"Authorisation is required to perform that action" message, even after clicking "Allow"
I recently ran into a problem authorising a new Google Apps Script project, specifically one that uses the Cloud SQL Admin API.
The same code exists in a previously authorised GAS project and works fine, but if I copy the GAS project and try to run a function for the first time, I cannot complete the authorisation process. The screens I go through are listed below:
- Authorisation required. - Click "Review Permissions"
- Choose an account to authorise the Google project. - Click my account
- This app isn't verified! - Click "Go to project (unsafe)"
- The Google project wants to access this list of scopes. - Click "Allow"
- Authorisation is required to perform that action.
Warning screen (3) was added to the process recently. I don't remember encountering it when creating and running new projects earlier this year. I wonder whether Google has recently made any changes to its OAuth2.0 security implementation.
Also, this problem seems to affect only REST calls to the Cloud SQL Admin API. In the same project mentioned above, I can run functions that write data to a BigQuery table in the same Google project that also hosts the Cloud SQL instance. So clearly some scopes and code can be made to work.
The "https://www.googleapis.com/auth/sqlservice.admin" scope is included in the list I requested and approved. I even tried manually editing the URL to add more requested scopes, but it still doesn't get me past the "Authorisation is required to perform that action" screen.
Any ideas?
Edit:
The relevant code that triggers the authentication.
// Helper assumed by the rest of the script: a tagged logger on top of Logger.
function _log_(level, message) {
  Logger.log(level + ': ' + message);
}

// Function to get the ip address of a given CloudSQL instance
function _getInstanceIpAddress_(projectId, sqlInstance) {
  var token = _getAuthenticationToken_();
  if (!token) {
    // No token yet: the authorisation URL has already been logged.
    return null;
  }
  // Create the header authorisation
  var headers = {
    "Authorization": "Bearer " + token
  };
  // Create the UrlFetchApp options. The project and instance belong in the
  // URL below, not in the fetch options, where UrlFetchApp would ignore them.
  var parameters = {
    "method": "get",
    "headers": headers,
    "muteHttpExceptions": true
  };
  // Create the url of the sql instances get API
  var api = "https://www.googleapis.com/sql/v1beta4/projects/" + projectId +
    "/instances/" + sqlInstance + "?fields=ipAddresses";
  try {
    // Use the url fetch service to issue the https request and capture the response
    var response = UrlFetchApp.fetch(api, parameters);
    // With muteHttpExceptions set, a 401/403 comes back as a normal response:
    // log the API's error body instead of failing on a missing field below.
    if (response.getResponseCode() !== 200) {
      _log_('ERROR', 'Cloud SQL API returned ' + response.getResponseCode() +
        ': ' + response.getContentText());
      return null;
    }
    // Extract the ip address of the instance from the response
    var content = JSON.parse(response.getContentText());
    return content.ipAddresses[0].ipAddress;
  } catch(err) {
    _log_('ERROR', 'Getting ' + sqlInstance + ' instance ip address failed: ' + err);
    return null;
  }
}

function _getAuthenticationToken_() {
  // Check we have access to the service
  var service = getService();
  if (!service.hasAccess()) {
    var authorizationUrl = service.getAuthorizationUrl();
    _log_('INFO', 'Open the following URL and re-run the script: ' + authorizationUrl);
    return null;
  }
  Logger.log('Passed Authentication');
  // Get the Access Token
  return service.getAccessToken();
}

// getService and authCallback are top-level functions: the OAuth2 library
// resolves the callback by name in the script's global scope, so a callback
// nested inside _getAuthenticationToken_ would never be found.
function getService() {
  // Create a new service with the given name. The name will be used when
  // persisting the authorized token, so ensure it is unique within the
  // scope of the property store.
  return OAuth2.createService('companyName-dev-service')
    // Set the endpoint URLs, which are the same for all Google services.
    .setAuthorizationBaseUrl('https://accounts.google.com/o/oauth2/auth')
    .setTokenUrl('https://accounts.google.com/o/oauth2/token')
    // Set the client ID and secret, from the Google Developers Console.
    .setClientId(CLIENT_ID)
    .setClientSecret(CLIENT_SECRET)
    // Set the name of the callback function in the script referenced
    // above that should be invoked to complete the OAuth flow.
    .setCallbackFunction('authCallback')
    // Set the property store where authorized tokens should be persisted.
    .setPropertyStore(PropertiesService.getUserProperties())
    // Set the scopes to request (space-separated for Google services).
    // This is admin access for the sqlservice and access to the cloud-platform:
    .setScope(
      'https://www.googleapis.com/auth/sqlservice.admin ' +
      'https://www.googleapis.com/auth/cloud-platform')
    // Removed because this should be covered by cloud-platform
    // 'https://www.googleapis.com/auth/devstorage.read_write '
    // Below are Google-specific OAuth2 parameters.
    // Sets the login hint, which will prevent the account chooser screen
    // from being shown to users logged in with multiple accounts.
    .setParam('login_hint', Session.getActiveUser().getEmail())
    // Requests offline access.
    .setParam('access_type', 'offline')
    // Forces the approval prompt every time. This is useful for testing,
    // but not desirable in a production application.
    .setParam('approval_prompt', 'force');
}

function authCallback(request) {
  var cloudSQLService = getService();
  var isAuthorized = cloudSQLService.handleCallback(request);
  if (isAuthorized) {
    _log_('INFO', 'Access Approved');
    return HtmlService.createHtmlOutput('Success! You can close this tab.');
  } else {
    _log_('INFO', 'Access Denied');
    return HtmlService.createHtmlOutput('Denied. You can close this tab.');
  }
}
If you think back a year, you may remember Massive Phishing Attack Targets Gmail Users; what you are seeing is Google's response to that.
Using web credentials with particular scopes requires Google to approve them before anyone other than the developer who created those credentials can use them. Google says approval usually takes about a week.
You didn't see it before because it only recently hit Apps Script: OAuth client verification
Starting July 18, 2017, Google OAuth clients that request certain sensitive OAuth scopes will be subject to review by Google.
We ran into a similar problem with the Google Compute Engine API. According to this article, explicitly setting the scopes in the appsscript.json file solved it for us:
  "oauthScopes": [
    "https://www.googleapis.com/auth/spreadsheets.readonly",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/script.container.ui",
    "https://www.googleapis.com/auth/script.external_request",
    "https://www.googleapis.com/auth/spreadsheets",
    "https://www.googleapis.com/auth/compute",
    "https://www.googleapis.com/auth/cloud-platform"
  ],
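An added check, not code from the question or either answer, that puts the two sides of this thread together: it reads the oauthScopes of an appsscript.json manifest (the fix in the answer above) and the scope field of the token response the OAuth2 flow in the question receives, and reports which scopes needed by the Cloud SQL lookup are missing from each. It runs under plain Node.js; REQUIRED_SCOPES, the IMPLIED_BY mapping and the sample inputs are assumptions made for the example.

```javascript
// Scopes the Cloud SQL lookup in the question depends on: UrlFetchApp needs
// script.external_request and the Cloud SQL Admin API needs sqlservice.admin.
const REQUIRED_SCOPES = [
  'https://www.googleapis.com/auth/script.external_request',
  'https://www.googleapis.com/auth/sqlservice.admin',
];
// Broad scopes that stand in for narrower ones. Assumption for this example:
// the Cloud SQL Admin API accepts cloud-platform in place of sqlservice.admin,
// as the comment in the question's own getService() expects.
const IMPLIED_BY = {
  'https://www.googleapis.com/auth/cloud-platform': [
    'https://www.googleapis.com/auth/sqlservice.admin',
  ],
};

// Expand granted scopes with everything they imply.
function expandScopes(scopes) {
  const out = new Set(scopes);
  for (const s of scopes) {
    for (const implied of IMPLIED_BY[s] || []) out.add(implied);
  }
  return out;
}

// Required scopes not covered by the granted ones (order of `required` kept).
function missingScopes(required, granted) {
  const have = expandScopes(granted);
  return required.filter((s) => !have.has(s));
}

// Check the oauthScopes array of an appsscript.json manifest given as text.
function checkManifest(manifestText, required = REQUIRED_SCOPES) {
  const manifest = JSON.parse(manifestText);
  return missingScopes(required, manifest.oauthScopes || []);
}

// Check the space-separated `scope` field of a Google token endpoint response.
// It lists what was actually granted, which is what the API enforces.
function checkTokenResponse(tokenText, required = REQUIRED_SCOPES) {
  const token = JSON.parse(tokenText);
  return missingScopes(required, (token.scope || '').split(' ').filter(Boolean));
}

// Constructed sample inputs, not real project data or credentials.
const SAMPLE_MANIFEST = JSON.stringify({ oauthScopes: [
  'https://www.googleapis.com/auth/script.external_request',
  'https://www.googleapis.com/auth/cloud-platform',
] });
const SAMPLE_TOKEN = JSON.stringify({ access_token: 'ya29.EXAMPLE', token_type: 'Bearer',
  expires_in: 3599, scope: 'https://www.googleapis.com/auth/userinfo.email' });
```

Run checkTokenResponse on the JSON the token endpoint returns when the flow completes: an empty array means the token carries every scope the call needs, and any entries it lists are the scopes to add to the manifest or to setScope.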