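We use the Google Email Settings API to create email delegates, but since OAuth 1.0 was deprecated we can no longer authenticate properly. After doing some research, I think we should create a service account, delegate domain-wide access to that service account, and then authenticate with it. However, I can't seem to get it to work, and all I get back from Google is Unauthorized. Does anyone know what I am doing wrong? Below is most of the code. I am using .NET / C#, and I am on Google Apps for Business.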
    ServiceAccountCredential credential = new ServiceAccountCredential(new ServiceAccountCredential.Initializer("serviceAccountEmail")
    {
        Scopes = new[] { "https://apps-apis.google.com/a/feeds/emailsettings/2.0/ " },
        User = "admin email string"
    }.FromCertificate({X509 certificate from service account p12 file}));
    credential.RequestAccessTokenAsync(System.Threading.CancellationToken.None).Wait(-1);
    GoogleMailSettingsService service = new GoogleMailSettingsService("domain name", "appname");
    service.SetAuthenticationToken(credential.Token.AccessToken);
    service.CreateDelegate("delegator", "delegate");
Answer 0 (score: 2)
For those who may need this answer in the future, I was able to provide a solution through the following. For reference I am running a web app using MVC framework, but the solution could be tweaked for a console or GUI standalone app as well.
Basically, I was able to authenticate the GoogleMailSettingsService.Service.RequestFactory with a GOAuth2RequestFactory object.
For instance:
    GoogleMailSettingsService service = new GoogleMailSettingsService("domain", "applicationName");
    service.RequestFactory = new GOAuth2RequestFactory("service", "AppName", new OAuth2Parameters() { AccessToken = AuthorizationCodeWebApp.AuthResult.Credential.Token.AccessToken });
Now for the AuthorizationCodeWebApp.AuthResult I implemented the following:
    using System;
    using System.Threading;
    using System.Threading.Tasks;
    using System.Web.Mvc;
    using Google.Apis.Auth.OAuth2;
    using Google.Apis.Auth.OAuth2.Flows;
    using Google.Apis.Auth.OAuth2.Mvc;
    using Google.Apis.Util.Store;

    // Controller action: starts (or resumes) the OAuth 2.0 authorization code flow.
    public async Task<ActionResult> DelegationMenu(CancellationToken cancellationToken)
    {
        var result = await new AuthorizationCodeMvcApp(this, new AppFlowMetadata()).AuthorizeAsync(cancellationToken);
        if (result.Credential == null)
            return new RedirectResult(result.RedirectUri); // Will redirect to login page for Google Admin to authenticate.
        Session["AuthResult"] = result;
        return View();
    }

    // Flow configuration: client credentials, requested scope, and token storage.
    public class AppFlowMetadata : FlowMetadata
    {
        private static readonly IAuthorizationCodeFlow flow =
            new GoogleAuthorizationCodeFlow(new GoogleAuthorizationCodeFlow.Initializer
            {
                ClientSecrets = new ClientSecrets
                {
                    ClientId = "ClientId",
                    ClientSecret = "ClientSecret"
                },
                Scopes = new[] { "https://apps-apis.google.com/a/feeds/emailsettings/2.0/" },
                DataStore = new FileDataStore("C:\\OAuth2.0Tokens")
            });

        // Returns a per-session identifier used as the key for stored tokens.
        public override string GetUserId(Controller controller)
        {
            var user = controller.Session["user"];
            if (user == null)
            {
                user = Guid.NewGuid();
                controller.Session["user"] = user;
            }
            return user.ToString();
        }

        public override IAuthorizationCodeFlow Flow
        {
            get { return flow; }
        }
    }
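Answer 1 (score: 0)
A service account is not required for this operation. The Email Settings API in the Admin SDK allows a super administrator to set up delegation for accounts within the domain without impersonating a user through a service account.
See this section of the developer site for more information about this API. You can also test this on the OAuth Playground and add the delegate directly.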
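The service-account credential from the question, passed through the request factory that answer 0 uses, as an added example that is not code from either poster and is not confirmed by the page to resolve the Unauthorized response. The class name, constants, key path, `"notasecret"` key password and the `"apps"` service name are assumptions or placeholders.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using Google.Apis.Auth.OAuth2;
using Google.GData.Apps.GoogleMailSettings;
using Google.GData.Client;

public static class DelegateSetup   // hypothetical helper class
{
    // Placeholders (assumptions), not values from the page.
    const string ServiceAccountEmail = "SERVICE_ACCOUNT_EMAIL";
    const string AdminUser = "SUPER_ADMIN_EMAIL";            // super admin the service account acts as
    const string Domain = "example.com";
    const string AppName = "AppName";
    const string KeyPath = @"C:\keys\service-account.p12";   // hypothetical path; keep outside the web root
    const string Scope = "https://apps-apis.google.com/a/feeds/emailsettings/2.0/";

    public static void AddDelegate(string delegator, string delegateAddress)
    {
        // "notasecret" is the default password on .p12 keys downloaded from Google (assumed here).
        var cert = new X509Certificate2(KeyPath, "notasecret", X509KeyStorageFlags.Exportable);

        var credential = new ServiceAccountCredential(
            new ServiceAccountCredential.Initializer(ServiceAccountEmail)
            {
                Scopes = new[] { Scope },   // request only the Email Settings scope
                User = AdminUser            // domain-wide delegation: the user to act as
            }.FromCertificate(cert));

        // The task result is false when no token was issued; stop before calling the API.
        if (!credential.RequestAccessTokenAsync(CancellationToken.None).Result)
            throw new InvalidOperationException(
                "Token request failed; check that the client ID is authorized for this scope in the admin console.");

        var service = new GoogleMailSettingsService(Domain, AppName);
        // "apps" as the GData service name is an assumption; answer 0 shows a placeholder here.
        service.RequestFactory = new GOAuth2RequestFactory("apps", AppName,
            new OAuth2Parameters { AccessToken = credential.Token.AccessToken });

        service.CreateDelegate(delegator, delegateAddress);
    }
}
```

The access token is short-lived, so a long-running process should request a fresh one before reusing the service object rather than caching the token string.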