简体繁体 English

使用G-Suite帐户登录自定义Web应用

[英]Signing into custom web app with G-Suite account

原文 2019-02-21 22:56:40 3 1 google-apps-script/ web-applications/ authorization/ google-signin/ gsuite

90% of my Google Apps Script/HTMLService web app is available to anonymous users, however user must be signed in with G-Suite account in order to access the remaining 10%. 我的Google Apps Script / HTMLService网络应用程序的90％可用于匿名用户，但是该用户必须使用G-Suite帐户登录才能访问其余的10％。

Desired behavior is that if user is already logged in to G-Suite (eg read Gmail from that browser), the web app recognizes the user without prompting to log in again – as if you went to Google Calendar just after reading Gmail. 所需的行为是，如果用户已经登录到G-Suite（例如，从该浏览器中读取Gmail），则该Web应用程序会识别该用户，而不会提示您再次登录-就像您在阅读Gmail之后便进入了Google日历一样。 If user isn't logged in yet – he needs to be prompted to log in using @my_g-suite.com account when accessing the restricted features. 如果用户尚未登录-访问受限功能时，需要提示他使用@ my_g-suite.com帐户登录。

My first try was two app approach: one published as “available to anyone including anonymous” and another “available to members of the my_g-suite.com”. 我的第一个尝试是两种应用程序方法：一种发布为“对所有人（包括匿名用户）可用”，另一种“对my_g-suite.com成员可用”。 The problem with this approach is that 2nd app only shows log in screen if browser has no google identity. 这种方法的问题在于，如果浏览器没有Google身份，第二个应用程序只会显示登录屏幕。 If user is logged in to regular, non-g-suite gmail, strange google Driver error is shown instead of login prompt. 如果用户登录到常规的非g套件gmail，则会显示奇怪的google驱动程序错误，而不是登录提示。 I posted question about this a while ago, no solution. 我前不久发布了关于此问题的解决方案。

So instead I implemented a sign-in button using this guide . 因此，我改为使用本指南实现了登录按钮。 Behavior I'm seeing is not what I expected: 我看到的行为不是我所期望的：

If user is already signed in with UserOne@my_g-suite.com prior to accessing the app (eg looked at G-Suite email account), Session.getActiveUser() on server side returns correct user ID, however googleUser.getBasicProfile().getEmail() on client has nothing. 如果在访问应用程序之前用户已经使用UserOne@my_g-suite.com登录（例如查看G-Suite电子邮件帐户），则服务器端的Session.getActiveUser()返回正确的用户ID，但是googleUser.getBasicProfile().getEmail()客户端上的googleUser.getBasicProfile().getEmail()没有任何内容。
If user has not signed in with G-Suite ID using prior to accessing the app and then signs in using the Sign In button on web app, googleUser.getBasicProfile().getEmail() returns correct user ID, however ), Session.getActiveUser() on server side returns nothing. 如果用户在访问应用程序之前未使用G-Suite ID登录，然后使用Web应用程序上的“登录”按钮登录，则googleUser.getBasicProfile().getEmail()返回正确的用户ID，但是， Session.getActiveUser()在服务器端不返回任何内容。
If user has signs in using the button as UserTwo@my_g-suite.com , no other G-Suite app recognizes it. 如果用户使用UserTwo@my_g-suite.com将该按钮登录，则其他G-Suite应用程序均无法识别该按钮。 So if user then signs in to UserOne@my_g-suite.com and comes back to the app, Session.getActiveUser() says it's UserOne@my_g-suite.com and googleUser.getBasicProfile().getEmail() says it's UserTwo@my_g-suite.com . 因此，如果用户随后登录到UserOne@my_g-suite.com并返回到该应用，则Session.getActiveUser()表示它为UserOne@my_g-suite.com，而googleUser.getBasicProfile().getEmail()表示它为UserTwo @ my_g -suite.com 。 Two conflicting identities simultaneously. 两个冲突的身份同时出现。

How do I make sign-in into my app be 1) seamless with other G-Suite services rather than having completely separate, app-only 2nd identity and 2) restricted to @my_g-suite.com ? 如何使我的应用程序登录成为1）与其他G-Suite服务无缝连接，而不是完全独立的仅用于应用程序的第二身份和2）限制为@ my_g-suite.com ？

