作者:泥泥的春天_565_576 | 来源:互联网 | 2023-02-01 19:24
我创建了一个Java应用程序,该程序执行MS Active Directory与Google网上论坛的同步。它是非交互式应用程序,假定由cronjob在夜间执行。它确实可以在我的笔记本电脑(DEV环境)上正常工作。我的问题是,在首次运行时,它会弹出浏览器窗口,并显示要求授权访问Google API的对话框。单击“允许”按钮后,它会愉快地进行到最后。现在,我需要将其移至运行CentOS且没有浏览器的生产服务器。当我在此环境中运行应用程序时,它会显示以下消息:
Please open the following address in your browser:
https://accounts.google.com/o/oauth2/auth?access_type=offline&client_id=520105804541-c7d7bfki88qr8dbkv6oahp22i3oq1jq0.apps.googleusercontent.com&redirect_uri=http://localhost:50089/Callback&response_type=code&scope=https://www.googleapis.com/auth/admin.directory.group.member%20https://www.googleapis.com/auth/admin.directory.orgunit%20https://www.googleapis.com/auth/admin.directory.device.mobile.action%20https://www.googleapis.com/auth/admin.directory.orgunit.readonly%20https://www.googleapis.com/auth/admin.directory.userschema%20https://www.googleapis.com/auth/admin.directory.device.chromeos%20https://www.googleapis.com/auth/admin.directory.notifications%20https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly%20https://www.googleapis.com/auth/admin.directory.device.mobile%20https://www.googleapis.com/auth/admin.directory.group.readonly%20https://www.googleapis.com/auth/admin.directory.group.member.readonly%20https://www.googleapis.com/auth/admin.directory.userschema.readonly%20https://www.googleapis.com/auth/admin.directory.user.alias%20https://www.googleapis.com/auth/admin.directory.user.security%20https://www.googleapis.com/auth/admin.directory.device.mobile.readonly%20https://www.googleapis.com/auth/admin.directory.user%20https://www.googleapis.com/auth/admin.directory.user.readonly%20https://www.googleapis.com/auth/admin.directory.user.alias.readonly%20https://www.googleapis.com/auth/admin.directory.group%20https://www.googleapis.com/auth/apps.groups.settings
这台机器上没有浏览器,但是如果尝试在另一个机器上运行它,则会收到错误400-无效请求。原因很明显,因为它重定向到localhost:50089,并且没有人在另一台计算机上的该端口上侦听。通过在developers.google.com上浏览了多个文档和示例,我找到了一种绕过对话框的方法,方法是创建服务帐户并为其生成主键。
try {
GoogleCredential cr = GoogleCredential
.fromStream(new FileInputStream(keyFile))
.createScoped(SCOPES);
Directory directory = new Directory.Builder(httpTransport, jsonFactory, cr)
.setApplicationName(config.getProperty("google.application.name")).build();
} catch (IOException ex) {
LOG.error("Failed to establish access credentials : ", ex.getMessage());
}
它确实读取了密钥并创建了Directory实例,但是对它的任何请求都将导致403响应代码
{“ code”:403,“ errors”:[{“ domain”:“ global”,“ message”:“未授权访问此资源/ api”,“ reason”:“禁止”
}],“ message”: “未授权访问此资源/ api”}”
但是我已经将该帐户的所有特权委派给了服务帐户。不知道我还能做什么。如果有人可以帮助我摆脱困境,我将不胜感激。
1> Gary Greenbe..:
我找到了解决方案。问题是Google生成的JSON密钥未设置服务帐户用户。您必须像这样手动进行操作:
GoogleCredential cr = GoogleCredential
.fromStream(new FileInputStream(keyFile))
.createScoped(SCOPES);
GoogleCredential.Builder builder = new GoogleCredential.Builder()
.setTransport(httpTransport)
.setJsonFactory(jsonFactory)
.setServiceAccountScopes(SCOPES)
.setServiceAccountId(cr.getServiceAccountId())
.setServiceAccountPrivateKey(cr.getServiceAccountPrivateKey())
.setServiceAccountPrivateKeyId(cr.getServiceAccountPrivateKeyId())
.setTokenServerEncodedUrl(cr.getTokenServerEncodedUrl())
.setServiceAccountUser(user);
Directory directory = new Directory.Builder(
httpTransport, jsonFactory, builder.build())
.setApplicationName(config.getProperty("google.application.name")).build();