[英]Gmail Oauth2 Access with intranet web server
Does anyone know the correct setup for the cloud project and redirect URL within the application for the following case?有谁知道云项目的正确设置并在以下情况下在应用程序中重定向 URL?
Setup:设置:
*) with or without desktop *)带或不带桌面
Requirements:要求:
Scopes:适用范围:
Cloud projects setups/attempts:云项目设置/尝试:
Cloud project: Desktop-App;云项目:Desktop-App; Application: - Does not work - the consent screen is opened on the server if this is usedAuthorizationCodeInstalledApp.authorize
应用程序: - 不起作用 - 如果使用它,则会在服务器上打开同意屏幕AuthorizationCodeInstalledApp.authorize
Cloud project: Desktop-App;云项目:Desktop-App; Application: - Worked but Google is discontinuing ooburn:ietf:wg:oauth:2.0:oob
as redirect url and popup on the client应用程序: - 工作但谷歌正在停止 ooburn:ietf:wg:oauth:2.0:oob
作为重定向 url 并在客户端弹出
Current : Cloud project: Web-App with a public redirect url;当前:云项目:具有公共重定向 url 的 Web 应用程序; Application: redirected to our website - only to show the auth code, which can be pasted in the application open in the browser应用程序:重定向到我们的网站 - 仅显示授权码,可以将其粘贴在浏览器中打开的应用程序中
public String getAuthorizationUrl(String clientId, String clientSecret, String credentialPath) { final NetHttpTransport HTTP_TRANSPORT = GoogleNetHttpTransport.newTrustedTransport(); final JsonFactory JSON_FACTORY = GsonFactory.getDefaultInstance(); final List<String> SCOPES = Arrays.asList(new String[] {GmailScopes.GMAIL_MODIFY, Oauth2Scopes.USERINFO_EMAIL}); Details details = new Details(); details.setClientId(clientId); details.setClientSecret(clientSecret); GoogleClientSecrets clientSecrets = new GoogleClientSecrets(); clientSecrets.setInstalled(details); // Build flow and trigger user authorization request. GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow.Builder( HTTP_TRANSPORT, JSON_FACTORY, clientSecrets, SCOPES).setDataStoreFactory(new FileDataStoreFactory(new File(credentialPath))).setApprovalPrompt("force").setAccessType("offline").build(); /* approval prompt and access type were not needed for desktop-app; * refresh token was generated anyway, they had to be added for web-app * to get a refresh token */ String redirUri = "https://example.com/redirect"; AuthorizationCodeRequestUrl authorizationUrl = flow.newAuthorizationUrl().setRedirectUri(redirUri); return authorizationUrl.build(); }
Google Oauth verification: Google says that according to the generated traffic, the app is running on a web server and we need to change it to a local URL, otherwise we need a security assessment because the data is stored on a web server.谷歌Oauth验证:谷歌说根据生成的流量,应用程序运行在web服务器上,我们需要将其更改为本地URL,否则我们需要进行安全评估,因为数据存储在web服务器上。 While it's technically true that it's running on a web server, it's an intr.net server.虽然它在 web 服务器上运行在技术上是正确的,但它是一个 intr.net 服务器。 It's not possible to define a fixed local URL since the servers IP could be different for each user that is installing the app on his server.无法定义固定的本地 URL,因为服务器 IP 对于在其服务器上安装应用程序的每个用户来说可能不同。
You have several issues here.你在这里有几个问题。 The first is that you are using a desktop application to run a web app.首先是您正在使用桌面应用程序运行 web 应用程序。 GoogleAuthorizationCodeFlow.Builder is designed for use with installed apps desktop apps or console applications. GoogleAuthorizationCodeFlow.Builder 设计用于已安装的应用程序桌面应用程序或控制台应用程序。 Its not designed to be run hosted on a web server.它并非设计为在 web 服务器上托管运行。
Follow the following example Web server applications按照以下示例Web 服务器应用
public class CalendarServletSample extends AbstractAuthorizationCodeServlet {
@Override
