to access your data on Google." “ShiftSchedulingApp 的开发者 admin@_our_organization_.org,需要您的许可才能访问您在 Google 上的数据。”

Those brave enough to click "Review Permissions" are taken to the next message:那些勇敢地点击“查看权限”的人会被带到下一条消息:

"ShiftSchedulingApp wants to access your Google Account. See, edit, share, and permanently delete all the calendars you can access using Google Calendar" “ShiftSchedulingApp 想要访问您的 Google 帐户。查看、编辑、共享和永久删除您可以使用 Google 日历访问的所有日历”

Of course nobody wants to risk losing all the calendars on their Google Account and this is where it ends.当然,没有人愿意冒险丢失他们 Google 帐户中的所有日历,这就是结束的地方。

How do I get rid of this misleading message?我如何摆脱这种误导性信息? It's not Google account, it's their organization account on G-Suite.这不是 Google 帐户,而是他们在 G-Suite 上的组织帐户。 It's not all their calendars, it's the shared team calendar only.这不是他们所有的日历,只是共享的团队日历。 It's adding data, not permanently deleting calendars.它正在添加数据,而不是永久删除日历。 It's published by their administrator in their G-Suite, not an unknown 3rd party.它是由他们的管理员在他们的 G-Suite 中发布的,而不是一个未知的 3rd 方。

I spent days trying to make this message go away but no luck.我花了几天时间试图让这条消息消失,但没有运气。 App must be executed as an accessing user and not as publishing user because their user ID determines what shifts they can fill on a calendar.应用程序必须作为访问用户而不是发布用户执行,因为他们的用户 ID 决定了他们可以在日历上填写哪些班次。

I'd appreciate any hints pointing me the right direction.我很感激任何为我指明正确方向的提示。

I experimented with variations of the two-app approach as suggested.我按照建议尝试了两种应用程序方法的变体。

The app which provides the UI needs to read the calendar to display available shifts - so I can't get away from the user authorization prompt.提供 UI 的应用程序需要读取日历以显示可用的班次 - 所以我无法摆脱用户授权提示。

Another variation I tried was having one app do everything and run as me, and another do nothing but return Session.getActiveUser().我尝试的另一种变化是让一个应用程序做所有事情并像我一样运行,而另一个应用程序只做返回 Session.getActiveUser()。 I tried calling the 2nd one from the 1st one on the client side via XMLHttpRequest.我尝试通过 XMLHttpRequest 在客户端从第一个调用第二个。 It would be ideal for my needs - but I hit CORS error as apps URL is script.google.com but it actually gets redirected to script.googleusercontent.com.它非常适合我的需求 - 但我遇到了 CORS 错误,因为应用程序 URL 是 script.google.com 但它实际上被重定向到了 script.googleusercontent.com。 There doesn't seem to be a way to set CORS in Google App Script.似乎没有办法在 Google App Script 中设置 CORS。

2 个解决方案

解决方案1
 1  2019-02-10 02:42:52

Although I was not able to find a way to avoid prompting users for authorization when executing the app as accessing user, it turns out my reasons for doing that were based on a false premise.虽然我无法找到一种方法来避免在以访问用户身份执行应用程序时提示用户进行授权,但事实证明我这样做的原因是基于错误的前提。

I chose to publish app as accessing user because I thought that's the only way to get accessing user Id - which is true for non-G Suite accounts.我选择将应用发布为访问用户,因为我认为这是获取访问用户 ID 的唯一方法——这对于非 G Suite 帐户来说是正确的。

However, when app is published by a G Suite account, the app can get accessing user ids within the same G Suite domain even when it's set to execute as publishing user.但是,当应用程序由 G Suite 帐户发布时,即使该应用程序设置为以发布用户身份执行,该应用程序也可以访问同一 G Suite 域内的用户 ID。

Thanks Niek and TheMaster for your help!感谢 Niek 和 TheMaster 的帮助!

解决方案2
 0  2019-02-07 08:21:53

If you just need user ID , why do you ask for all those permissions?如果您只需要user ID ,为什么要要求所有这些权限?

Possible Solutions:可能的解决方案:

  • 2 web-apps- One running as you and another as user accessing (with only profile) permission. 2 个网络应用程序 - 一个作为您运行,另一个作为用户访问(仅具有个人资料)权限。 The second one will be the actual web interface and POST necessary information to the first one with privileges.第二个将是实际的 Web 界面,并将必要的信息 POST 到具有特权的第一个。 OR或者

  • Implement your own web-app Google-sign in1实施您自己的网络应用程序 Google 登录1

  • Use the least permissive 2 scope 3使用最宽松的2范围3

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 我的 django smtp g-suite 设置似乎不起作用 - My django smtp g-suite settings don't seem to be working G Suite SSO,仅限于公司帐户,使用Python和Flask? - G Suite SSO, restricted to company accounts, in Python and Flask? Facebook,在没有提示的情况下检查用户对应用的授权 - Facebook, Check user authorization to app without prompt 通过Google Apps脚本将JSON作为“用户访问网络应用程序”提供 - Serving JSON from Google Apps Script as “user accessing the web-app” C#:应用程序套件的安全性/用户权限,ldap适合吗? - C#: Security / user rights for an application suite, ldap suitable? Keycloak Action Tokens:当用户请求多个(例如重置密码)时如何使用户之前的操作无效 - Keycloak Action Tokens: How to invalidate user's previous action when they request multiple (e.g. Reset Password) 报告服务(SSRS) - 访问报告时避免询问用户/密码 - Reportings Services (SSRS) - Avoid asking user/password when accessing reports Google 应用程序脚本的授权错误 - Authorization error with Google apps script 如何将AWS服务限制为由Google Suite维护的组织用户? - How to limit an AWS service to an organisation's users maintained by the Google Suite? Tomcat URL身份验证例如:https:// user:password@app.wibble.com - Tomcat URL Authentication e.g: https://user:password@app.wibble.com
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM