User Impersonation with Service Account using Application Default Credentials

Question


I'm trying to use a service account with domain-wide delegation (DwD) on an App Engine deployment with Go.

I've followed the steps for using Google Application Default Credentials to use a service account with App Engine.

I got the code running locally on my dev machine but I'm stuck at retrieving the actual data from my domain.

I'm using the Admin SDK. Under the section Delegate domain-wide authority to your service account, it says that my "service account needs to impersonate one of those users to access the Admin SDK Directory API".

I've looked through the documentation for Go on using service account and user impersonation, AND I've also pored through the source code. Nowhere does it indicate where I can enter the user's email address/identity to impersonate.

Here is the error that I got:

googleapi: Error 404: Domain not found., notFound

The source code does show some clue but I faced other obstacles when trying to use something other than the Application Default Credentials.

Does anyone have any idea? Thanks in advance.

1: Google Application Default Credentials: http://developers.google.com/identity/protocols/application-default-credentials
2: Admin SDK Directory API, domain-wide delegation guide: https://developers.google.com/admin-sdk/directory/v1/guides/delegation
3: Delegate domain-wide authority to your service account: https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account

Answer 1

Score: 1


Just came across this same problem today, but using 3-pronged OAuth2 wasn't really feasible, as we didn't want to alter the directory using the API, but rather check group membership for users who signed in via the App Engine Users API.

That led me to create this library: https://github.com/iamacarpet/go-gae-dwd-tokensource

It creates a custom JWT that supports impersonation, signs it with the default service account using the built-in functionality, then fires it across to the token endpoint to get an access_token.

It isn't as efficient as the default function to get an access token, but in my testing, it was ~20ms latency vs ~450ms for a group membership check, so it wasn't an issue.

I've included an example of using it in a negroni middleware on the GitHub page.
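The flow the answer above describes (build a service-account JWT that names the impersonated user, sign it RS256, exchange it at the token endpoint with the jwt-bearer grant) is shown below as an added example; it is not code from the original post nor from the go-gae-dwd-tokensource library. The user to impersonate goes in the JWT's `sub` claim, which is the field the question was looking for. Assumptions: a locally generated RSA key stands in for App Engine's built-in signing (on App Engine you would pass `appengine.SignBytes` as the `sign` callback instead); the service-account address, admin address and scope are hypothetical placeholders; the HTTP POST to the token endpoint is prepared but not sent so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Claims of a Google service-account assertion. "sub" is the Workspace user
// the service account impersonates under domain-wide delegation.
type dwdClaims struct {
	Iss   string `json:"iss"`
	Sub   string `json:"sub,omitempty"`
	Scope string `json:"scope"`
	Aud   string `json:"aud"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

const tokenEndpoint = "https://oauth2.googleapis.com/token"

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// buildAssertion returns an RS256 JWT for the jwt-bearer grant. The signing
// step is injected so it can be appengine.SignBytes on App Engine or a local key.
func buildAssertion(serviceAccount, subject string, scopes []string, now time.Time,
	sign func([]byte) ([]byte, error)) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims := dwdClaims{
		Iss:   serviceAccount,
		Sub:   subject, // impersonated user; omit for plain service-account auth
		Scope: strings.Join(scopes, " "),
		Aud:   tokenEndpoint,
		Iat:   now.Unix(),
		Exp:   now.Add(time.Hour).Unix(), // Google rejects assertions valid for more than 1h
	}
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64(header) + "." + b64(payload)
	sig, err := sign([]byte(signingInput))
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// rsaSigner does what appengine.SignBytes does on the platform: SHA-256 + PKCS#1 v1.5.
func rsaSigner(key *rsa.PrivateKey) func([]byte) ([]byte, error) {
	return func(data []byte) ([]byte, error) {
		h := sha256.Sum256(data)
		return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	}
}

// tokenRequestBody is the form body POSTed to tokenEndpoint to obtain an access_token.
func tokenRequestBody(assertion string) string {
	v := url.Values{}
	v.Set("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer")
	v.Set("assertion", assertion)
	return v.Encode()
}

// verifyAssertion checks the signature and audience and returns the claims;
// this is what the token endpoint does on its side before issuing a token.
func verifyAssertion(token string, pub *rsa.PublicKey) (dwdClaims, error) {
	var c dwdClaims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed jwt")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return c, err
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, err
	}
	if c.Aud != tokenEndpoint {
		return c, fmt.Errorf("unexpected aud %q", c.Aud)
	}
	return c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the App Engine default service-account key
	tok, err := buildAssertion("sa@example-project.iam.gserviceaccount.com", "admin@example.com",
		[]string{"https://www.googleapis.com/auth/admin.directory.group.readonly"}, time.Now(), rsaSigner(key))
	if err != nil {
		panic(err)
	}
	c, err := verifyAssertion(tok, &key.PublicKey)
	fmt.Printf("claims=%+v err=%v\nPOST %s\n%s\n", c, err, tokenEndpoint, tokenRequestBody(tok)[:60]+"...")
}
```

Note that the token endpoint accepts the `sub` claim only if the service account's client ID has been granted that scope in the Admin console (the "Delegate domain-wide authority" step the question cites); otherwise the exchange fails even though the JWT is well-formed. Scope the delegation to the narrowest Directory scope the check needs (read-only group membership here) rather than the full admin scope.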

Answer 2

Score: 0


It seems that for the Admin SDK I need to ask for the user (the administrator) permissions to access the Directory API. This is quite different from the other APIs where I simply just set the user email address to access the specified user's data.

It's understandable I guess since the Admin SDK is a far more powerful API affecting the domain and not just the individual user.

huangapple
  • Posted by huangapple on 2017-05-19 19:53:31
  • Reproductions must retain this link: https://go.coder-hub.com/44069432.html