6

我创建了一个 Java 应用程序,它可以将 MS Active Directory 与 Google Groups 同步。它是非交互式应用程序,假设在夜间由 cronjob 执行。它在我的笔记本电脑(DEV 环境)上运行良好。我的问题是,在第一次运行时,它会弹出浏览器窗口,其中包含要求授权访问 Google API 的对话框。在我点击“允许”按钮后,它愉快地进行到最后。现在我需要将它移动到运行 CentOS 并且没有浏览器的生产服务器。当我在这个环境中运行我的应用程序时,它会打印以下消息:

Please open the following address in your browser:  
https://accounts.google.com/o/oauth2/auth?access_type=offline&client_id=520105804541-c7d7bfki88qr8dbkv6oahp22i3oq1jq0.apps.googleusercontent.com&redirect_uri=http://localhost:50089/Callback&response_type=code&scope=https://www.googleapis.com/auth/admin.directory.group.member%20https://www.googleapis.com/auth/admin.directory.orgunit%20https://www.googleapis.com/auth/admin.directory.device.mobile.action%20https://www.googleapis.com/auth/admin.directory.orgunit.readonly%20https://www.googleapis.com/auth/admin.directory.userschema%20https://www.googleapis.com/auth/admin.directory.device.chromeos%20https://www.googleapis.com/auth/admin.directory.notifications%20https://www.googleapis.com/auth/admin.directory.device.chromeos.readonly%20https://www.googleapis.com/auth/admin.directory.device.mobile%20https://www.googleapis.com/auth/admin.directory.group.readonly%20https://www.googleapis.com/auth/admin.directory.group.member.readonly%20https://www.googleapis.com/auth/admin.directory.userschema.readonly%20https://www.googleapis.com/auth/admin.directory.user.alias%20https://www.googleapis.com/auth/admin.directory.user.security%20https://www.googleapis.com/auth/admin.directory.device.mobile.readonly%20https://www.googleapis.com/auth/admin.directory.user%20https://www.googleapis.com/auth/admin.directory.user.readonly%20https://www.googleapis.com/auth/admin.directory.user.alias.readonly%20https://www.googleapis.com/auth/admin.directory.group%20https://www.googleapis.com/auth/apps.groups.settings

这台机器上没有浏览器,但如果我尝试在另一个机器上运行它,我会收到错误 400 - 无效请求。原因很清楚,因为它重定向到 localhost:50089 并且没有人在另一台机器上监听该端口。通过浏览developers.google.com 上的多个文档和示例,我找到了一种绕过对话框的方法,即创建服务帐户并为其生成主键。

    try {
        GoogleCredential cr = GoogleCredential
             .fromStream(new FileInputStream(keyFile))
             .createScoped(SCOPES);
        Directory directory = new Directory.Builder(httpTransport, jsonFactory, cr)
.setApplicationName(config.getProperty("google.application.name")).build();
    } catch (IOException ex) {
       LOG.error("Failed to establish access credentials : ", ex.getMessage());
    }

它确实读取了密钥并创建了 Directory 实例,但是对它的任何请求都会导致 403 响应代码

{“代码”:403,“错误”:[{“域”:“全局”,“消息”:“未授权访问此资源/api”,“原因”:“禁止”
}],“消息”: "无权访问此资源/api" }"

但我已将此帐户的所有权限委托给服务帐户。不知道我还能做什么。如果有人能帮助我摆脱困境,我将不胜感激。

4

1 回答 1

6

我找到了解决方案。问题是 Google 生成的 JSON 密钥没有设置服务帐户用户。您必须像这样手动执行此操作:

        GoogleCredential cr = GoogleCredential
             .fromStream(new FileInputStream(keyFile))
             .createScoped(SCOPES);
        GoogleCredential.Builder builder = new GoogleCredential.Builder()
             .setTransport(httpTransport)
             .setJsonFactory(jsonFactory)
             .setServiceAccountScopes(SCOPES)
             .setServiceAccountId(cr.getServiceAccountId())
             .setServiceAccountPrivateKey(cr.getServiceAccountPrivateKey())
             .setServiceAccountPrivateKeyId(cr.getServiceAccountPrivateKeyId())
             .setTokenServerEncodedUrl(cr.getTokenServerEncodedUrl())
             .setServiceAccountUser(user);
        Directory directory = new Directory.Builder(
              httpTransport, jsonFactory, builder.build()) 
             .setApplicationName(config.getProperty("google.application.name")).build();
于 2017-06-08T22:21:43.200 回答