3 条腿的 OAuth 和使用 google-auth-library-ruby 和 google-api-ruby-client 的一次性代码流

Question

Quick Overview : I have a ruby app that runs nightly and does something with a user's google calendar. The user has already given access via a separate react app. I'm having trouble getting the ruby app to access the user's calendar with the authorization code from the react app.

Details : I have a React front-end that can sign in a user using gapi and subsequently sign the user into Firebase. Here is how I configure the gapi obj:

this.auth2 = await loadAuth2WithProps({
  apiKey: config.apiKey,      // from firebase
  clientId: config.clientId,  // from gcp
  // ....
  access_type: "offline",     // so we get get authorization code
})

Here is sign in:

doSignInWithGoogle =  async () => {
  const googleUser = await this.auth2.signIn();
  const token = googleUser.getAuthResponse().id_token;
  const credential = app.auth.GoogleAuthProvider.credential(token);
  return this.auth.signInWithCredential(credential);
};

The user's next step is to grant the app offline access to their calendar:

doConnectGoogleCalendar =  async () => {
  const params = {scope:scopes};
  const result = await this.auth2.grantOfflineAccess(params);
  console.log(result.code); // logs: "4/ygFsjdK....."
};

At this point the front end has the authorization code that can be passed to a server-side application to be exchanged for access and refresh tokens. I haven't been able to find a good way to use a user supplied auth-code to make calls to available scopes. This is how I've configured the oauth client:

auth_client = Google::APIClient::ClientSecrets.load(
  File.join(Rails.root,'config','client_secrets.json') // downloaded from GCP
).to_authorization

^ I'm using the same GCP Credentials on the backend that I'm using for the frontend. It is a "OAuth 2.0 Client ID" type of credential. I'm unsure if this is good practice or not. Also, do I need to define the same config that I do on the frontend (like access_type and scope)?.

Next I do what the docs say to get the access and refresh tokens (click Ruby):

auth_client.code = authorization_code_from_frontend
auth_client.fetch_access_token!
---------
Signet::AuthorizationError (Authorization failed.  Server message:)
{
  "error": "invalid_grant",
  "error_description": "Bad Request"
}

Is there something I'm missing in setting up a separate backend application that can handle offline access to a user granted scope? There is so much different information on these libraries but I haven't been able to distill it down to something that works.

UPDATE I found this page describing the " one-time-code flow " which I haven't found anywhere else is all of the docs I've gone through. It does answer one of my minor questions above: Yes, you can use the same client secrets as the web application for the backend. (see the full example at the bottom where they do just that). I'll explore it more and see if my bigger problem can be resolved. Also going to update the title to include one-time-code flow.

Answer 1

After a good amount of digging through code samples and source code, I have a clean working solution. Once I found the page in my "update" it led me to finding out that ClientSecrets way I was doing things had been deprecated in favor of the google-auth-library-ruby project. I'm glad I found it because it seems to be a more complete solution as it handles all of the token management for you. Here is code to setup everything:

def authorizer
    client_secrets_path = File.join(Rails.root,'config','client_secrets.json')
    client_id = Google::Auth::ClientId.from_file(client_secrets_path)
    scope = [Google::Apis::CalendarV3::AUTH_CALENDAR_READONLY]
    redis = Redis.new(url: Rails.application.secrets.redis_url)
    token_store = Google::Auth::Stores::RedisTokenStore.new(redis: redis)
    Google::Auth::WebUserAuthorizer.new(client_id, scope, token_store, "postmessage")
end

and then this is how I use the authorization code :

def exchange_for_token(user_id,auth_code) 
    credentials_opts = {user_id:user_id,code:auth_code}
    credentials = authorizer.get_and_store_credentials_from_code(credentials_opts)
end

after calling that method the library will store the exchanged tokens in Redis (you can configure where to store) for later use like this:

def run_job(user_id)
    credentials = authorizer.get_credentials(user_id)
    service = Google::Apis::CalendarV3::CalendarService.new
    service.authorization = credentials
    calendar_list = service.list_calendar_lists.items
    # ... do more things ...
end

There is so much info out there that it is difficult to isolate what applies to each condition. Hopefully this helps anyone else that gets stuck with the "one-time-code flow" so they don't spend days banging their head on their desk.