用於 admin.directory.user.readonly 的 Rails Omniauth google_oauth2 scope

Question

omniauth.rb 中有我的設置：

provider :google_oauth2, ENV['GOOGLE_CLIENT_ID'], ENV['GOOGLE_CLIENT_SECRET'],
       {
         scope: 'https://www.googleapis.com/auth/admin.directory.user.readonly',
         provider_ignores_state: true,
         prompt: 'select_account consent',
         callback_path: '/auth/google_oauth2/callback'
       }

嘗試打開 localhost:5000/omniauth/google_oauth2, select gmail 帳戶，接受See info about users on your domain ，點擊Allow得到：

{"code"=>403, "message"=>"Request had insufficient authentication scopes.", "status"=>"PERMISSION_DENIED", "details"=>[{"@type"=>"type.googleapis.com/google.rpc.ErrorInfo", "reason"=>"ACCESS_TOKEN_SCOPE_INSUFFICIENT", "domain"=>"googleapis.com", "metadata"=>{"method"=>"google.social.boq.socialgraph.peopleapis.legacy.service.people.proto.LegacyPeople1Service.JsonGetOpenIdConnect", "service"=>"legacypeople.googleapis.com"}}]}: { "error": { "code": 403, "message": "Request had insufficient authentication scopes.", "status": "PERMISSION_DENIED", "details": [ { "@type": "type.googleapis.com/google.rpc.ErrorInfo", "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT", "domain": "googleapis.com", "metadata": { "method": "google.social.boq.socialgraph.peopleapis.legacy.service.people.proto.LegacyPeople1Service.JsonGetOpenIdConnect", "service": "legacypeople.googleapis.com" } } ] } } 

不確定我需要修復什么。 有人幫忙嗎？

Answer 1

請看這個答案。

看起來您需要向用於發出請求的任何帳戶添加管理員權限，因此我建議調查您的 Google 管理控制台是否存在任何可能的 OAuth 客戶端憑據配置錯誤。