我正在尝试在我的应用服务帐户和我的组织之间(在admin.google.com上)执行域范围的授权。我跟着this指南,大约三次,我不知道我错过了哪里,它不起作用。我的应用程序无法对组织内的用户进行拟人化。
API的回应说:
Exception in thread "main" com.google.api.client.auth.oauth2.TokenResponseException: 403 Forbidden
{
"error" : "access_denied",
"error_description" : "Requested client not authorized."
}
at com.google.api.client.auth.oauth2.TokenResponseException.from(TokenResponseException.java:105)
at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:287)
at com.google.api.client.auth.oauth2.TokenRequest.execute(TokenRequest.java:307)
at com.google.api.client.googleapis.auth.oauth2.GoogleCredential.executeRefreshToken(GoogleCredential.java:268)
at com.google.api.client.auth.oauth2.Credential.refreshToken(Credential.java:489)
at com.google.api.client.auth.oauth2.Credential.intercept(Credential.java:217)
at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:859)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:410)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:343)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:460)
at StorageSample.main(StorageSample.java:156)
这是我的唯一代码,用于测试:
String emailAddress = "zzzzzzzzzzzzz@developer.gserviceaccount.com";
JsonFactory JSON_FACTORY = JacksonFactory.getDefaultInstance();
HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();
//scopes
List scopes = new ArrayList();
scopes.add(DriveScopes.DRIVE);
scopes.add(DriveScopes.DRIVE_APPDATA);
scopes.add(DriveScopes.DRIVE_APPS_READONLY);
scopes.add(DriveScopes.DRIVE_FILE);
GoogleCredential credential = new GoogleCredential.Builder()
.setTransport(httpTransport)
.setJsonFactory(JSON_FACTORY)
.setServiceAccountId(emailAddress)
.setServiceAccountPrivateKeyFromP12File(new File("valid_path_to_secrets.p12"))
.setServiceAccountScopes(scopes)
.setServiceAccountUser("test@mydomain.com.br") // HERE THE USER I WANT TO PERSONIFICATE
.build();
Drive drive = new Drive.Builder(httpTransport, JSON_FACTORY, credential).setApplicationName("Test").build();
String myName = drive.about().get().execute().getName();
com.google.api.services.drive.Drive.Files.List files = drive.files().list();
FileList fileList = files.execute();
List<com.google.api.services.drive.model.File> xFiles = fileList.getItems();
System.out.println("here");
for (com.google.api.services.drive.model.File f : xFiles){
System.out.println("DEBUG "+f.getOriginalFilename());
System.out.println(f.getDownloadUrl());
System.out.println(f.getAlternateLink());
System.out.println(f.getOwnerNames().get(0));
System.out.println(f.getFileSize());
}
}
}
如果我对标记为(setServiceAccountUser("test@mydomain.com.br")
)的行进行评论,则该应用程序可以正常运行,但我想对此用户test
进行拟人化。这是本指南的目的,即授予mydomain.com.br
内所有用户的访问权限。
在Google指南的Delegate domain-wide authority to your service account
部分,如上所述,我按照所有步骤操作,注意步骤编号6
:在admin.google.com
下添加范围{ {1}}部分。
(该应用程序的谷歌管理员配置)
答案 0 :(得分:3)
您已授权1个驱动器范围的客户端ID:
https://www.googleapis.com/auth/drive
此范围以常量DriveScopes.DRIVE
。
但是当您在代码中创建凭证时,您需要4个范围:
scopes.add(DriveScopes.DRIVE);
scopes.add(DriveScopes.DRIVE_APPDATA);
scopes.add(DriveScopes.DRIVE_APPS_READONLY);
scopes.add(DriveScopes.DRIVE_FILE);
我同意,由于DriveScopes.DRIVE
是包含云端硬盘中其他范围的范围,因此获得DriveScopes.DRIVE
授权意味着您获得所有其他云端硬盘范围的授权似乎是正常的
但事实并非如此,您必须在Security
部分所有中指定您计划使用的范围。在你的情况下:
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/drive.appdata
https://www.googleapis.com/auth/drive.apps.readonly
https://www.googleapis.com/auth/drive.file
但是由于所有这些范围都已包含在https://www.googleapis.com/auth/drive
中,您还可以简单地从Java代码中删除其他范围。这就是我要做的事情:
...
List scopes = new ArrayList();
scopes.add(DriveScopes.DRIVE);
//No other scope
GoogleCredential credential = new GoogleCredential.Builder()
...