Userless automated server-to-server OAuth2 2-legged authentication to Gmail

Question

I've found plenty of information on implementing OAuth2 using a user authorization step, but I'm trying to run a container that automatically scrapes a Gmail inbox for attachments, transforms them, and exports to Prometheus, and I'm having trouble figuring out how to implement this library: https://pkg.go.dev/golang.org/x/oauth2/clientcredentials#Config (or any other, for that matter) to retrieve a token without involving a manual user step.

Will doing this in Go require writing direct API calls, since I can't find an existing library to handle this scenario? Would it make more sense to create a Google App password and use generic user/pass SMTP authentication?

Answer 1

Score: 3

First off, I understand what you are trying to do.

You have a backend system running in a container which will access a single Gmail account and process the emails.

Now you need to understand the limitations of the API you are working with.

There are two types of authorization used to access private user data:

  1. Service account - server-to-server interaction, only works with Workspace domains. No authorization popup required.
  2. OAuth2 - authorize normal user Gmail accounts, requires user interaction to authorize the consent screen.

If you do not have a Workspace account and this is a normal Gmail user, then you have no choice: you must use OAuth2, which will require that a user authorize the application at least once.

Using OAuth2 you can request offline access and receive a refresh token which you can use to request new access tokens whenever you wish. The catch is that your application will need to be in production and verified, because your refresh token will only work for seven days and then it will expire. To fix this and get a refresh token that does not expire means that your application must be in production and verified. This means you need to go through Google's verification process with a restricted Gmail scope, which requires a third-party security check and costs between 15k - 75k depending upon your application.

I understand that this is a single user system, but that does not mean that you still need to go through verification. When Google added the need for application verification they did not take into account single user systems like yours.

Option

Have you considered going directly through the SMTP server instead of using the Gmail API? If you use an app password you should bypass everything by logging in using the login and the app password.

Posted by huangapple on 2021-08-17 12:06:13
Please keep this link when reprinting: https://go.coder-hub.com/68811564.html
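The refresh-token path described in the answer above, as an added example that is not from the question or the answer: a stored refresh token (obtained once through the consent screen with offline access) is exchanged for a new access token using only Go's standard library, and the `invalid_grant` rejection Google returns once that refresh token has expired is surfaced as a distinct error so the operator knows the app must be authorized again. The token endpoint URL is Google's real one; the client ID, secret and token values a caller passes are assumed placeholders.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Google's OAuth2 token endpoint; tests can point RefreshAccessToken at a local stub instead.
const GoogleTokenURL = "https://oauth2.googleapis.com/token"

// ErrReauthorize is returned when the token endpoint answers "invalid_grant", which is
// what an unverified app sees once its seven-day refresh token has expired or been revoked.
var ErrReauthorize = errors.New("refresh token rejected: the user must authorize the app again")

type tokenResponse struct {
	AccessToken string `json:"access_token"`
	ExpiresIn   int    `json:"expires_in"`
	Error       string `json:"error"`
}

// RefreshAccessToken performs the refresh_token grant with no user interaction and
// returns the new access token and its lifetime in seconds.
func RefreshAccessToken(tokenURL, clientID, clientSecret, refreshToken string) (string, int, error) {
	form := url.Values{
		"grant_type":    {"refresh_token"},
		"client_id":     {clientID},
		"client_secret": {clientSecret},
		"refresh_token": {refreshToken},
	}
	resp, err := http.Post(tokenURL, "application/x-www-form-urlencoded", strings.NewReader(form.Encode()))
	if err != nil {
		return "", 0, err
	}
	defer resp.Body.Close()
	var tr tokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil {
		return "", 0, fmt.Errorf("decoding token response: %w", err)
	}
	if tr.Error == "invalid_grant" {
		return "", 0, ErrReauthorize // do not retry blindly; a human must re-consent
	}
	if resp.StatusCode != http.StatusOK || tr.AccessToken == "" {
		return "", 0, fmt.Errorf("token endpoint returned %d: %s", resp.StatusCode, tr.Error)
	}
	return tr.AccessToken, tr.ExpiresIn, nil
}
```

Call it with `GoogleTokenURL` in the container and check for `ErrReauthorize` with `errors.Is` so that an expired refresh token becomes an alert rather than a silent retry loop.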