正确且安全地登录(登录)到部署为 Web 应用程序的 Google Apps 脚本项目
[英]Proper and safe Sign-in (login) to Google Apps Script project deployed as web app
问题描述
I´m working on a Google Apps Script project (can be bound to a Spreadsheet or standalone) that will be deployed as webapp and I want to grant users access based on
我正在处理将作为 webapp 部署的 Google Apps 脚本项目(可以绑定到电子表格或独立),我想根据以下内容授予用户访问权限
- 1) Google Sign-In (some users will be granted access or some will be prevented from access) for some users and 1)某些用户的Google 登录(某些用户将被授予访问权限或某些用户将被阻止访问)
- 2) username/password for the others. 2)其他人的用户名/密码。
1) Google Sign-In 1) 谷歌登录
I found it more tricky than I presumed.我发现它比我想象的更棘手。 I expected existence of some simple functions/methods that can make it work like I want with Google guaranteed security level.我希望存在一些简单的功能/方法,可以让它像我想要的那样工作,谷歌保证安全级别。 What I found first was this: https://developers.google.com/identity/sign-in/web/ .我首先发现的是: https : //developers.google.com/identity/sign-in/web/ 。 First it looked very simple, so I tried to implement this code:https://developers.google.com/identity/sign-in/web/build-button , but I´ve got stuck on step after filling content="YOUR_CLIENT_ID.apps.googleusercontent.com" .首先它看起来很简单,所以我尝试实现以下代码:https ://developers.google.com/identity/sign-in/web/build-button ,但在填写content="YOUR_CLIENT_ID.apps.googleusercontent.com"后我陷入了content="YOUR_CLIENT_ID.apps.googleusercontent.com" 。 I filled proper CLIENT_ID from Google Cloud Platform section Credentials and tried to sign in into my published project.我从Google Cloud Platform部分Credentials填写了正确的CLIENT_ID并尝试登录到我发布的项目。 I got this:我懂了:
Error: redirect_uri_mismatch
The JavaScript origin in the request, https://n-__________________________________-script.googleusercontent.com , does not match the ones authorized for the OAuth client.
So I copied the first link, then I put googleuser.com to Authorized domains and then I pasted the link into Authorized JavaScript origins .因此,我复制了第一个链接,然后将googleuser.com放入Authorized domains ,然后将该链接粘贴到Authorized JavaScript origins 。 But I wasn't allowed to save it and this popped out:但我不允许保存它,这突然出现:
Error
You do not have permission to perform this action.
Tracking Number: c411401060
I don´t know why.我不知道为什么。 A few months ago something similar wasn´ta problem.几个月前,类似的事情还不是问题。 I suppose it has something to do with Google´s new restricted scopes policy.我想这与 Google 的新限制范围政策有关。 I tried to make it work for bound and standalone project with no difference in results.我试图让它适用于绑定和独立项目,结果没有区别。 So finally (partially because of this schema: https://developers.google.com/identity/sign-in/web/server-side-flow ) I came to the conclusion that the whole concept of Sign-In for Websites is not intended to be used in published Apps Script Project.所以最后(部分是因为这个架构: https://developers.google.com/identity/sign-in/web/server-side-flow : https://developers.google.com/identity/sign-in/web/server-side-flow )我得出的结论是,网站登录的整个概念不是旨在用于已发布的 Apps 脚本项目。
a) Am I wrong? a) 我错了吗? If not, how can I make it work please?如果没有,我该如何使它工作?
b) Why I got the Error - Tracking Number: c411401060? b) 为什么我收到错误 - 跟踪号:c411401060? Does anybody know?有人知道吗?
So I continued looking for solution somewhere else.所以我继续在其他地方寻找解决方案。 The most similar question I found is here Google app script web app, how to create a login button?我发现的最相似的问题是这里Google app script web app, how to create a login button? . . But it´s over three years old with not very satisfying answers (or I don´t understand them):但是它已经超过三年了,答案不是很令人满意(或者我不理解它们):
c) Do I really have to publish more than one project at the same time to grant access for some users with and for some without google account? c) 我是否真的必须同时发布多个项目才能为某些有 Google 帐户的用户和某些没有 Google 帐户的用户授予访问权限? Once a user is signed in, how can they be signed out?用户登录后,如何退出? Isn´t there a simple way how to reliably check users ID or gmail?没有一种简单的方法可以可靠地检查用户 ID 或 gmail 吗?
