Google Coordinate OAuth2 with a service account

I have a C# console application that uses the Google Coordinate .Net library and service account OAuth authentication.

    using System.Security.Cryptography.X509Certificates;
    using DotNetOpenAuth.OAuth2;
    using Google.Apis.Authentication.OAuth2;
    using Google.Apis.Authentication.OAuth2.DotNetOpenAuth;
    using Google.Apis.Coordinate.v1;
    using Google.Apis.Services;
    using Google.Apis.Util;   // GetStringValue() extension used on the Scope enum

    // inside the console application's class:
    private const string SERVICE_ACCOUNT_EMAIL = "XXX@developer.gserviceaccount.com";
    private const string SERVICE_ACCOUNT_PKCS12_FILE_PATH = @"\YYY-privatekey.p12";
    private const string GOOGLE_COORDINATE_TEAM_ID = "ZZZ";

    private CoordinateService BuildService()
    {
        // Load the service account's private key from the PKCS#12 file ("notasecret" is the default password Google issues it with)
        X509Certificate2 certificate = new X509Certificate2(SERVICE_ACCOUNT_PKCS12_FILE_PATH, "notasecret", X509KeyStorageFlags.Exportable);

        // Assertion flow: the service account signs a JWT assertion with this key instead of a user logging in
        var provider = new AssertionFlowClient(GoogleAuthenticationServer.Description, certificate)
        {
            ServiceAccountId = SERVICE_ACCOUNT_EMAIL,
            Scope = CoordinateService.Scopes.Coordinate.GetStringValue()
        };
        var auth = new OAuth2Authenticator<AssertionFlowClient>(provider, AssertionFlowClient.GetState);
        return new CoordinateService(new BaseClientService.Initializer() { Authenticator = auth });
    }

    // some code that retrieves data from the coordinate service
    public void DoSomething()
    {
        CoordinateService service = BuildService();
        var response = service.Jobs.List(GOOGLE_COORDINATE_TEAM_ID).Fetch();
        ...
    }

When retrieving the job list from the Coordinate service, a DotNetOpenAuth.Messaging.ProtocolException occurs (inner exception "The remote server returned an error: (400) Bad Request"). Using Fiddler I managed to see the response from the Google OAuth service. JSON response object:

    { "error" : "invalid_grant" }

I have read some articles suggesting changing the local server time so that it matches the Google OAuth server time. But after changing the time one way and then the other, the problem persists. Can you tell me why this happens? Thanks for all replies!

Service accounts cannot be used with the Coordinate API. [This is because the Coordinate API requires the authenticated API user to have a Coordinate license, and a Coordinate license cannot be attached to a service account.]

You can use the web server flow instead; please find a sample below.

Be sure to update the code below wherever a comment says "TO UPDATE".

    using System;
    using System.Diagnostics;
    using System.Collections.Generic;
    using DotNetOpenAuth.OAuth2;
    using Google.Apis.Authentication.OAuth2;
    using Google.Apis.Authentication.OAuth2.DotNetOpenAuth;
    using Google.Apis.Coordinate.v1;
    using Google.Apis.Coordinate.v1.Data;
    using Google.Apis.Services;

    namespace Google.Apis.Samples.CoordinateOAuth2
    {
        /// <summary>
        /// This sample demonstrates the simplest use case for an OAuth2 service.
        /// The schema provided here can be applied to every request requiring authentication.
        /// </summary>
        public class ProgramWebServer
        {
            public static void Main (string[] args)
            {
                // TO UPDATE, can be found in the Coordinate application URL
                String TEAM_ID = "jskdQ--xKjFiFqLO-IpIlg";

                // Register the authenticator.
                var provider = new WebServerClient (GoogleAuthenticationServer.Description);
                // TO UPDATE, can be found in the APIs Console.
                provider.ClientIdentifier = "335858260352.apps.googleusercontent.com";
                // TO UPDATE, can be found in the APIs Console.
                provider.ClientSecret = "yAMx-sR[truncated]fX9ghtPRI";
                var auth = new OAuth2Authenticator<WebServerClient> (provider, GetAuthorization);

                // Create the service.
                var service = new CoordinateService (new BaseClientService.Initializer () { Authenticator = auth });

                // Create a Job resource for optional parameters https://developers.google.com/coordinate/v1/jobs#resource
                Job jobBody = new Job ();
                jobBody.Kind = "Coordinate#job";
                jobBody.State = new JobState ();
                jobBody.State.Kind = "coordinate#jobState";
                jobBody.State.Assignee = "user@example.com";

                // Create the Job
                JobsResource.InsertRequest ins = service.Jobs.Insert (jobBody, TEAM_ID, "My Home", "51", "0", "Created this Job with the .Net Client Library");
                Job results = ins.Fetch ();

                // Display the response
                Console.WriteLine ("Job ID:");
                Console.WriteLine (results.Id.ToString ());
                Console.WriteLine ("Press any Key to Continue");
                Console.ReadKey ();
            }

            private static IAuthorizationState GetAuthorization (WebServerClient client)
            {
                IAuthorizationState state = new AuthorizationState (new[] { "https://www.googleapis.com/auth/coordinate" });
                // The refresh token has already been retrieved offline.
                // In a real-world application, this has to be stored securely, since this token
                // gives access to all user data on the Coordinate scope, for the user who accepted the OAuth2 flow.
                // TO UPDATE (see below the sample for instructions)
                state.RefreshToken = "1/0KuRg-fh9yO[truncated]yNVQcXcVYlfXg";
                return state;
            }
        }
    }

The refresh token can be retrieved with the OAuth2 Playground:

  • In the APIs Console, add the OAuth Playground URL https://developers.google.com/oauthplayground as an authorized redirect URI (this is needed when we retrieve the refresh token in the OAuth Playground, as described below).
  • Go to the OAuth Playground in a browser session where your API user is authenticated (this user needs to have a Coordinate license). Make sure you provide your own OAuth2 client ID (Settings > Use your own OAuth credentials). Otherwise your refresh token will be bound to the OAuth2 Playground's internal OAuth2 client ID, and it will be rejected when you try to use it with your own client ID to obtain an access token.
  • In step 1, use the scope https://www.googleapis.com/auth/coordinate and click "Authorize APIs"; in step 2, click "Exchange authorization code for tokens".
  • Copy the refresh token into your code. Keep it safe.
  • This refresh token does not expire, so your application will stay authenticated.
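The sample above hardcodes the refresh token and only notes that it "has to be stored securely". As an added example, not part of the original answer and not code from the Google client library, here is one way to do that on Windows: encrypt the token at rest with the Data Protection API (System.Security.Cryptography.ProtectedData, found in the System.Security assembly on the .NET Framework) under the current user's profile, and have GetAuthorization decrypt it only at runtime. The RefreshTokenStore class, the file location under LocalApplicationData, the entropy string and the one-time --store-token setup command are all assumptions made for this illustration.

```csharp
using System;
using System.IO;
using System.Text;
using System.Security.Cryptography;
using DotNetOpenAuth.OAuth2;
using Google.Apis.Authentication.OAuth2;
using Google.Apis.Authentication.OAuth2.DotNetOpenAuth;
using Google.Apis.Coordinate.v1;
using Google.Apis.Services;

namespace Google.Apis.Samples.CoordinateOAuth2
{
    // Hypothetical helper (not from the original answer): keeps the refresh token
    // DPAPI-encrypted on disk instead of in source control. Only the same Windows user
    // on this machine can decrypt the blob (DataProtectionScope.CurrentUser).
    public static class RefreshTokenStore
    {
        // Assumed location: %LOCALAPPDATA%\CoordinateSample\refresh_token.bin
        private static readonly string TokenPath = Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
            "CoordinateSample", "refresh_token.bin");

        // Extra entropy mixed into the DPAPI key (assumed value): Unprotect fails without it,
        // so another program running as the same user still has to know this value.
        private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("CoordinateSample/refresh-token/v1");

        public static void Save(string refreshToken)
        {
            byte[] plaintext = Encoding.UTF8.GetBytes(refreshToken);
            try
            {
                byte[] blob = ProtectedData.Protect(plaintext, Entropy, DataProtectionScope.CurrentUser);
                Directory.CreateDirectory(Path.GetDirectoryName(TokenPath));
                File.WriteAllBytes(TokenPath, blob);
            }
            finally
            {
                Array.Clear(plaintext, 0, plaintext.Length); // do not keep the secret in memory longer than needed
            }
        }

        public static string Load()
        {
            if (!File.Exists(TokenPath))
                throw new InvalidOperationException(
                    "No refresh token stored. Run once with --store-token after retrieving the token from the OAuth2 Playground.");
            byte[] plaintext = ProtectedData.Unprotect(File.ReadAllBytes(TokenPath), Entropy, DataProtectionScope.CurrentUser);
            try { return Encoding.UTF8.GetString(plaintext); }
            finally { Array.Clear(plaintext, 0, plaintext.Length); }
        }
    }

    public class ProgramWebServerSecureToken
    {
        public static void Main(string[] args)
        {
            // One-time setup: the token is pasted on stdin rather than passed as an argument,
            // so it does not end up in shell history or in process listings.
            if (args.Length == 1 && args[0] == "--store-token")
            {
                Console.Write("Paste the refresh token from the OAuth2 Playground: ");
                string token = Console.ReadLine();
                if (string.IsNullOrWhiteSpace(token))
                {
                    Console.WriteLine("No token entered; nothing stored.");
                    return;
                }
                RefreshTokenStore.Save(token.Trim());
                Console.WriteLine("Refresh token stored (DPAPI, current user scope).");
                return;
            }

            // Normal run: same WebServerClient / OAuth2Authenticator setup as the original sample;
            // only GetAuthorization differs.
            var provider = new WebServerClient(GoogleAuthenticationServer.Description);
            provider.ClientIdentifier = "TO UPDATE: client ID from the APIs Console";
            provider.ClientSecret = "TO UPDATE: client secret from the APIs Console";
            var auth = new OAuth2Authenticator<WebServerClient>(provider, GetAuthorization);
            var service = new CoordinateService(new BaseClientService.Initializer() { Authenticator = auth });
            // ... use service exactly as in the original sample
        }

        private static IAuthorizationState GetAuthorization(WebServerClient client)
        {
            IAuthorizationState state = new AuthorizationState(new[] { "https://www.googleapis.com/auth/coordinate" });
            state.RefreshToken = RefreshTokenStore.Load(); // decrypted at runtime, never present in source
            return state;
        }
    }
}
```

Because the blob is bound to the Windows user profile, copying refresh_token.bin to another machine or running the program under a different account yields a CryptographicException rather than a usable token, which is the property you want for a credential that, as the answer notes, never expires on its own. Rotating it means revoking the grant for the client ID in the user's Google account settings and running --store-token again.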