问题描述

我的认为的我了解的OAuth 2.0可在移动应用或网站的情况下 - 也不是我的情况。

I think I understand how OAuth 2.0 works in the context of a mobile app or website - neither is my case.

我有一个C ++的命令行应用程序，我想给的谷歌服务中的一个（的），但我认为这个问题适用于任何的谷歌服务，或赫克，有对付的OAuth2或许也是任何命令行应用程序。

I have a C++ command line application that I want to give access to one of the Google Services (Google Fusion Tables) but I think this question applies to any of the Google Services, or heck, perhaps also any command line app that has to deal with OAuth2.

我的用户名。我有密码（用户输入的）。我需要得到一个令牌，所以我可以使通过卷曲的电话。什么是完成这一任务的最简单的方法？

I have the username. I have the password (the user typed it). I need to get a token so I can make the calls through Curl. What is the easiest way to accomplish this?

更新1：

通过文档会后，似乎是最不痛苦的OAuth2流程将是之一。

After going through the documentation, it seems that the least painful OAuth2 flow will be the "Installed Application" one.

我在想什么是我的命令行工具将使公共表请求，而不需要一个令牌（但似乎我们仍然需要把从谷歌一个AppID，我可以从谷歌API的仪表板获得）。

What I am thinking is that my command line tool will make requests for public tables without needing a token (but it seems we still need to be sending an AppID from Google which I can get from the Google APIs dashboard).

每当我的命令行工具，需要使用专用的资源，该用户将被要求提供一个谷歌提供的授权code 的（这我的命令行工具，就可以用它来获得一个可用的标记的）。如果用户未提供的授权code 的命令行，我的工具也只是打印一个链接，用户可以粘贴到URL生成授权code。链接应该是这样的：

Whenever my command line tool will need to use a private resource, that user would be required to supply a Google supplied authorization code (which my command line tool can then use to get a usable token). If the user has not supplied the authorization code in the command line, my tool would just print a link that the user can paste to the URL to generate the authorization code. The link would look like this:

<一个href=\"https://accounts.google.com/o/oauth2/auth?scope=https://www.googleapis.com/auth/fusiontables&redirect_uri=urn%3aietf%3awg%3aoauth:2.0%3aoob&response_type=$c$c&client_id=812741506391-h38jh0j4fv0ce1krdkiq0hfvt6n5amrf.apps.googleusercontent.com\">https://accounts.google.com/o/oauth2/auth?scope=https://www.googleapis.com/auth/fusiontables&redirect_uri=urn:ietf:wg:oauth:2.0:oob&response_type=$c$c&client_id=812741506391-h38jh0j4fv0ce1krdkiq0hfvt6n5amrf.apps.googleusercontent.com

一旦用户接受，她将不得不说的授权code 的粘贴到终端，因此它可以通过命令行工具可以使用。命令行工具应使用授权code要求谷歌为的标记的，然后，终于，我可以再使用谷歌的令牌，使API调用。

Once the user accepts, she would have to paste that authorization code to the terminal so it can be used by the command line tool. The command line tool would use the authorization code to ask Google for a token and then, finally, I can then use the Google token to make the API calls.

有几件事情还不清楚我。是否授权code改变？如果是这样，看来我需要保存令牌和地方刷新标记，所以我可以重复使用刷新令牌每一​​个令牌到期时间。

A few things are still unclear to me. Does the authorization code change? If so, it seems I would need to save the token and refresh tokens somewhere so I can reuse the refresh token every time the token expires.

难道只是我，还是这整个事情看起来像呓语只是，这样我可以在命令行中使用谷歌API？

Is it just me, or does this whole thing seems like crazy talk just so that I can use a Google API from the command line?

我通常会使用，但一切似乎指出，这将是德$ P很快$ pcated。

I would normally use the ClientLogin flow, but everything seems to point out that it will be deprecated soon.

推荐答案

在授权code 是一次才有效。你已经把它换成之后 - 找来的刷新标记和访问令牌 - 这将无法使用了。刚刚倾倒。这只是一次性使用，你不需要它了。你需要做的只是保持/保存/坚持在刷新标记在一些本地文件中重复使用。

To answer your question about the "Installed application" flow:

The authorization code is only valid once. After you have exchanged it - and got a refresh token and an access token - it won't be usable anymore. Just dump it. It's one-time use only and you don't need it anymore. What you need to do is simply keep/save/persist the refresh token in some local file for reuse.

