如何在 Google 日历中使用 OAuth 以仅访问一个日历?
我正在为客户构建一个 Web 应用程序,但我不确定我是否在做正确的事情...
I'm building a web application for a customer and I'm not really sure I'm doing the right thing...
基本上,我创建了一个 PHP 应用程序,它可以读取、编辑、删除 Google 上的日历,并在我自己的 Web 应用程序数据库中保留一个副本(出于各种原因).现在,我阅读了 OAuth 2.0 并意识到使用它比直接在我的网络应用程序中的 PHP 文件(在其他也就是说,如果黑客进入服务器,他就可以窃取她的密码……)
Basically, I created a PHP application that read, edit, delete calendars on Google and keeps a copy on my own web application DB (for various reasons). Now, I read about the OAuth 2.0 and realise it could be safer to use this than have my client general Google password (that access ALL google services (calendar, email, etc)) directly in my web app in a PHP file (in other words, if a hacker enter the server than he can steal her password...).
所以我创建了 OAuth 2.0 帐户,从这个页面添加类/文件夹 http://code.google.com/apis/calendar/v3/using.html#setup
并添加了测试页面上的适当脚本以授权访问您的信息"(请参阅同一页面中的实例化客户端")
...
So I created the OAuth 2.0 account, add the classes/folders from this page http://code.google.com/apis/calendar/v3/using.html#setup
and added the proper scripts on a test page to "authorize access to your information" (see "Instantiating the client " in the same page)
...
这是我的问题:如果我使用我的登录信息(不是我的客户)登录我的 gmail 并转到我的测试页面,它会要求我授权访问我的 Google 日历.但我想要我客户的日历,而不是我的!所以,让我们假设我退出,使用我的客户信息登录并转到测试页面:这很完美,我授权了帐户,然后我被重定向到我的应用程序,我可以在其中看到她的日历.
Here is my questions: If I am logged in my gmail with MY login info (not my Client) and I go to my test page, it will ask ME to authorize access to my Google Calendar. But I want my client's calendar, NOT MINE! So, let's pretend I logout, log in with my customer info and go to the test page : it's perfect, I authorize the account, then I'm redirected to my app where i can see HER calendar.
但这不切实际或不合逻辑...因为,例如,我希望她的 GENERAL PUBLIC 网站上的人进入一个页面,并填写表格以自动安排她的约会.该脚本必须检查她的谷歌日历....并要求他们的 gmail 帐户许可?不,我想要她的日历.
But this is not practical OR logical... Since, for example, I want people on her GENERAL PUBLIC website to go on a page, and fill a form in order to automate her appointments. The script must check her google calendar.... and ask permission for THEIR gmail accounts? No, I want HER calendar.
这是我的问题/问题.我究竟做错了什么?这是正确的方法还是我错过了一步?这个 API 是用来做这个的吗?
So this is my problem / question. What am I doing wrong? Is this the right way to do so or did I miss a step? Was this API meant to do this?
如何使用 API 以上述方式工作?
How can I use the API to work in the way described above?
感谢大家点燃我的蜡烛
乔尔
推荐答案
如果我没理解错,那么您就已经获得了正确的身份验证.问题是你不想显示登录用户的日历;您想显示客户的日历.
If I'm understanding you correctly, you've got the authentication right. The problem is that you don't want to display the calendar of the logged-in user; you want to display your client's calendar.
用户可以在以下两种情况之一写入日历:
A user can write to a calendar in one of two circumstances:
- 用户拥有日历,或
- 所有者通过指定用户的电子邮件地址明确授予用户写入权限.
显然第二种情况不能扩展.无论哪种情况,您都需要将客户的凭据嵌入到应用程序中,然后使用它们代表经过身份验证的用户创建约会,或者与用户共享日历.当然,您需要对客户的凭据进行加密——不要简单地在您的应用中对其进行硬编码!
Clearly the second situation doesn't scale. And in either case, you'd need to embed your client's credentials in your application, then use them either to create appointments on behalf of an authenticated user, or to share the calendar with the user. Of course, you'll want to encrypt your client's credentials--don't simply hard-code them in your app!
与使用您客户的真实"帐户相比,专门为此日历创建一个新帐户(使用唯一的电子邮件地址和密码)似乎更安全.然后,您的客户可以像她的客户一样通过您的应用程序访问它,或者您可以与她共享日历并授予她写入权限.
Rather than using your client's "real" account, it would seem more secure to create a new account (with a unique email address and password) specifically for this calendar. Your client could then access it through your application as her customers would, or you could share the calendar with her and give her write access.
另一种可能性可能是将日历设置为对用户只读,而不是允许他们直接在您客户的日历上创建约会,您的应用可以让他们请求em>约会:它会在用户的日历上创建事件并将邀请发送到您客户的日历.那么您的应用程序将不需要任何嵌入式凭据.它还可以让您的客户有机会确认或拒绝每个约会,自动将她的回复发送给她的用户.另一个好处是每个用户的约会都会出现在他/她自己的个人 Google 日历上.
Another possibility might be to make the calendar read-only to the users, and rather than allowing them to create appointments directly on your client's calendar, your app could let them request appointments: it would create the events on the users' calendars and send invitations to your client's calendar. Then your app won't need any embedded credentials. It would also give your client the opportunity to confirm or decline each appointment, automatically sending her response to her users. Another benefit is that each user's appointments would appear on his/her own personal Google calendar.
我很想知道您(或其他任何人)是否找到了更好的解决方案.
I'd be interested to know if you (or anyone else) finds a better solution.
相关文章