I wanna call Google Calendar API's freebusy.query endpoint by service account in server-side with php and google-api-php-client.
First, I opened Google Cloud Platform project page. Then I created service account, downloaded credential JSON file, enabled Calendar API, and allowed delegated authority.
Second, I opened Google Admin. Then I allowed scope:https://www.googleapis.com/auth/calendar for delegated authority.
Third, I wrote the following code. There're some laravel helper functions. I referenced https://github.com/googleapis/google-api-php-client/blob/master/examples/service-account.php to use library for service account.
<?php
use DateTime;
use Google_Client;
use Google_Service_Calendar;
use Google_Service_Calendar_FreeBusyRequest as FreeBusyRequest;
use Google_Service_Calendar_FreeBusyRequestItem as FreeBusyRequestItem;
$calendar = new Calendar();
$busyPeriods = $calendar->getBusyTimes(
[env('GSUITE_MEMBER')],
'2021-03-01 00:00:00',
'2021-04-01 00:00:00'
);
dd($busyPeriods);
class Client {
protected $client;
public function __construct() {
$this->client = new Google_Client();
$credentialsPath = env('GOOGLE_SA_CREDENTIALS');
if (file_exists($credentialsPath)) {
$this->client->setAuthConfig($credentialsPath);
} else {
error_log('Google service account credentials don\'t exist.');
return;
}
}
public function setScopes($scopes) {
$this->client->setScopes($scopes);
}
public function getClient() {
return $this->client;
}
}
class Calendar {
protected $service;
public function __construct() {
$client = new Client();
$client->setScopes([Google_Service_Calendar::CALENDAR]);
$this->service = new Google_Service_Calendar($client->getClient());
}
/**
* #param array $calendarIdList List of calendar identifier.
* #param string $start Start of time period for getting busy times.
* #param string $end End of time period for getting busy times.
* #return Google_Service_Calendar_FreeBusyCalendar[]
*/
public function getBusyTimes($calendarIdList, $start, $end) {
$fbRequestItems = collect($calendarIdList)->map(function ($calendarId) {
$i = new FreeBusyRequestItem();
$i->setId($calendarId);
return $i;
})->toArray();
$fbRequest = new FreeBusyRequest();
$fbRequest->setItems($fbRequestItems);
$fbRequest->setTimeZone(config('app.timezone'));
$fbRequest->setTimeMin(
(new DateTime($start))->format(DateTime::ISO8601)
);
$fbRequest->setTimeMax(
(new DateTime($end))->format(DateTime::ISO8601)
);
return $this->service->freebusy->query($fbRequest)->getCalendars();
}
}
However, Google_Service_Calendar_Error was returned.
Google_Service_Calendar_Error {#347 ▼
+domain: "global"
+reason: "notFound"
#internal_gapi_mappings: []
#modelData: []
#processed: []
}
We should impersonate G Suite member's account.
$this->client->setSubject(
config('google.gsuite_admin_email')
);
Reference
Domain Wide Delegation
Google OAuth using domain wide delegation and service account
Related
I recently changed my DocuSign integration to use the JWT OAuth flow. To achieve this I have a few classes.
OAuth Client
<?php
namespace App\DocuSign;
use DocuSign\eSign\Client\ApiClient;
use DocuSign\eSign\Client\Auth\OAuth;
use DocuSign\eSign\Configuration;
use Exception;
use Illuminate\Support\Facades\Log;
/**
* Helper class to generate a DocuSign Client instance using JWT OAuth2.
*
* #see
*
*/
class OAuthClient
{
/**
* Create a new DocuSign API Client instance using JWT based OAuth2.