在刷新标记是的的重要标记。通过它可以访问的API为无限期，因为你可以用它来编程方式获得新的访问令牌（这是有效1H）。检查。

The refresh token is the important token. It gives you access to the API for an unlimited period of time because you can use it to programmatically get new access tokens (which are valid 1h). Check the refresh token doc about that operation.

在谷歌API客户端库通常为您处理自动，透明地刷新令牌，但因为我们没有一个C ++客户端的lib，你需要这个做自己。我们使用一种技术是我们赶上403错误，这样做的API请求来时（这表示无效的访问令牌），在这种情况下，我们做了刷新，以获得一个新的访问令牌，然后自动重新尝试，最初失败的操作。

The Google APIs Client libraries usually handle refreshing the tokens automatically and transparently for you but since we don't have a C++ client lib you need to do this yourself. One technique we use is that we catch 403 errors when doing requests to the API (which indicates an invalid access token), in that case we do the refresh to get a new access token, then automatically re-try the operation that failed initially.

这会给你最好的用户体验的流程是使用服务器端的web应用程序流。它可以使用它的安装和/或命令行应用程序，认为这是更多的工作。方法如下：

The flow that will give you the best user experience is to use the server-side web application flow. It is possible to use it on installed and/or command line application, thought it is more work. Here is how:

1. 使用自由港启动用户计算机上的本地Web服务器（例如：的http：//本地主机：7777 ）


2. 生成一个Web浏览器窗口（或在您的应用程序嵌入）将用户重定向到谷歌的OAuth 2.0授予页面，并设置重定向URI来的http：//本地主机：7777


3. 当用户授权访问，他将被重定向到的http：//本地主机：7777 ，你会检测到由于本地Web服务器在步骤开始1


4. 使用您的本地W​​eb服务器，从URL获得AUTH code和换取你坚持
标记

5. 杀死/关闭您在步骤1
启动本地Web服务器

6. 杀死/关闭您在步骤催生了浏览器实例2

1. Start a local web server on the user's machine using a free port (for instance: http://localhost:7777)
2. Spawn a web browser window (or embed it in your app) redirecting the user to the Google OAuth 2.0 grant page and set the redirect URI to http://localhost:7777
3. When the user grant you access, he will get redirected to http://localhost:7777, you will detect that thanks to the local web server you started in step 1
4. Using your local web server, get the auth code from the URL and exchange it for tokens which you persist
5. Kill/close the local web server you started in step 1
6. Kill/close the browser instance you spawned in step 2

就是这样，你现在有刷新和访问令牌（步骤4），你杀了浏览器之后重新出现在你的应用程序。

That's it, you now have the refresh and the access token (from step 4) and you are back in your app after killing the browser.

客户端登录已经去pcated $ P $（是不使用它：它会离开，并与新的API不工作！）有很好的理由：谷歌不希望用户给你自己的密码，这是危险的（你可能会保存它，你可以得到砍死:)）也通过它可以访问到的信息太多（你可以购买的东西与他们的谷歌Checkout帐户！更改密码窃取其账户......）。目前，去一个安全的角度来看，唯一的办法就是用这3条腿的身份验证系统，如OAuth的2和鼓励使用的密码，使用户松第三方提供用户名和密码的习惯。当然，这是一个很大更难使用桌面/命令行应用程序...

Client Login has been deprecated (yes don't use it: it's going away and doesn't work with newer APIs!) for good reasons: Google doesn't want users to give you their password, it's dangerous (you might be tempted to store it and you could get hacked :)) also it gives you access to too much information (you could buy stuff with their Google Checkout account! Change their password to steal their accounts...). Currently the only way to go on a security standpoint is to use these 3-legged auth systems like OAuth 2 and discourage the use of password so that users loose the habit of providing their username and password to 3rd parties. Of course it's a lot harder to use for desktop/command line applications...

这篇关于授权命令行工具来消耗谷歌的API（通过OAuth2.0的或其他任何东西）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！