我正在编写一个页面,该页面使用OAuth 2.0通过gap.auth.authorize对Google+用户进行身份验证,并请求运行Google Fusion Tables sqlGet查询。我发现我的查询在身份验证之前运行良好,但在运行超过30秒时失败,出现403"权限不足"错误在验证之后。
此页面演示了该问题:https://googledrive.com/host/0B5Urq1jZb1MYSWloU3NTY2M4Qnc/test3b.htm
请遵循以下步骤:
-
点击"查询"运行一个gap.client.request Google Fusion Table SQL get查询,返回行数。这将成功运行,直到在步骤2和3中使用OAuth为止。
-
单击"启动OAuth"以针对Google+运行即时:真实授权。如果您当前已登录Google+,您的用户名和ID将显示在第三个按钮中。
-
如果您的Google+用户名没有显示在第三个按钮中,请单击按钮("授权")并登录Google+。
-
再次单击"查询"按钮。当在OAuth授权后约30秒内按下时,查询将无错误运行。之后,查询失败,返回403错误。为什么?
以下是演示页面的来源:
<!DOCTYPE html>
<html>
<head>
<meta name="viewport" content="user-scalable=no, width=device-width, initial-scale=1.0, maximum-scale=1.0" />
<title>Test3b</title>
<style type="text/css">
</style>
<script src="scripts/jquery-1.10.2.min.js" type="text/javascript"></script>
<script type="text/javascript">
var g_domIsReady = false;
var g_gapiIsReady = false;
$(function () {
log("@$(function())");
g_domIsReady = true;
start();
});
function gapiIsReady() {
log("@gapiIsReady");
g_gapiIsReady = true;
start();
}
function start() {
// Make sure both the gapi.client and the DOM (per jquery) are ready.
if (!(g_gapiIsReady && g_domIsReady)) return;
// Define members.
log("@start - gapi and DOM are ready");
var m_apiKey = "AIzaSyAvb0NHQMwyPbMJRtz2zRL4wTiVjZDiois"; // Points to Google account (including Google Drive) at paloalto@geodesy.net.
var m_clientId = "868768273487-q295tdfr54uvo98v74891qakcr9ci0pf.apps.googleusercontent.com";
var m_scopes = "https://www.googleapis.com/auth/plus.me";
// Wire buttons.
var queryButton = document.getElementById('query-button');
queryButton.onclick = function () { runGetRequest(); return false; };
var startOAuthButton = document.getElementById('startOAuth-button');
startOAuthButton.onclick = function () { startOAuth(); return false; };
// Set-up the gapi.
gapi.client.setApiKey(m_apiKey);
//----------------------------------------------------------------------------
// gapi.client.request query functions.
//----------------------------------------------------------------------------
function runGetRequest() {
log("@runGetRequest");
var tableId = "1VZgvKyuh9uHXkQawpxg1MU8AlO8Mngl-sx7SP74"; // TR_TREE_E
var sql = "select count(GID) from " + tableId + " where GID > 50000";
var path = "/fusiontables/v1/query";
var restRequest = gapi.client.request({
path: path,
params: { 'sql': sql }
});
restRequest.execute(jsonCallback);
}
function jsonCallback(json) {
log("@jsonCallback");
var output = JSON.stringify(json);
log(output);
alert(output);
}
//----------------------------------------------------------------------------
// OAuth functions.
//----------------------------------------------------------------------------
function startOAuth() {
log("@startOAuth");
var authorizeButton = document.getElementById('authorize-button');
window.setTimeout(checkAuth, 1); // check auth in 1 ms
function checkAuth() {
log("@checkAuth");
gapi.auth.authorize({
client_id: m_clientId,
scope: m_scopes,
immediate: true
}, handleAuthResult);
}
function handleAuthResult(authResult) {
log("@handleAuthResult");
if (authResult && !authResult.error) {
log("@handleAuthResult - authResult=true");
log(authResult); // authResult is a token (with 3600 second expiration).
authorizeButton.disabled = true;
useAuthResults();
} else {
log("@handleAuthResult - authResult=false");
authorizeButton.disabled = false;
authorizeButton.onclick = handleAuthClick;
}
}
function handleAuthClick() {
log("@handleAuthClick");
gapi.auth.authorize({
client_id: m_clientId,
scope: m_scopes,
immediate: false
}, handleAuthResult);
return false;
}
function useAuthResults() {
log("@useAuthResults");
// Get the Google+ user's ID and name (member info).
gapi.client.load('plus', 'v1', function () {
log("@gapi.client.load callback");
var request = gapi.client.plus.people.get({ 'userId': 'me' });
request.execute(function (aInfo) {
log("@request.execute callback");
if (aInfo.code !== undefined) {
alert('Google+ API returned ' + aInfo.code + ': ' + aInfo.message);
} else {
// Here with successful sign-in. Display the user name.
log('Google+ user id, name: ' + aInfo.id + ', ' + aInfo.displayName);
authorizeButton.value = aInfo.displayName + " +" + aInfo.id;
}
});
});
}
}
}
function log(msg) {
if (console) console.log(msg);
}
</script>
<script src="https://apis.google.com/js/client.js?onload=gapiIsReady" type="text/javascript"></script>
</head>
<body>
<h1>Test3a</h1>
<p>This pages demonstrates a problem I am having using gapi.client.request with gapi.auth.</p>
<input type="button" id="query-button" value="Query"><br>
<input type="button" id="startOAuth-button" value="Start OAuth"><br>
<input type="button" id="authorize-button" value="Authorize"><br>
<p>Steps...</p>
<p>1. Click "Query" to run a gapi.client.request Google Fusion Table SQL-get query returning
a count of rows. This will run successfully until OAuth is used in steps 2 and 3.</p>
<p>2. Click "Start OAuth" to run an immediate:true authorization against Google+. If you
are currently signed into Google+, your user name will be displayed in the third button.</p>
<p>3. If your Google+ user name is not displayed in the third button, press it ("Authorize")
and sign into Google+.</p>
<p>4. Click the "Query" button again.
The query will run without error when pressed within about 30 seconds of OAuth authorization.
After that, the query fails with a 403 error. WHY?</p>
</body>
</html>
请注意,我打算使用Google+登录来跟踪用户的页面使用情况,而不是启用Fusion Tables查询。
我是OAuth和gap.client.request的新手,所以这可能是我的一个简单误解
感谢您的真知灼见。
我没有所有的答案,但我认为这里有一些可能会有所帮助:
-
在用户使用G+登录之前,gap.client.request对象会在每个请求中添加一个"key=yourAPIKey"参数。
-
用户使用G+登录后,gap.client.request对象将向每个请求添加一个"key=yourAPIKey"参数,将在每个请求中发送一个"Authorization:Bearer ya.xxxxxxx"标头,代表登录用户的访问令牌。
我认为您看到403的原因是访问令牌正在发送到服务器,但该令牌不包括授权访问FusionTables数据的范围。如果未发送访问令牌,则不执行此验证。
如果您确实想访问用户拥有的数据,那么您需要征得用户同意,通过在您的gap.auth.authorize调用中包含适当的范围(例如"https://www.googleapis.com/auth/fusiontables").
然而,由于我不认为您试图代表特定用户访问数据,因此我认为您真正想做的是在调用Fusion Table API期间防止发送"授权"标头。
我看不出有什么简单的方法可以防止用户登录时gap.client.request库发送该标头,因此另一种解决方案可能是创建一个不使用gap.client-request库的HTTP对象(例如,直接使用XMLHttpRequest),并手动在每个请求中包含"key=yourAPIKey"。
(我无法解释为什么你会看到30秒的不同行为…)