*/
public static function createApiClient()
{
$config = (new Configuration())->setHost(config('docusign.host'));
$oAuth = (new OAuth())->setOAuthBasePath(config('docusign.oauth_base_path'));
$apiClient = new ApiClient($config, $oAuth);
try {
$response = $apiClient->requestJWTUserToken(
config('docusign.integrator_key'),
config('docusign.user_id'),
config('docusign.private_key'),
'signature impersonation',
60
);
if ($response) {
$accessToken = $response[0]['access_token'];
$config->addDefaultHeader('Authorization', 'Bearer ' . $accessToken);
$apiClient = new ApiClient($config);
return $apiClient;
}
} catch (Exception $e) {
// If consent is required we just need to give the consent URL.
if (strpos($e->getMessage(), 'consent_required') !== false) {
$authorizationUrl = config('docusign.oauth_base_path') . '/oauth/auth?' . http_build_query([
'scope' => 'signature impersonation',
'redirect_uri' => config('docusign.redirect_url'),
'client_id' => config('docusign.integrator_key'),
'response_type' => 'code'
]);
Log::critical('Consent not given for DocuSign API', [
'authorization_url' => $authorizationUrl
]);
abort(500, 'Consent has not been given to use the DocuSign API');
}
throw $e;
}
}
}
Signature Client Service
<?php
namespace App\DocuSign;
use DocuSign\eSign\Api\EnvelopesApi;
use DocuSign\eSign\Client\ApiClient;
class SignatureClientService
{
/**
* DocuSign API Client
*/
public ApiClient $apiClient;
/**
* Create a new instance of our class.
*/
public function __construct()
{
$this->apiClient = OAuthClient::createApiClient();
}
/**
* Getter for the EnvelopesApi
*/
public function getEnvelopeApi(): EnvelopesApi
{
return new EnvelopesApi($this->apiClient);
}
}
Then, in my constructors where I want to use it I'm doing
/**
* Create a new controller instance
*/
public function __construct()
{
$this->clientService = new SignatureClientService();
$this->envelopesApi = $this->clientService->getEnvelopeApi();
}
Finally, I use it like so
$envelopeSummary = $this->envelopesApi->createEnvelope(config('docusign.api_account_id'), $envelopeDefinition);
But I get an error that reads
DocuSign\eSign\Client\ApiException: Error while requesting server,
received a non successful HTTP code [400] with response Body:
O:8:"stdClass":2:{s:9:"errorCode";s:21:"USER_LACKS_MEMBERSHIP";s:7:"message";s:60:"The
UserID does not have a valid membership in this Account.";} in
/homepages/45/d641872465/htdocs/sites/ita-portal/vendor/docusign/esign-client/src/Client/ApiClient.php:344
I researched this and this would imply that the user is not within the account, but they are. I also checked that this account owns the envelopes that I'm trying to send.
For reference I took inspiration for envelope sending from here: https://developers.docusign.com/docs/esign-rest-api/how-to/request-signature-template-remote/
What I think is happening is that the request is going to the wrong server or the wrong account.
I'd suggest using a packet analyser like Fiddler or Wireshark to log where your requests are headed (or just log the request within your application)
The auth URLs seem to be correct since you're not getting a 401 unauthorised error but the envelopes and other queries' must match the base URL located in your account under the Apps and Keys page. It would be of the form demo.docusign.net for our demo environment or xxx.docusign.net for our production environment
i use the latest v2 paypal php sdk sandbox and samples with laravel framework, the create order always success but when capture the order it always fails
and return this error:
"{"name":"UNPROCESSABLE_ENTITY",
"details":[
{"issue":"COMPLIANCE_VIOLATION",