protected void doGet(HttpServletRequest request, HttpServletResponse response)
throws IOException {
// do stuff
}
@Override
protected String getRedirectUri(HttpServletRequest req) throws ServletException, IOException {
GenericUrl url = new GenericUrl(req.getRequestURL().toString());
url.setRawPath("/oauth2callback");
return url.build();
}
@Override
protected AuthorizationCodeFlow initializeFlow() throws IOException {
return new GoogleAuthorizationCodeFlow.Builder(
new NetHttpTransport(), GsonFactory.getDefaultInstance(),
"[[ENTER YOUR CLIENT ID]]", "[[ENTER YOUR CLIENT SECRET]]",
Collections.singleton(CalendarScopes.CALENDAR)).setDataStoreFactory(
DATA_STORE_FACTORY).setAccessType("offline").build();
}
@Override
protected String getUserId(HttpServletRequest req) throws ServletException, IOException {
// return user ID
}
}
public class CalendarServletCallbackSample extends AbstractAuthorizationCodeCallbackServlet {
@Override
protected void onSuccess(HttpServletRequest req, HttpServletResponse resp, Credential credential)
throws ServletException, IOException {
resp.sendRedirect("/");
}
@Override
protected void onError(
HttpServletRequest req, HttpServletResponse resp, AuthorizationCodeResponseUrl errorResponse)
throws ServletException, IOException {
// handle error
}
@Override
protected String getRedirectUri(HttpServletRequest req) throws ServletException, IOException {
GenericUrl url = new GenericUrl(req.getRequestURL().toString());
url.setRawPath("/oauth2callback");
return url.build();
}
@Override
protected AuthorizationCodeFlow initializeFlow() throws IOException {
return new GoogleAuthorizationCodeFlow.Builder(
new NetHttpTransport(), GsonFactory.getDefaultInstance()
"[[ENTER YOUR CLIENT ID]]", "[[ENTER YOUR CLIENT SECRET]]",
Collections.singleton(CalendarScopes.CALENDAR)).setDataStoreFactory(
DATA_STORE_FACTORY).setAccessType("offline").build();
}
@Override
protected String getUserId(HttpServletRequest req) throws ServletException, IOException {
// return user ID
}
}
You have stated this你已经说明了这一点
It's not possible to define a fixed local URL since the servers IP could be different for each user that is installing the app on his server.无法定义固定的本地 URL,因为服务器 IP 对于在其服务器上安装应用程序的每个用户来说可能不同。
Which implies to me that you are giving the code for this app directly to your users with out it being compiled.这对我来说意味着您将此应用程序的代码直接提供给您的用户,而无需对其进行编译。 This includes your credeitnals.json file.这包括您的 credeitnals.json 文件。 YOu may not do this this is against the TOS.你不能这样做,这是违反服务条款的。 Can I really not ship open source with Client ID? 我真的可以不使用客户端 ID 发布开源吗?
Asking developers to make reasonable efforts to keep their private keys private and not embed them in open source projects.要求开发人员做出合理的努力以保持其私钥的私密性,并且不要将其嵌入开源项目中。
You should be instructing your users in how to create their own client id and client secrete.您应该指导您的用户如何创建他们自己的客户端 ID 和客户端密码。 in order to get their own creditnals.json file.为了得到自己的 creditnals.json 文件。 They can then supply their own ip address of their server.然后他们可以提供自己的服务器地址 ip。
In which case your issue with verification is no longer an issue.在这种情况下,您的验证问题不再是问题。 You dont need to verfy for them.你不需要为他们验证。 They should be doing that themselves.他们应该自己做。
When your users go to verification their app make sure that they are clear with Google that this is an internal app.当您的用户 go 验证他们的应用程序时,请确保他们向 Google 清楚这是一个内部应用程序。 Hosted on their intr.net.托管在他们的 intr.net 上。 They should not need verification.他们应该不需要验证。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.