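【Question title】: Google Service Account domain wide delegation set service account using JSON key file instead of p12
【Posted】: 2017-01-19 17:02:38
【Question description】:

I can use a Google service account with domain-wide delegation using a .p12 key file.

I would like to use a JSON key file instead of the p12 file, but I cannot figure out how to set the service account ID when using the JSON key.

How do I set the user to impersonate when using a JSON key file?

Works fine:
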
File p12File = new File(...);
GoogleCredential.Builder b = new GoogleCredential.Builder().setTransport(HTTP_TRANSPORT)
    .setJsonFactory(JSON_FACTORY).setServiceAccountId(properties.getServiceAccountId())
    .setServiceAccountPrivateKey(SecurityUtils.loadPrivateKeyFromKeyStore(SecurityUtils.getPkcs12KeyStore(),
        new FileInputStream(p12File), "notasecret",
        "privatekey", "notasecret"))
    .setServiceAccountScopes(GOOGLE_SCOPE_LIST);
if (properties.getServiceAccountEmail() != null) {
  b = b.setServiceAccountUser(properties.getServiceAccountEmail());
}
credential = b.build();

Does not work:

String jsonKeyContents = "{\n" +
            "  \"type\": \"service_account\",\n" +
            "  \"project_id\": \"sxxxxxxx0\",\n" +
            "  \"private_key_id\": \"csxxxxxxxxxxxxxxxx\",\n" +
            "  \"private_key\": \"-----BEGIN PRIVATE " +
            "KEY-----\\nMIIxxxxxxxxxxsTbwzsbw" +
            "==\\n-----END PRIVATE KEY-----\\n\",\n" +
            "  \"client_email\": \"xxxxx@xxxxxx-123456.iam.gserviceaccount.com\",\n" +
            "  \"client_id\": \"1111111111111111111\",\n" +
            "  \"auth_uri\": \"https://accounts.google.com/o/oauth2/auth\",\n" +
            "  \"token_uri\": \"https://accounts.google.com/o/oauth2/token\",\n" +
            "  \"auth_provider_x509_cert_url\": \"https://www.googleapis.com/oauth2/v1/certs\",\n" +
            "  \"client_x509_cert_url\": \"https://www.googleapis" +
            ".com/robot/v1/metadata/x509/xxxxx%40xxxxxx-xxxxx-123456.iam.gserviceaccount.com\"\n" +
            "}";
try (InputStream privateKeyInputStream =
         new ByteArrayInputStream(jsonKeyContents.getBytes("UTF-8"))) {
    credential = GoogleCredential.fromStream(privateKeyInputStream).createScoped(GOOGLE_SCOPE_LIST);
}

When I use the JSON key to list all enterprise users with the Directory API, I get an error message:

Caused by: com.google.api.client.googleapis.json.GoogleJsonResponseException: 404 Not Found
{
  "code" : 404,
  "errors" : [ {
    "domain" : "global",
    "message" : "Domain not found.",
    "reason" : "notFound"
  } ],
  "message" : "Domain not found."
}
at com.google.api.client.googleapis.json.GoogleJsonResponseException.from(GoogleJsonResponseException.java:146)
at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:113)
at com.google.api.client.googleapis.services.json.AbstractGoogleJsonClientRequest.newExceptionOnError(AbstractGoogleJsonClientRequest.java:40)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest$1.interceptResponse(AbstractGoogleClientRequest.java:321)
at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:1065)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:419)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.executeUnparsed(AbstractGoogleClientRequest.java:352)
at com.google.api.client.googleapis.services.AbstractGoogleClientRequest.execute(AbstractGoogleClientRequest.java:469)
...

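All of the problems seem to come down to there being no place to put the service account email.

What am I missing here? Can anyone share a working code example?

【Question discussion】:

    Tags: java json google-drive-api google-apps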


    【Solution 1】:

    In the end, I found the answer myself.

    https://github.com/google/google-api-java-client/issues/1007#issuecomment-264157989

    To fix it:

    1. Create a GoogleCredential credentialFromJson using the JSON key as specified above, i.e. credential = GoogleCredential.fromStream(privateKeyInputStream).createScoped(GOOGLE_SCOPE_LIST)

    2. Create the builder with the code we used for P12, but instead of creating the private key from the p12 file, use this line: .setServiceAccountPrivateKey(credentialFromJson.getServiceAccountPrivateKey())

    Now it works! \m/

    【Discussion】:
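
The two steps from Solution 1 combined into one method, as an added example that is not part of the original post. It parses the JSON key, then rebuilds the credential with `setServiceAccountUser` so the token request names the user to impersonate. The class and method names, the read-only Directory scope, and the environment variable names `SA_KEY_FILE` and `IMPERSONATED_ADMIN` are assumptions made for this example.

```java
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;
import java.util.List;

public class DelegatedCredentialExample {
    // Least-privilege scope for listing users; it must match a scope authorised
    // for this service account's client ID in the domain-wide delegation settings.
    private static final List<String> SCOPES = Collections.singletonList(
        "https://www.googleapis.com/auth/admin.directory.user.readonly");

    static GoogleCredential delegated(String jsonKeyPath, String userToImpersonate)
            throws IOException {
        if (userToImpersonate == null || userToImpersonate.isEmpty()) {
            throw new IllegalArgumentException("an impersonated user is required");
        }
        GoogleCredential fromJson;
        try (InputStream in = new FileInputStream(jsonKeyPath)) {
            // Step 1: parse the JSON key; this credential has no impersonated user yet.
            fromJson = GoogleCredential.fromStream(in).createScoped(SCOPES);
        }
        if (fromJson.getServiceAccountId() == null) {
            throw new IOException("key file is not a service_account key");
        }
        // Step 2: rebuild the credential from the parsed key and add the user.
        return new GoogleCredential.Builder()
            .setTransport(fromJson.getTransport())
            .setJsonFactory(fromJson.getJsonFactory())
            .setServiceAccountId(fromJson.getServiceAccountId())
            .setServiceAccountPrivateKey(fromJson.getServiceAccountPrivateKey())
            .setServiceAccountPrivateKeyId(fromJson.getServiceAccountPrivateKeyId())
            .setServiceAccountScopes(SCOPES)
            .setServiceAccountUser(userToImpersonate)
            .build();
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical environment variable names chosen for this example;
        // the key is read from a file path rather than embedded in source.
        GoogleCredential credential = delegated(
            System.getenv("SA_KEY_FILE"), System.getenv("IMPERSONATED_ADMIN"));
        // Fails here (TokenResponseException) if delegation is not authorised.
        credential.refreshToken();
        System.out.println("token expires in (s): " + credential.getExpiresInSeconds());
    }
}
```

Calling `refreshToken()` right after building the credential surfaces a delegation or scope misconfiguration at startup instead of as an API error on the first Directory request.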

      【Solution 2】:

      Your JSON file must contain all the required key-value pairs

      with the following keys

      {
      "type": "service_account",
      "project_id": "your project Id",
      "private_key_id": "private key id",
      "private_key": "Private key",
      "client_email": "Client email ending with .iam.gserviceaccount.com",
      "client_id": "client -id",
      "auth_uri": "accounts.google.com/o/oauth2/auth",
      "token_uri": "accounts.google.com/o/oauth2/token",
      "auth_provider_x509_cert_url": "www.googleapis.com/oauth2/v1/certs",
      "client_x509_cert_url": "www.googleapis.com/robot/v1/metadata/x509/?????-170710.iam.gserviceaccount.com"
      }


      Then use the code below:

      private GoogleCredential authorize1() {
          GoogleCredential credential = null;
          JsonFactory JSON_FACTORY = JacksonFactory.getDefaultInstance();
          try {
            // newTrustedTransport() can throw GeneralSecurityException, so it is
            // created inside the try block (needs java.security.GeneralSecurityException).
            HttpTransport httpTransport = GoogleNetHttpTransport.newTrustedTransport();

            InputStream jsonFileStream =
                DriveSample.class.getClassLoader().getResourceAsStream("client_secrets.json");

            // Parse the JSON key file into a scoped service account credential.
            GoogleCredential readJsonFile = GoogleCredential
                .fromStream(jsonFileStream, httpTransport, JSON_FACTORY).createScoped(DriveScopes.all());

            // Rebuild the credential from the values read out of the JSON key.
            credential = new GoogleCredential.Builder().setTransport(readJsonFile.getTransport())
                .setJsonFactory(readJsonFile.getJsonFactory())
                .setServiceAccountId(readJsonFile.getServiceAccountId())
                .setServiceAccountScopes(readJsonFile.getServiceAccountScopes())
                .setServiceAccountPrivateKey(readJsonFile.getServiceAccountPrivateKey()).build();
          } catch (IOException | GeneralSecurityException exception) {
            exception.printStackTrace();
          }
          return credential;
      }


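      【Discussion】:

      • Yes, it is almost the same. Most people get the wrong JSON file, one that does not contain all the key pairs, which happened to me the first time I used it.
      • What is the point of using credential when all the required data is already in readJsonFile?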