"description":"Transaction cannot be processed due to a possible compliance violation. To get more information about the transaction, call Customer Support."}],
"message":"The requested action could not be performed, semantically incorrect, or failed business validation.",
"debug_id":"d701744348160",
"links":[{"href":"https://developer.paypal.com/docs/api/orders/v2/#error-COMPLIANCE_VIOLATION","rel":"information_link","method":"GET"}]}
my web.php file :
Route::get('capture_order', 'PayController#capture_order')->name('capture_order');
Route::get('create_order', 'PayController#create_order')->name('create_order');
Route::get('cancel', 'PayController#cancel')->name('payment.cancel');
Route::get('return', 'PayController#return')->name('payment.return');
Route::get('success', 'PayController#success')->name('payment.success');
& the PayController :
<?php
namespace App\Http\Controllers;
use Illuminate\Http\Request;
use PayPalCheckoutSdk\Core\PayPalHttpClient;
use PayPalCheckoutSdk\Core\SandboxEnvironment;
use PayPalCheckoutSdk\Orders\OrdersCreateRequest;
use PayPalCheckoutSdk\Orders\OrdersCaptureRequest;
class PayController extends Controller
{
public $clientId;
public $clientSecret;
public $client;
public $cancel_url = 'http://localhost:8000/cancel';
public $return_url = 'http://localhost:8000/return';
public function __construct()
{
$mode = config('paypal.mode', 'sandbox');
if ($mode == "live") {
$this->clientId = config('paypal.live.client_id');
$this->clientSecret = config('paypal.live.client_secret');
} else {
$this->clientId = config('paypal.sandbox.client_id');
$this->clientSecret = config('paypal.sandbox.client_secret');
}
$environment = new SandboxEnvironment($this->clientId, $this->clientSecret);
$this->client = new PayPalHttpClient($environment);
}
private function buildRequestBody()
{
return [
'intent' => 'CAPTURE',
'application_context' =>[ "cancel_url" => $this->cancel_url,
"return_url" => $this->return_url],
'purchase_units' =>
[
0 => [
'amount' =>
[
'currency_code' => 'USD',
'value' => '20'
]
]
]
];
}
public function create_order()
{
$request = new OrdersCreateRequest();
$request->prefer('return=representation');
$request->body = $this->buildRequestBody();
try {
$response = $this->client->execute($request);
foreach ($response->result->links as $key => $value) {
if ($value->rel == "approve")
{
return redirect($value->href);
}
}
}catch (\Exception $ex) {
echo $ex->statusCode;
print_r($ex->getMessage());
}
}
public function capture_order(Request $request)
{
// if ($request->token) {
$request = new OrdersCaptureRequest($request->token);
$request->prefer('return=representation');
try {
$response = $this->client->execute($request);
}catch (\Exception $ex) {
echo $ex->statusCode;
dd($ex->getMessage());
}
// }
}
/**
* Responds with a welcome message with instructions
*
* #return \Illuminate\Http\Response
*/
public function cancel(Request $request)
{
dump($request->all());
dd('Your payment is canceled. You can create cancel page here.');
}
/**
* Responds with a welcome message with instructions
*
* #return \Illuminate\Http\Response
*/
public function return(Request $request)
{
if ($request->token) {
return redirect()->route('capture_order', [
'token' => $request->token,
'PayerID' => $request->PayerID
]);
}
dd($request->all());
}
}
i use paypal php sdk with a sandbox account.
can i use the old paypal version or it's completely deprecated ?
waiting your help :)
COMPLIANCE_VIOLATION
This problem is most likely related to the country of the receiving sandbox Business account. Create a new account for a different country such as US, then create a new REST app that uses that sandbox account, and test its sandbox clientid/secret in sandbox mode instead.
