如何在不使用谷歌应用程序的情况下授权谷歌驱动器服务帐户访问谷歌帐户?

时间:2021-08-24 15:16:15

I'd like to use Google Drive to work as a quasi-CMS for a website I'm making so that the content owners can edit their content using Google Drive. I'd like to use a specific user account that has access to Google Drive (as of writing this post, service accounts DO NOT have direct access to Google Drive) and is able to share documents with the content owners.

我想使用谷歌驱动器作为我正在制作的网站的准cms,以便内容所有者可以使用谷歌驱动器编辑他们的内容。我想使用一个可以访问谷歌驱动器的特定用户帐户(在撰写本文时,服务帐户没有直接访问谷歌驱动器),并且能够与内容所有者共享文档。

After reading through the API and tutorials, I have found the answer in delegation: https://developers.google.com/drive/delegation

在阅读了API和教程之后,我找到了一个代表团的答案:https://developers.google.com/drive/delegate。

My main issue with this process is that the website is not managed by Google Apps and therefore the steps outlined in 'Delegate domain-wide authority to your service account' confuse me - it seems like it should be possible to handle this delegation without using Google Apps, but after searching through the settings in Google Drive for my specific user account, I can't seem to find the ability to authorize impersonation.

在这一过程中我的主要问题是,网站不是由Google Apps,因此中概述的步骤将域方面权力委托给你的服务帐户的混淆我——这似乎应该可以处理这个代表团不使用Google应用程序,但在谷歌搜索设置后推动我特定的用户帐户,我似乎无法找到授权模拟的能力。

A snippet of the code I'm using:

我正在使用的代码片段:

static public function getService() {
  $key = file_get_contents(GOOGLEAPI_KEYFILE);
  $auth = new Google_AssertionCredentials(GOOGLEAPI_SERVICE_EMAIL, array(GOOGLEAPI_SCOPE), $key);
  $auth->setPrn(GOOGLEAPI_IMPERSONATION);
  self::$apiClient = new Google_Client();
  self::$apiClient->setUseObjects(true);
  self::$apiClient->setAssertionCredentials($auth);
  return new Google_DriveService(self::$apiClient);
}

GOOGLEAPI_IMPERSONATION is the specific user account and when I run this code, the exception states:

googleapi_ation是特定的用户帐户,当我运行这段代码时,异常说明:

Error refreshing the OAuth2 token, message: '{ "error" : "access_denied" }

刷新OAuth2标记的错误,消息:'{" Error ": "access_denied"}

Anyone offer any assistance? Am I misunderstanding a fundamental concept of how oAuth works in terms of delegation?

任何人提供任何援助?我是否误解了oAuth在授权方面的基本概念?

1 个解决方案

#1


5  

Service accounts are meant for two different cases:

服务帐户适用于两种不同的情况:

  • Authorizing an app/process to authenticate & invoke services using its own identity. Think of services like prediction, cloud storage, etc. where the data is owned by the app.
  • 授权应用程序/进程使用自己的标识对服务进行身份验证和调用。想想预测、云存储等服务,在这些服务中,数据属于应用程序。
  • Impersonating users in a google apps domain where the domain admin can pre-authorize the app to act on behalf of users in their domain.
  • 在谷歌应用程序域中模拟用户,域管理员可以预先授权该应用程序代表其域中的用户。

Impersonation works for Google Apps domains because the admins have a mechanism to authorize the app out of band for their users via the control panel. Of course they can only authorize the app to access the data for the accounts they managed. For individual users not part of an organization, apps need to use the normal OAuth flows to request authorization from each user.

模拟功能适用于谷歌应用程序域,因为管理员有一种机制,可以通过控制面板为用户授权该应用程序。当然,他们只能授权应用程序访问他们管理的账户的数据。对于不属于组织的单个用户,应用程序需要使用正常的OAuth流来请求每个用户的授权。

I haven't tested it in a while, but last I checked it is possible to use Drive with a service account acting as itself. The only limitation I ran into was it wasn't possible to purchase additional quota and the app was limited to the initial 5gb free storage.

我已经有一段时间没有对它进行测试了,但是最后我检查了是否可以使用具有服务帐户本身的驱动器。我遇到的唯一限制是无法购买额外的配额,而且这个应用程序仅限于最初的5gb的免费存储空间。

#1


5  

Service accounts are meant for two different cases:

服务帐户适用于两种不同的情况:

  • Authorizing an app/process to authenticate & invoke services using its own identity. Think of services like prediction, cloud storage, etc. where the data is owned by the app.
  • 授权应用程序/进程使用自己的标识对服务进行身份验证和调用。想想预测、云存储等服务,在这些服务中,数据属于应用程序。
  • Impersonating users in a google apps domain where the domain admin can pre-authorize the app to act on behalf of users in their domain.
  • 在谷歌应用程序域中模拟用户,域管理员可以预先授权该应用程序代表其域中的用户。

Impersonation works for Google Apps domains because the admins have a mechanism to authorize the app out of band for their users via the control panel. Of course they can only authorize the app to access the data for the accounts they managed. For individual users not part of an organization, apps need to use the normal OAuth flows to request authorization from each user.

模拟功能适用于谷歌应用程序域,因为管理员有一种机制,可以通过控制面板为用户授权该应用程序。当然,他们只能授权应用程序访问他们管理的账户的数据。对于不属于组织的单个用户,应用程序需要使用正常的OAuth流来请求每个用户的授权。

I haven't tested it in a while, but last I checked it is possible to use Drive with a service account acting as itself. The only limitation I ran into was it wasn't possible to purchase additional quota and the app was limited to the initial 5gb free storage.

我已经有一段时间没有对它进行测试了,但是最后我检查了是否可以使用具有服务帐户本身的驱动器。我遇到的唯一限制是无法购买额外的配额,而且这个应用程序仅限于最初的5gb的免费存储空间。