时间戳

首页 > 解决方案 > 如何授权服务帐户访问用户云端硬盘帐户?

c# - 如何授权服务帐户访问用户云端硬盘帐户?

问题描述

我正在尝试允许用户与我的网络应用程序共享文件,我的应用程序有一个服务帐户,并且它已成功使用 G Suite 进行配置。

但是,我无法使用以下代码对用户进行身份验证,例如 ServiceAccount 上的 johndoe@gmail.com 以访问他上传的文件:

ServiceAccountCredential serviceAccountCredential = GoogleCredential.FromFile("service_account_secret.json").CreateScoped(DriveServiceScope).CreateWithUser("john_doe@gmail.com").UnderlyingCredential as ServiceAccountCredential;

向 DriveService 发出请求时出现以下异常:

Google.Apis.Auth.OAuth2.Responses.TokenResponseException:'错误:“unauthorized_client”,描述:“客户端未经授权无法使用此方法检索访问令牌。”,Uri:“”'

johndoe@gmail.com 需要做什么才能授权我的 ServiceAccount 访问他的文件?

标签: c#.netgoogle-drive-apigoogle-api-dotnet-clientservice-accounts

解决方案

当您在 Google Developer 控制台上创建服务帐户时,您选择了错误的类型。不同类型的凭证的代码和凭证文件不同。

您可能创建了浏览器或本机应用程序凭据

这是.net的一些垃圾代码

    /// <summary>
    /// Authenticating to Google using a Service account
    /// Documentation: https://developers.google.com/accounts/docs/OAuth2#serviceaccount
    /// </summary>
    /// <param name="serviceAccountEmail">From Google Developer console https://console.developers.google.com</param>
    /// <param name="serviceAccountCredentialFilePath">Location of the .p12 or Json Service account key file downloaded from Google Developer console https://console.developers.google.com</param>
    /// <returns>AnalyticsService used to make requests against the Analytics API</returns>
    public static DriveService AuthenticateServiceAccount(string serviceAccountEmail, string serviceAccountCredentialFilePath, string[] scopes)
    {
        try
        {
            if (string.IsNullOrEmpty(serviceAccountCredentialFilePath))
                throw new Exception("Path to the service account credentials file is required.");
            if (!File.Exists(serviceAccountCredentialFilePath))
                throw new Exception("The service account credentials file does not exist at: " + serviceAccountCredentialFilePath);
            if (string.IsNullOrEmpty(serviceAccountEmail))
                throw new Exception("ServiceAccountEmail is required.");                

            // For Json file
            if (Path.GetExtension(serviceAccountCredentialFilePath).ToLower() == ".json")
            {
                GoogleCredential credential;
                using (var stream = new FileStream(serviceAccountCredentialFilePath, FileMode.Open, FileAccess.Read))
                {
                    credential = GoogleCredential.FromStream(stream)
                         .CreateScoped(scopes);
                }

                // Create the  Analytics service.
                return new DriveService(new BaseClientService.Initializer()
                {
                    HttpClientInitializer = credential,
                    ApplicationName = "Drive Service account Authentication Sample",
                });
            }
            else if (Path.GetExtension(serviceAccountCredentialFilePath).ToLower() == ".p12")
            {   // If its a P12 file

                var certificate = new X509Certificate2(serviceAccountCredentialFilePath, "notasecret", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable);
                var credential = new ServiceAccountCredential(new ServiceAccountCredential.Initializer(serviceAccountEmail)
                {
                    Scopes = scopes
                }.FromCertificate(certificate));

                // Create the  Drive service.
                return new DriveService(new BaseClientService.Initializer()
                {
                    HttpClientInitializer = credential,
                    ApplicationName = "Drive Authentication Sample",
                });
            }
            else
            {
                throw new Exception("Unsupported Service accounts credentials.");
            }

        }
        catch (Exception ex)
        {                
            throw new Exception("CreateServiceAccountDriveFailed", ex);
        }
    }
}
}

serviceaccount.cs中提取的代码

推荐阅读