Following @TheMaster advice I tried this: 遵循@TheMaster建议，我尝试了此操作：

Created a Google Sites site "login.my_g-suite.com" which is only available to g-suite users and has a single page which says "you are logged in to g-suite" 创建了一个Google协作平台网站“ login.my_g-suite.com”，该网站仅对g-suite用户可用，并且只有一个页面显示“您已登录g-suite”
In my web app which runs as "me" and is "available to everyone, even anonymous", I implemented a check if Session.getActiveUser() is g-suite user. 在运行为“我”并且“所有人都可以使用，甚至匿名”的Web应用程序中，我实现了对Session.getActiveUser()是否为g-suite用户的检查。 If not, I do window.open("https://login.my_g-suite.com") which opens log-in screen in the new tab as expected. 如果没有，我执行window.open("https://login.my_g-suite.com") ，这将按预期在新选项卡中打开登录屏幕。
After user logs in, I reload web app. 用户登录后，我会重新加载Web应用程序。 And here's the sad part: 这是可悲的部分：
- If browser hasn't been used for non-G-Suite account (like regular Gmail) - all works great. 如果未将浏览器用于非G-Suite帐户（如常规Gmail），则一切正常。 Session.getActiveUser() shows newly logged in user ID Session.getActiveUser()显示新登录的用户ID
- BUT if that browser has been logged in to non-G-Suite account, Session.getActiveUser() has no idea about the fact that I just logged in G-Suite in another tab (even after reloading web app). 但是，如果该浏览器已登录到非G-Suite帐户， Session.getActiveUser()不会知道我刚刚在另一个选项卡中登录了G-Suite（即使在重新加载Web应用程序之后）。 Which is back to square one. 回到正题。

Comparing this to Google's own apps, this behavior is not much different: eg if you read regular non-g-suite gmail, then go and log in to Google drive using G-Suite account, and then reload gmail - it doesn't take you to G-Suite Gmail automatically just because you logged in to G-Suite account on that browser. 将此与Google自己的应用进行比较，此行为没有太大不同：例如，如果您阅读常规的非g-suite gmail，然后使用G-Suite帐户登录到Google云端硬盘，然后重新加载gmail-不需要您会因为登录到该浏览器上的G-Suite帐户而自动进入G-Suite Gmail。 You need to explicitly tell Gmail that you want to use G-Suite account by invoking active-account-selection menu (round avatar icon on the right upper corner). 您需要通过调用活动帐户选择菜单（右上角的圆形头像图标）明确告知Gmail您要使用G-Suite帐户。

Looks like no matter what approach I take, I hit the same wall: the need to tell stand-alone Google App Script which Google identity is current. 看起来，无论采用哪种方法，我都碰到了墙：需要告诉独立的Google App脚本哪个Google身份是最新的。 And I don't see any way of doing that. 而且我看不到这样做的任何方法。

What I stated above is no longer true due to recent change by Google. 由于Google最近做出的更改，我上面所说的不再正确。 (2) now results in Error 404 instead of login screen. （2）现在导致错误404，而不是登录屏幕。

Sign-in issues which a few days ago were only affecting stand-alone Google App Script apps now are plaguing entire G-Suite. 几天前仅影响独立Google App Script应用程序的登录问题现在困扰着整个G-Suite。 Our volunteer first-responder organization got G-Suite mainly for the secure intranet site (members.my_g-suite.com) where we share internal protocols and documentation. 我们的志愿者急救组织主要在安全的Intranet网站（members.my_g-suite.com）上获得G-Suite，我们在该网站上共享内部协议和文档。 It's built on new Google Sites and Google Team Drive. 它基于新的Google协作平台和Google Team Drive构建。 Before Wednesday attempt to access members.my_g-suite.com used to take to G-Suite login screen. 在星期三之前，尝试访问members.my_g-suite.com，以转到G-Suite登录屏幕。 Now it takes them to "404. That's an error. The requested URL / was not found on this server. That's all we know." 现在将它们带到"404. That's an error. The requested URL / was not found on this server. That's all we know." . 。 The only workaround is to force users to log out of personal Gmail each time before accessing G-Suite, which is not a reasonable request for a volunteer using personal device. 唯一的解决方法是强制每次访问G-Suite之前，用户都退出个人Gmail，对于使用个人设备的志愿者来说，这不是合理的要求。 We feel like Google pulled the rug from under our feet. 我们感觉就像Google从我们脚下拉下了地毯。 The only hope is that this is a temporary change and they'll revert it to how it was in the beginning of the week. 唯一的希望是这是暂时的更改，他们会将其恢复为本周初的状态。 We also confirmed that this change is not limited to our G-Suite. 我们还确认，此更改不仅限于我们的G-Suite。

1 个解决方案

This is because your web-app runs inside a iframe. 这是因为您的网络应用程序在iframe中运行。 You can force login by denying access to the web-app manually. 您可以通过手动拒绝访问Web应用程序来强制登录。

onload , Check Session.getActiveUser().getEmail() server side and see if it matches your domain, onload ，检查Session.getActiveUser().getEmail()服务器端，看它是否与您的域匹配，
- If it does, proceed to load your actual web-app 如果是这样，请继续加载您的实际网络应用
- If not, just provide the information that the user needs to login to your gsuite to access. 如果没有，只需提供用户登录您的gsuite所需的信息即可访问。

You can also 你也可以

Proceed to open https://admin.google.com (or any url specific to your domain) in a another tab 在另一个标签中继续打开https://admin.google.com （或您的域专用的任何网址）
See whether it's open and use setInterval to check the other window.close property. 查看它是否已打开，并使用setInterval检查另一个window.close属性。 When closed, reload your web-app. 关闭后，重新加载您的网络应用程序。