[英]Authorizing with Google APIs using a service account
I'm trying to access some google groups from the google-api using nodeJS and a service account file.我正在尝试使用 nodeJS 和服务帐户文件从 google-api 访问一些 google 组。 I can't find a code sample that works quite like this.我找不到像这样工作的代码示例。 I've put together some code that seems to be working, but I keep getting an error 400 - Bad Request from the API without any clues what's wrong.我整理了一些似乎有效的代码,但我不断收到错误 400 - 来自 API 的错误请求,但没有任何线索表明出了什么问题。
Am I using the right classes?我使用的是正确的课程吗? Can I use a service account here?我可以在这里使用服务帐户吗? Am I missing scopes or something?我是不是缺少示波器之类的?
My code:我的代码:
import { Auth, google } from "googleapis";
const main = async () => {
const auth = new Auth.GoogleAuth({
keyFile: "/path-to-service-account-file.json",
scopes: "https://www.googleapis.com/auth/admin.directory.group.readonly",
});
const client = await auth.getClient();
// Obtain a new drive client, making sure you pass along the auth client
const admin = google.admin({ version: 'directory_v1', auth: client });
const groups = await admin.groups.list();
console.log(groups.data.groups);
}
main().then(() => process.exit(0)).catch(err => {
console.error(err);
process.exit(1);
});
The file is (I think) a standard service account file:该文件(我认为)是一个标准的服务帐户文件:
{
"type": "service_account",
"project_id": "groupmembers-*******",
"private_key_id": "*********",
"private_key": ...,
"client_email": "test-admin-nodejs@groupmembers-****.iam.gserviceaccount.com",
"client_id": "*****",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/test-admin-nodejs%40groupmembers-******.iam.gserviceaccount.com"
}
When I run this code, I get the following response:当我运行这段代码时,我得到以下响应:
status: 400,
statusText: 'Bad Request',
request: {
responseURL: 'https://admin.googleapis.com/admin/directory/v1/groups'
}
What's interesting to me is the bearer token it generates for me.我感兴趣的是它为我生成的不记名令牌。 The error also prints out the request info:该错误还打印出请求信息:
config: {
url: 'https://admin.googleapis.com/admin/directory/v1/groups',
method: 'GET',
userAgentDirectives: [ [Object] ],
paramsSerializer: [Function (anonymous)],
headers: {
'x-goog-api-client': 'gdcl/5.1.0 gl-node/17.4.0 auth/7.14.1',
'Accept-Encoding': 'gzip',
'User-Agent': 'google-api-nodejs-client/5.1.0 (gzip)',
Authorization: 'Bearer ya29.c.b0AX***********************************************jzxc........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................',
Accept: 'application/json'
},
I don't know if this is normal or relevant, but I've never seen a bearer token with a bunch of dots at the end.我不知道这是否正常或相关,但我从未见过末尾带有一堆点的不记名令牌。
A 400 error is not an authorization/authentication issue, but instead is a client request issue. 400 错误不是授权/认证问题,而是客户端请求问题。 According to the official documentation , there are some query parameters required for the api call.根据官方文档,api调用需要一些查询参数。 One of them is the customer
query parameter:其中之一是customer
查询参数:
The unique ID for the customer's Google Workspace account.客户的 Google Workspace 帐号的唯一 ID。 In case of a multi-domain account, to fetch all groups for a customer, fill this field instead of domain.如果是多域帐户,要获取客户的所有组,请填写此字段而不是域。 As an account administrator, you can also use the my_customer alias to represent your account's customerId.作为账户管理员,您还可以使用 my_customer 别名来表示您账户的 customerId。 The customerId is also returned as part of the Users customerId 也作为用户的一部分返回
Based on experience, it is implied you must use this value.根据经验,暗示您必须使用此值。 Although the documentation should be better and it should explicitly say this is required.尽管文档应该更好,并且应该明确说明这是必需的。 So, in summary, your request should look like this:因此,总而言之,您的请求应如下所示:
const groups = await admin.groups.list({
customer: "my_customer"
});
console.log(groups.data.groups);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.