GSuite API access: unauthorized_client, Client is unauthorized to retrieve access tokens using this method

Time: 2018-08-20 22:42:46

Tags: python google-cloud-platform service-accounts gsuite

I am trying to access documents stored in my organization's Google Drive from a Python script.

Here is what I did:

  1. Created a new service account and selected "Enable G Suite Domain-wide Delegation".
  2. Then I went to the GSuite admin console for my account and, via Security -> Advanced settings -> Manage API client access, added the client ID generated for the new service account together with the following permissions, as detailed here.

Then I have the following Python method to build the service used to access GSuite documents:

from google.oauth2 import service_account
from googleapiclient.discovery import build


def get_service(api_name, api_version, scopes, key_file_location):
    """Get a service that communicates to a Google API.

    Args:
        api_name: The name of the api to connect to.
        api_version: The api version to connect to.
        scopes: A list auth scopes to authorize for the application.
        key_file_location: The path to a valid service account JSON key file.

    Returns:
        A service that is connected to the specified API.
    """

    # credentials = ServiceAccountCredentials.from_json_keyfile_name(
    #         key_file_location, scopes=scopes)
    credentials = service_account.Credentials.from_service_account_file(
        key_file_location, scopes=scopes)

    # Impersonate a domain user through domain-wide delegation.
    delegated_credentials = credentials.with_subject('myemail@my-gsuite-domain.com')

    # Build the service object.
    service = build(api_name, api_version, credentials=delegated_credentials)

    return service

When I try to access a spreadsheet, I get the following error:

('unauthorized_client: Client is unauthorized to retrieve access tokens using this method.', u'{\n  "error": "unauthorized_client",\n  "error_description": "Client is unauthorized to retrieve access tokens using this method."\n}')

The spreadsheet's permissions allow anyone in the organization to view it.

I also tried manually adding the service account's email address to the spreadsheet's permissions; doing so let me access the document without using the delegated credentials, but I want to avoid having to add the email address to every spreadsheet I want to access.

How can I programmatically view, with Python, all the Google Sheets that members of the organization can view?

Thanks.

1 answer:

Answer 0 (score: 0)

Thanks to @AChampion for the pointer. The problem was that I was requesting the scope https://www.googleapis.com/auth/spreadsheets while I had only authorized the scope https://www.googleapis.com/auth/spreadsheets.readonly. I assumed `spreadsheets` was a superset of `spreadsheets.readonly`, but that is not the case.

My get_service code:

from httplib2 import Http
from oauth2client.service_account import ServiceAccountCredentials
from googleapiclient.discovery import build


def get_service(api_name, api_version, scopes, key_file_location):
    """Get a service that communicates to a Google API.

    Args:
        api_name: The name of the api to connect to.
        api_version: The api version to connect to.
        scopes: A list auth scopes to authorize for the application.
        key_file_location: The path to a valid service account JSON key file.

    Returns:
        A service that is connected to the specified API.
    """

    credentials = ServiceAccountCredentials.from_json_keyfile_name(
            key_file_location, scopes=scopes)
    # credentials = service_account.Credentials.from_service_account_file(
    #     key_file_location, scopes=scopes)

    # Impersonate a domain user through domain-wide delegation.
    delegated_credentials = credentials.create_delegated('name@example.com')
    delegated_http = delegated_credentials.authorize(Http())

    # Build the service object.
    service = build(api_name, api_version, http=delegated_http)

    return service

My call to get_service:

scope = 'https://www.googleapis.com/auth/spreadsheets'
key_file_location = '/path/to/keyfile.json'
service = get_service(
    api_name='sheets',
    api_version='v4',
    scopes=[scope],
    key_file_location=key_file_location)
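The root cause in the answer above is a scope mismatch: the delegation grant in the admin console is matched on exact scope strings, so requesting `.../auth/spreadsheets` against a grant of `.../auth/spreadsheets.readonly` fails with `unauthorized_client`. The following is an added example (not code from the asker or the answerer) that checks requested scopes against the granted set before any token request and classifies the error body quoted in the question; the granted-scope set and the sample error body are constructed for the example.

```python
import json

# Constructed example of the scopes granted to the service account's client ID
# in the admin console (Manage API client access). Mirrors the question, where
# only the read-only Sheets scope had been granted.
AUTHORIZED_SCOPES = {
    "https://www.googleapis.com/auth/spreadsheets.readonly",
}

# Constructed error body in the shape quoted in the question.
SAMPLE_BODY = ('{\n  "error": "unauthorized_client",\n'
               '  "error_description": "Client is unauthorized to retrieve '
               'access tokens using this method."\n}')


def missing_scopes(requested, authorized=AUTHORIZED_SCOPES):
    """Return the requested scopes that the delegation grant does not cover.

    Scopes are compared as exact strings: ".../auth/spreadsheets" does not
    satisfy a grant of ".../auth/spreadsheets.readonly", and neither does
    the reverse. Prefix or "superset" reasoning is exactly the trap here.
    """
    return sorted(s for s in requested if s not in authorized)


def classify_token_error(error_body):
    """Parse the JSON body returned on a failed delegated token request.

    Returns (error, description); error is None if the body is not JSON.
    """
    try:
        body = json.loads(error_body)
    except ValueError:
        return None, error_body
    return body.get("error"), body.get("error_description", "")


def diagnose(requested, error_body, authorized=AUTHORIZED_SCOPES):
    """Turn the error plus the scope comparison into one actionable message."""
    error, description = classify_token_error(error_body)
    if error != "unauthorized_client":
        return "not a delegation-authorization failure: %s" % (description,)
    missing = missing_scopes(requested, authorized)
    if missing:
        return "scopes not granted to this client ID: " + ", ".join(missing)
    return "all requested scopes are granted; check the client ID and subject"


if __name__ == "__main__":
    print(diagnose(["https://www.googleapis.com/auth/spreadsheets"], SAMPLE_BODY))
```

Keeping the granted set in code beside the requested scopes also documents the least-privilege decision: grant and request only the read-only scope when the script never writes.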