For later use in live mode, ensure that if the live business account is from one of the countries that require it, that the live account has a valid auto sweep withdrawal method active and enabled on the account, such as a US bank or local visa card. If you need help configuring auto sweep for live mode, contact PayPal's business support
i call the support and the response was:
Funds received into Egyptian accounts need to be automatically withdrawn to an attached funding source, such as a bank. You can set this up by going into the account settings section of the account, then the "money, banks and cards" section and at the bottom of that page you'll find "automatic withdrawal" where you can specify a financial instrument to use for automatic withdrawals -- https://www.sandbox.paypal.com/businessmanage/account/money
thanks for u all :)
So I'm working with Google API Client for PHP and I have an OAuth flow that works,
class GoogleClient {
private static $client_id = "1050479587066-f64vq210hc2m15fdj4r77g8ml7jin30d.apps.googleusercontent.com";
private static $client_Secret = "CK8orQfPNpD9UgF0bqNJinVI";
private static $redirect_uri = '/return.php';
private static $access;
private static $client = null;
private static function checkForAccess(){
if(isset(self::$access)){
return true;
}
if(isset($_SESSION['GoogleAuth'])){
self::$access = $_SESSION['GoogleAuth'];
return true;
}
return false;
}
public static function GetClient(){
if(is_null(self::$client)){
$params = [
"client_id" => self::$client_id,
"client_secret" => self::$client_Secret,
"redirect_uri" => self::$redirect_uri,
"application_name" => "Test AdWords System"
];
if(self::checkForAccess() && self::isLoggedIn()){
$param["access_token"] = self::$access['access_token'];
}
//Create and Request to access Google API
$client = new Google_Client($params);
}
return $client;
}
public static function doLogin(){
$scopes = [ 'https://www.googleapis.com/auth/adwords', 'https://www.googleapis.com/auth/dfp', "https://www.googleapis.com/auth/userinfo.email"];
return self::GetClient()->createAuthUrl($scopes);
}
public static function doLoginFinal(){
if (!$code = $_GET['code']) {
throw new Exception("Auth Code is missing.");
}
$authResponse = self::GetClient()->authenticate($code);
if (isset($authResponse['error'])) {
throw new Exception(
"Unable to get access token.",
null,
new Exception(
"{$authResponse['error']} {$authResponse['error_description']}"
)
);
}
$_SESSION['GoogleAuth'] = $authResponse;
self::$access = $authResponse;
}
public static function isLoggedIn(){
if(self::checkForAccess()){
if(isset(self::$access)){
$expiresAt = #self::$access['created']+#self::$access['expires_in'];
return (time() < $expiresAt);
}
}
return false;
}
public static function GetExpiry(){
if(self::checkForAccess()){
return self::$access['created']+self::$access['expires_in'];
}
throw new Exception("The User is not logged into a google account.");
}
}
now this class is working I'm able to log in and I have the scope for google-adwords the problem comes about due to poor documentation for the googleads-php-lib
So from the example to getCampaigns it uses $oAuth2Credential = (new OAuth2TokenBuilder())->fromFile()->build(); but i don't have a file so i went into the OAuth2TokenBuilder file I'm unable to work out how i could give the already generated access tokens to the googleads objects.
I have double checked the google-php-api-client services repo and there is no adwords Service I can use.
I have been digging through the source files of the googleads-php-lib to see if I can find a method to implement this but so far I'm just getting stuck as everything seems to require specific parameter types so I can rig something to provide the details, but the code always seems to rely on multiple classes so I can't just build one that extends a class. and i pass that through.
Keys will be destoried after this test is working!
Well after days of digging around source files and hacking this and that I finally found an implementation that works.
After creating my manager account:
https://developers.google.com/adwords/api/docs/guides/signup
So this is the two new methods added to my GoogleClient Static Class
private static $developerToken = "";
private static function GetUserRefreshCredentials(){
return new UserRefreshCredentials(
null,
[
'client_id' => self::$client_id,
'client_secret' => self::$client_secret,
'refresh_token' => self::$access['refresh_token']
]
);
}
public function GetAdwordsSession(){
$builder = new AdWordsSessionBuilder();
$builder->defaultOptionals();
$builder->withDeveloperToken(slef::$developerToken);
return $builder->withOAuth2Credential(self::GetUserRefreshCredentials())->build();
}
I am using Amazon ElasticSearch Service and when i tried to create SignatureV4 Request it is working fine for search operations (GET Requests). But when i tried to do some operations like create indices (Using PUT request), it will trough the Signature mismatch error.
I am using Amazon SDK version 2 SignatureV4 library for signing the requests. Also created a custom Elasticsearch handler to add tokens to the request.
Does anybody have such issue with SignatureV4 library in Amazon SDK php V2.
{"message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.\n\nThe Canonical String for this request should have been\n'PUT\n/test_index_2\n\nhost:search-test-gps2gj4zx654muo6a5m3vxm3cy.eu-west-1.es.amazonaws.com\nx-amz-date:XXXXXXXXXXXX\n\nhost;x-amz-date\n271d5ef919251148dc0b5b3f3968c3debc911a41b60ef4e92c55b98057d6cdd4'\n\nThe String-to-Sign should have been\n'AWS4-HMAC-SHA256\XXXXXXXXXXXX\n20170511/eu-west-1/es/aws4_request\n0bd34812e0727fba7c54068b0ae1114db235cfc2f97059b88be43e8b264e1d57'\n"}
This tweak only necessary for the users who are still using Amazon SDK PHP version 2. In version 3, it supported by default.
