在python中使用OAuth2和gdata上的服務帳戶

Question

我想使用data.photos.service.PhotosService來推送和從Picasa中提取照片。我從Google控制檯獲得了一個服務密鑰文件XXXXXXXX-privatekey.p12，現在正在嘗試使用所述密鑰與Google進行身份驗證。

的OAuth2用戶使用AppEngine上的文檔已經使我相信，使用下面的是使用：

f = file(settings.SITE_ROOT + '/aurora/' + settings.PRIVATE_KEY, 'rb') 
key = f.read() 
f.close() 

credentials = SignedJwtAssertionCredentials(settings.SERVICE_ACCOUNT_NAME, key, scope = 'http://picasaweb.google.com/data https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile') 
http = httplib2.Http() 
http = credentials.authorize(http) 
service = build("oauth2", "v2", http=http) 
user_info = None 
try: 
    user_info = service.userinfo().get().execute() 
    # neither of these two methods work 
    #gd_client.SetOAuthInputParameters(signature_method = gdata.auth.OAuthSignatureMethod.RSA_SHA1, consumer_key = "asdfasdfasdf.apps.googleusercontent.com", rsa_key = key, two_legged_oauth = True, requestor_id = user_info.get('email')) 
    #gd_client.auth_token = gdata.gauth.TwoLeggedOAuthRsaToken(consumer_key = user_info.get('email'), rsa_private_key = key, requestor_id = user_info.get('email')) 
except errors.HttpError, e: 
    logging.error('An error occurred: %s', e) 

user_inf0 = {u'verified_email': True, u'id': u'1234', u'name': u'asdfasdfasdf@developer.gserviceaccount.com', u'email': u'asdfasdfasdf@developer.gserviceaccount.com'} 

的問題是，使用SetOAuthInputParameters方法1返回一個無效的令牌或方法2個回報403 restricted。

我在我束手無策通過代碼山區，所有做定期的3條腿OAuth的時候我實實在在地不想這樣做的閱讀。任何想法/文章我還沒有看到？

Answer 1

使用gdata.gauth.OAuth2TokenFromCredentials。

auth2token = gdata.gauth.OAuth2TokenFromCredentials(credentials) 
gd_client = auth2token.authorize(gd_client) 

OAuth2TokenFromCredentials旨在幫助您同時使用apiclient和gdata。在封面之下，它使用憑證來確保它具有執行gdata調用所需的auth信息。

請注意，如果您仍然得到403，則可能完全是其他情況。我正在使用服務帳戶訪問用戶的數據，因爲我沒有在SignedJwtAssertionCredentials調用中正確指定用戶，所以獲得了403。

更新：這是我使用的基本模式：

from oauth2client.client import SignedJwtAssertionCredentials 
credentials = SignedJwtAssertionCredentials(
    "XXXXXXXXXXX@developer.gserviceaccount.com", 
    open("keyfile").read(), 
    scope=(
        "https://www.googleapis.com/auth/drive", 
        "https://spreadsheets.google.com/feeds", 
        "https://docs.google.com/feeds" 
    ), # For example. 
    sub="user@gmail.com" 
) 
http = httplib2.Http() 
http = credentials.authorize(http) # Not needed? See comment below. 
auth2token = gdata.gauth.OAuth2TokenFromCredentials(credentials) 
gd_client = gdata.photos.service.PhotosService() # For example. 
gd_client = auth2token.authorize(gd_client) 

Answer 2

如果你在你的谷歌賬戶使用MFA，您需要使用同意畫面身份驗證方法。使用Picassa API時，它不能正常工作，因爲請求API稍有不同。

import gdata.gauth 
import os 
import pickle 
import gdata.photos.service 

clientid='xxx' # https://console.developers.google.com/apis/credentials 
clientsecret='xxx' 
Scope='https://picasaweb.google.com/data/' 
User_agent='myself' 

def GetAuthToken(): 
    if os.path.exists(".token"): 
     with open(".token") as f: 
      token = pickle.load(f) 
    else: 
     token = gdata.gauth.OAuth2Token(client_id=clientid,client_secret=clientsecret,scope=Scope,user_agent=User_agent) 
     print token.generate_authorize_url(redirect_uri='urn:ietf:wg:oauth:2.0:oob') 
     code = raw_input('What is the verification code? ').strip() 
     token.get_access_token(code) 
     with open(".token", 'w') as f: 
      pickle.dump(token, f) 
    return token 


token = GetAuthToken() 

gd_client = gdata.photos.service.PhotosService() 
old_request = gd_client.request 


def request(operation, url, data=None, headers=None): 
    headers = headers or {} 
    headers['Authorization'] = 'Bearer ' + token.access_token 
    return old_request(operation, url, data=data, headers=headers) 


gd_client.request = request 
photos = gd_client.GetUserFeed(kind='photo', limit='10') 
for photo in photos.entry: 
    print 'Recently added photo title:', photo.title.text