How do I use the Google API Explorer to test my own App Engine Endpoints with OAuth?

Time: 2023-01-22 08:47:05

I have an Endpoints API deployed on App Engine. I have no problem using the Google API Explorer to make requests to API methods that do NOT require being logged in. The URL I'm using for that is:

https://developers.google.com/apis-explorer/?base=https://[MY_APP_ID].appspot.com/_ah/api

Where I am stuck is calling API methods that require the user to be logged in, such as this one:

@ApiMethod(name = "config.get",
        clientIds = {"[MY_CLIENT_ID].apps.googleusercontent.com", "com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID"},
        audiences = {"[MY_APP_ID].appspot.com"},
        scopes = {"https://www.googleapis.com/auth/userinfo.email"})
public Config getConfig(User user) throws OAuthRequestException {
    log.fine("user: " + user);

    if (user == null) {
        throw new OAuthRequestException("You must be logged in in order to get config.");
    }

    if (!userService.isUserAdmin()) {
        throw new OAuthRequestException("You must be an App Engine admin in order to get config.");
    }
    ...

On the API Explorer there's a switch top right that, when clicked, allows me to specify scopes and authorise. I'm doing that with just the userinfo.email scope checked. It makes no difference. The response I get from my call is:

503 Service Unavailable

{
 "error": {
  "errors": [
   {
    "domain": "global",
    "reason": "backendError",
    "message": "java.lang.IllegalStateException: The current user is not logged in."
   }
  ],
  "code": 503,
  "message": "java.lang.IllegalStateException: The current user is not logged in."
 }
}

Back when Endpoints was in Trusted Tester phase, I remember there being a manual step in the OAuth2 Playground to get an ID token instead of an access token or some such thing. If that is still required, any mention of that seems to have disappeared from the Endpoints docs now and I see no way to swap out tokens in the API Explorer either.

2 solutions

#1


12  

I see you've got "com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID" in quotes. If that's not a typo in your transcription to Stack Overflow, that's a problem. The value is already a string, so you're just passing in the text com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID (not the actual client ID) as the whitelisted scope. That won't work. Try this instead:

@ApiMethod(name = "config.get",
        clientIds = {"[MY_CLIENT_ID].apps.googleusercontent.com", com.google.api.server.spi.Constant.API_EXPLORER_CLIENT_ID},
        audiences = {"[MY_APP_ID].appspot.com"},
        scopes = {"https://www.googleapis.com/auth/userinfo.email"})

Edit: isUserAdmin is unsupported within Endpoints, and is likely a secondary cause of error. I'd suggest filing a feature request for supporting this method on the provided User object (we likely won't provide support for the user service itself, so it's separate from OAuth login.)

#2


0  

I don't know when this was introduced, but if you use OAuth2, instead of UserService.isUserAdmin() you can use OAuthServiceFactory.getOAuthService().isUserAdmin(EMAIL_SCOPE) where EMAIL_SCOPE is "https://www.googleapis.com/auth/userinfo.email".

This makes it easy to use the old OpenID or OAuth2:

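boolean isAdmin = false;
try {
  // Users API check; throws IllegalStateException when no user is logged in that way.
  isAdmin = userService.isUserAdmin();
} catch (IllegalStateException e1) {
  // Fall back to the OAuth2-based admin check.
  try {
    isAdmin = OAuthServiceFactory.getOAuthService().isUserAdmin(EMAIL_SCOPE);
  } catch (Exception e2) {
    // Check failed; isAdmin stays false.
  }
}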

The original question was asked several years ago, but maybe this will help others.
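
The two answers combined into one endpoint method, as an added example that is not code from the question or from either answer: the Explorer client ID is referenced as a constant, the admin check goes through the OAuth service, and authentication and authorization failures map to 401 and 403 instead of surfacing as a 503 backend error. The class name, the API name and version, and the `Config` stub are placeholders; it needs the Endpoints and App Engine SDK jars on the classpath.

```java
import com.google.api.server.spi.Constant;
import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.response.ForbiddenException;
import com.google.api.server.spi.response.UnauthorizedException;
import com.google.appengine.api.oauth.OAuthRequestException;
import com.google.appengine.api.oauth.OAuthServiceFactory;
import com.google.appengine.api.users.User;

// Added example: class name, API name/version and Config are placeholders.
@Api(name = "example", version = "v1")
public class ConfigEndpoint {
    private static final String EMAIL_SCOPE =
            "https://www.googleapis.com/auth/userinfo.email";

    /** Stand-in for the asker's Config type, which the page does not show. */
    public static class Config {
        public String getNote() { return "placeholder"; }
    }

    @ApiMethod(name = "config.get",
            // Referenced, not quoted: the allowlist must hold the Explorer's
            // actual client ID, not the constant's name as literal text.
            clientIds = {"[MY_CLIENT_ID].apps.googleusercontent.com",
                         Constant.API_EXPLORER_CLIENT_ID},
            audiences = {"[MY_APP_ID].appspot.com"},
            scopes = {EMAIL_SCOPE})
    public Config getConfig(User user)
            throws UnauthorizedException, ForbiddenException {
        // Endpoints injects null when the request carries no valid token
        // issued to one of the allowlisted client IDs.
        if (user == null) {
            throw new UnauthorizedException("You must be logged in in order to get config.");
        }
        boolean isAdmin;
        try {
            // OAuth-based admin check suggested in answer #2.
            isAdmin = OAuthServiceFactory.getOAuthService().isUserAdmin(EMAIL_SCOPE);
        } catch (OAuthRequestException | RuntimeException e) {
            isAdmin = false; // fail closed: any error means "not an admin"
        }
        if (!isAdmin) {
            throw new ForbiddenException("You must be an App Engine admin in order to get config.");
        }
        return new Config();
    }
}
```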
