
Gmail Oauth2 Access with intranet web server

Does anyone know the correct setup for the cloud project and the redirect URL within the application for the following case?

Setup:

  • Spring + Apache Wicket
  • The application is installed on a server (Windows, Linux*) and accessed on the intranet via browser.

*) with or without desktop

Requirements:

  • Access to one or more Gmail accounts to retrieve emails, mark emails as read and move emails to trash
  • Credentials are stored for each account separately on the server
  • Creation of the access is done on a client by an admin user in the browser
  • Consent for an account is done only once on creation; emails are retrieved in a background thread (no user interaction, token is refreshed automatically)
  • No additional setup on the clients (e.g. changing the hosts file, running a background process/listener); the client could also be a mobile device accessing the intranet

Scopes:

  • Non-Restricted: userinfo.email
  • Restricted: gmail.modify

Cloud project setups/attempts:

  • Cloud project: Desktop-App; Application: AuthorizationCodeInstalledApp.authorize - Does not work: the consent screen is opened on the server if this is used

  • Cloud project: Desktop-App; Application: urn:ietf:wg:oauth:2.0:oob as redirect URL and popup on the client - Worked, but Google is discontinuing oob

  • Current: Cloud project: Web-App with a public redirect URL; Application: redirected to our website - only to show the auth code, which can be pasted into the application open in the browser

    public String getAuthorizationUrl(String clientId, String clientSecret, String credentialPath)
            throws IOException, GeneralSecurityException {
        final NetHttpTransport HTTP_TRANSPORT = GoogleNetHttpTransport.newTrustedTransport();
        final JsonFactory JSON_FACTORY = GsonFactory.getDefaultInstance();
        final List<String> SCOPES = Arrays.asList(new String[] {GmailScopes.GMAIL_MODIFY, Oauth2Scopes.USERINFO_EMAIL});
        Details details = new Details();
        details.setClientId(clientId);
        details.setClientSecret(clientSecret);
        GoogleClientSecrets clientSecrets = new GoogleClientSecrets();
        clientSecrets.setInstalled(details);
        // Build flow and trigger user authorization request.
        GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow.Builder(
                HTTP_TRANSPORT, JSON_FACTORY, clientSecrets, SCOPES)
                .setDataStoreFactory(new FileDataStoreFactory(new File(credentialPath)))
                .setApprovalPrompt("force")
                .setAccessType("offline")
                .build();
        /* approval prompt and access type were not needed for desktop-app;
         * refresh token was generated anyway, they had to be added for web-app
         * to get a refresh token */
        String redirUri = "https://example.com/redirect";
        AuthorizationCodeRequestUrl authorizationUrl = flow.newAuthorizationUrl().setRedirectUri(redirUri);
        return authorizationUrl.build();
    }

Google OAuth verification: Google says that, according to the generated traffic, the app is running on a web server and we need to change it to a local URL; otherwise we need a security assessment because the data is stored on a web server. While it's technically true that it's running on a web server, it's an intranet server. It's not possible to define a fixed local URL since the server's IP could be different for each user that is installing the app on his server.

You have several issues here. The first is that you are using a desktop application to run a web app. GoogleAuthorizationCodeFlow.Builder is designed for use with installed apps: desktop apps or console applications. It's not designed to be run hosted on a web server.

Follow the following example: Web server applications

public class CalendarServletSample extends AbstractAuthorizationCodeServlet {

  @Override
  protected void doGet(HttpServletRequest request, HttpServletResponse response)
      throws IOException {
    // do stuff
  }

  @Override
  protected String getRedirectUri(HttpServletRequest req) throws ServletException, IOException {
    GenericUrl url = new GenericUrl(req.getRequestURL().toString());
    url.setRawPath("/oauth2callback");
    return url.build();
  }

  @Override
  protected AuthorizationCodeFlow initializeFlow() throws IOException {
    return new GoogleAuthorizationCodeFlow.Builder(
        new NetHttpTransport(), GsonFactory.getDefaultInstance(),
        "[[ENTER YOUR CLIENT ID]]", "[[ENTER YOUR CLIENT SECRET]]",
        Collections.singleton(CalendarScopes.CALENDAR)).setDataStoreFactory(
        DATA_STORE_FACTORY).setAccessType("offline").build();
  }

  @Override
  protected String getUserId(HttpServletRequest req) throws ServletException, IOException {
    // placeholder: return the ID of the logged-in user from your own application
    return req.getSession(true).getId();
  }
}

public class CalendarServletCallbackSample extends AbstractAuthorizationCodeCallbackServlet {

  @Override
  protected void onSuccess(HttpServletRequest req, HttpServletResponse resp, Credential credential)
      throws ServletException, IOException {
    resp.sendRedirect("/");
  }

  @Override
  protected void onError(
      HttpServletRequest req, HttpServletResponse resp, AuthorizationCodeResponseUrl errorResponse)
      throws ServletException, IOException {
    // handle error
  }

  @Override
  protected String getRedirectUri(HttpServletRequest req) throws ServletException, IOException {
    GenericUrl url = new GenericUrl(req.getRequestURL().toString());
    url.setRawPath("/oauth2callback");
    return url.build();
  }

  @Override
  protected AuthorizationCodeFlow initializeFlow() throws IOException {
    return new GoogleAuthorizationCodeFlow.Builder(
        new NetHttpTransport(), GsonFactory.getDefaultInstance(),
        "[[ENTER YOUR CLIENT ID]]", "[[ENTER YOUR CLIENT SECRET]]",
        Collections.singleton(CalendarScopes.CALENDAR)).setDataStoreFactory(
        DATA_STORE_FACTORY).setAccessType("offline").build();
  }

  @Override
  protected String getUserId(HttpServletRequest req) throws ServletException, IOException {
    // placeholder: return the ID of the logged-in user from your own application
    return req.getSession(true).getId();
  }
}

Installing app.

You have stated this:

It's not possible to define a fixed local URL since the server's IP could be different for each user that is installing the app on his server.

Which implies to me that you are giving the code for this app directly to your users without it being compiled. This includes your credentials.json file. You may not do this; this is against the TOS. Can I really not ship open source with Client ID?

Asking developers to make reasonable efforts to keep their private keys private and not embed them in open source projects.

You should be instructing your users in how to create their own client ID and client secret in order to get their own credentials.json file. They can then supply their own IP address of their server.

In which case your issue with verification is no longer an issue. You don't need to verify for them. They should be doing that themselves.

Push back on internal app

When your users go to verify their app, make sure that they are clear with Google that this is an internal app, hosted on their intranet. They should not need verification.
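As an added example (not code from the question or the answer), a framework-neutral Java class that ties the answer's web-server flow to the question's requirements: a Web-App client type (setWeb rather than setInstalled), a redirect URI handed in from the request host, a state check on the callback, the credential stored under the mailbox's own address, and a background method that works from the stored refresh token with no user interaction. It assumes the google-api-client and Gmail API libraries already used on this page; the class and method names are hypothetical, and it reads the account's address with users.getProfile instead of the userinfo.email scope.

```java
import com.google.api.client.auth.oauth2.*;
import com.google.api.client.googleapis.auth.oauth2.*;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.util.store.FileDataStoreFactory;
import com.google.api.services.gmail.*;
import com.google.api.services.gmail.model.*;
import java.io.*;
import java.util.*;

public class GmailAccountOauth { // hypothetical class name, added example
  private final NetHttpTransport transport = new NetHttpTransport();
  private final GoogleAuthorizationCodeFlow flow;
  // clientId/clientSecret come from the credentials.json each operator creates in their own cloud project.
  public GmailAccountOauth(String clientId, String clientSecret, File tokenDir) throws IOException {
    GoogleClientSecrets.Details d = new GoogleClientSecrets.Details().setClientId(clientId).setClientSecret(clientSecret);
    GoogleClientSecrets secrets = new GoogleClientSecrets().setWeb(d); // "Web application" client, not setInstalled
    flow = new GoogleAuthorizationCodeFlow.Builder(transport, GsonFactory.getDefaultInstance(), secrets,
            Collections.singleton(GmailScopes.GMAIL_MODIFY)).setDataStoreFactory(new FileDataStoreFactory(tokenDir))
        .setAccessType("offline").setApprovalPrompt("force").build(); // refresh token issued at the one-time consent
  }
  // Step 1: URL the admin opens. redirectUri is built from the request host, as getRedirectUri does in the servlets above.
  public String authorizationUrl(String redirectUri, String stateBoundToSession) {
    return flow.newAuthorizationUrl().setRedirectUri(redirectUri).setState(stateBoundToSession).build();
  }
  // Step 2: callback. A state that differs from the one kept in the admin's session is a login-CSRF attempt: reject it.
  public String handleCallback(String code, String state, String expectedState, String redirectUri) throws IOException {
    if (state == null || expectedState == null || !java.security.MessageDigest.isEqual(state.getBytes(), expectedState.getBytes()))
      throw new SecurityException("OAuth state mismatch");
    GoogleTokenResponse token = flow.newTokenRequest(code).setRedirectUri(redirectUri).execute();
    // Store the credential under the mailbox it grants (looked up with the new access token), not under the admin.
    Credential probe = new Credential(BearerToken.authorizationHeaderAccessMethod()).setAccessToken(token.getAccessToken());
    String email = gmail(probe).users().getProfile("me").execute().getEmailAddress();
    flow.createAndStoreCredential(token, email); // refresh token now persisted in tokenDir, keyed by mailbox address
    return email;
  }
  // Step 3: background job, no user interaction; the client library refreshes the access token from the stored refresh token.
  public int markUnreadAsRead(String email) throws IOException {
    Credential cred = flow.loadCredential(email);
    if (cred == null || cred.getRefreshToken() == null) throw new IllegalStateException("re-consent needed: " + email);
    Gmail gmail = gmail(cred);
    List<Message> unread = gmail.users().messages().list("me").setQ("is:unread").execute().getMessages();
    if (unread == null) return 0;
    for (Message m : unread)
      gmail.users().messages().modify("me", m.getId(),
          new ModifyMessageRequest().setRemoveLabelIds(Collections.singletonList("UNREAD"))).execute();
    return unread.size();
  }
  private Gmail gmail(Credential c) { return new Gmail.Builder(transport, GsonFactory.getDefaultInstance(), c).setApplicationName("intranet-mail-app").build(); }
}
```

The redirect URI passed to both steps must be the same string and must be registered in the operator's own cloud project, which is why each operator needs their own client ID rather than one shipped with the code.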