d) Does somebody have working example of code? d)有人有代码的工作示例吗? As a beginner I´ll apreciate example very much, because I bet that if there is a simple solution, I´ve already read about it, but i didn´t notice it´s what I need.作为初学者,我会非常欣赏示例,因为我敢打赌,如果有一个简单的解决方案,我已经阅读过它,但我没有注意到它是我需要的。
2) username/password 2) 用户名/密码
Although ten years old, I found useful to read this The definitive guide to form-based website authentication .尽管已有 10 年的历史,但我发现阅读此基于表单的网站身份验证权威指南很有用。 Or at least I didn´t know better article where to start.或者至少我不知道更好的文章从哪里开始。 Links appreciated.链接赞赏。
My idea of how to make username/password login is that I´ll make a server side function called by user via google.script.run and the function will check validity of username and password.我关于如何进行用户名/密码登录的想法是,我将创建一个由用户通过google.script.run调用的服务器端函数,该函数将检查用户名和密码的有效性。 a) Is it safe? a) 安全吗? Now when the user is signed in, can I just let the webapp work?现在当用户登录时,我可以让 webapp 工作吗? I mean user sent a username and password, so the app will just continue working with no other technique involved?我的意思是用户发送了用户名和密码,所以该应用程序将继续工作而不涉及其他技术? b) Or will I make the app safer if after signing in I let some server side function generate a random string which will be sent to a client and serve as a token for a session? b) 或者,如果在登录后我让某些服务器端函数生成一个随机字符串,该字符串将被发送到客户端并作为会话的令牌,我会让应用程序更安全吗?
Best practices, hints, codes, sources appreciated!最佳实践、提示、代码、来源表示赞赏!
Thank you谢谢
2 个解决方案
解决方案1
1 已采纳 2019-03-08 08:57:44
May be I can give You answer for the first question . 我可以给你第一个问题的答案。
1) Google Sign-In . 1)Google登录。 Before you begin add this Google Oauth2 link 在您开始添加此Google Oauth2 链接之前
1B7FSrk5Zi6L1rSxxTDgDEUsPzlukDsi4KGuTMorsTQHhGBzBkMun4iDF 1B7FSrk5Zi6L1rSxxTDgDEUsPzlukDsi4KGuTMorsTQHhGBzBkMun4iDF
This will solve some login issues 这将解决一些登录问题
You need to add a new OAuth 2.0 client ID apart from the default Apps Script ID in your cloud console also you should enable required APIs from the API consoles . 除了需要在云控制台中添加默认的Apps脚本ID之外,还需要添加新的OAuth 2.0客户端ID,并且还应从API控制台启用所需的API。
In App Script ID you can add this url https://script.google.com/oauthcallback 在应用脚本ID中,您可以添加以下网址https://script.google.com/oauthcallback
under Authorized callback urls 在授权的回调网址下
After this in your newly created oauth client you can add your script app url like this as redirect url 之后,您可以在新创建的oauth客户端中添加脚本应用程序网址,例如重定向网址
https://script.google.com/d/projectid/usercallback https://script.google.com/d/projectid/usercallback
After copy paste the client id and client secret of the newly created Oauth into your project . 复制后,将新创建的Oauth的客户端ID和客户端密钥粘贴到您的项目中。
解决方案2
0 2021-08-21 01:51:12
Bitz Trail answer is unfortunately no longer valid.不幸的是,Bitz Trail 答案不再有效。 It is not longer possible to add the origin of a google WebApp in the "Authorized redirect URI" in the "OAuth 2.0 Client IDs"不再可能在“OAuth 2.0 客户端 ID”的“授权重定向 URI”中添加 google WebApp 的来源
see this link for more details.有关更多详细信息,请参阅此链接。 Why webapp can no longer use client side authentification为什么 webapp 不能再使用客户端身份验证
However, in the googleissue tracker, there was a mention of this repo with a full write-up on how to use the server side authentification但是,在 googleissue tracker 中,提到了这个 repo,其中有一篇关于如何使用服务器端身份验证的完整文章
< sp...@easton-consulting.com > Jun 4, 2021 - For anyone still struggling with this I moved from client side authentication to a server side OAuth flow.
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.