For signed request i updated the current elsticsearch client handler by adding a middle ware for signing the request.
$elasticConfig = Configure::read('ElasticSearch');
$middleware = new AwsSignatureMiddleware();
$defaultHandler = \Elasticsearch\ClientBuilder::defaultHandler();
$awsHandler = $middleware($defaultHandler);
$clientBuilder = \Elasticsearch\ClientBuilder::create();
$clientBuilder->setHandler($awsHandler)
->setHosts([$elasticConfig['host'].':'.$elasticConfig['port']]);
$client = $clientBuilder->build();
I used the following library for this purpose
use Aws\Common\Credentials\CredentialsInterface;
use Aws\Common\Signature\SignatureInterface;
use Guzzle\Http\Message\Request;
class AwsSignatureMiddleware
{
/**
* #var \Aws\Credentials\CredentialsInterface
*/
protected $credentials;
/**
* #var \Aws\Signature\SignatureInterface
*/
protected $signature;
/**
* #param CredentialsInterface $credentials
* #param SignatureInterface $signature
*/
public function __construct()
{
$amazonConf = Configure::read('AmazonSDK');
$this->credentials = new \Aws\Common\Credentials\Credentials($amazonConf['key'], $amazonConf['secret']);
$this->signature = new \Aws\Common\Signature\SignatureV4('es', 'eu-west-1');
}
/**
* #param $handler
* #return callable
*/
public function __invoke($handler)
{
return function ($request) use ($handler) {
$headers = $request['headers'];
if ($headers['host']) {
if (is_array($headers['host'])) {
$headers['host'] = array_map([$this, 'removePort'], $headers['host']);
} else {
$headers['host'] = $this->removePort($headers['host']);
}
}
if (!empty($request['body'])) {
$headers['x-amz-content-sha256'] = hash('sha256', $request['body']);
}
$psrRequest = new Request($request['http_method'], $request['uri'], $headers);
$this->signature->signRequest($psrRequest, $this->credentials);
$headerObj = $psrRequest->getHeaders();
$allHeaders = $headerObj->getAll();
$signedHeaders = array();
foreach ($allHeaders as $header => $allHeader) {
$signedHeaders[$header] = $allHeader->toArray();
}
$request['headers'] = array_merge($signedHeaders, $request['headers']);
return $handler($request);
};
}
protected function removePort($host)
{
return parse_url($host)['host'];
}
}
The exact line i tweaked for this purpose is
if (!empty($request['body'])) {
$headers['x-amz-content-sha256'] = hash('sha256', $request['body']);
}
For PUT and POST request the payload hash was wrong because i was not considering the request body while generating payload.
Hope this code is beneficial for anyone who is using Amazon SDK PHP version 2 and using the IAM based authentication for Elasticsearch Hosted service in Amazon cloud.
I am using Symfony2.3 and I want to access Google Calendar API, here what i did
1-I installed HIWO Bundle and FOSUser Bundle
2-Integrated both bundles and now i have user authenticated and inserted into database with access token
3-I have installed Google API library and auto-loaded it
4-created a Service wrapper class to access
Problem 1 :
Seems now i m using Oauth2 found in HIWO Bundle while logging in and I will be using Oauth2 in Google API library while making request, which dosent make any sense and not sure what should be done in this matter
Trials:
-I found out that token provided by HIW Oauth is not the same as the one in code parameter in URL while redirecting back
-Tried to set token manually and try to intiat simulate Google client request $cal = new \Google_Calendar($this->googleClient) as below but
$this->googleClient->authenticate('4/PmsUDPCbxWgL1X_akVYAhvnVWqpn.ErqFdB3R6wMTOl05ti8ZT3Zpgre8fgI');
return $cal->calendarList->listCalendarList();`
Error received:
Error fetching OAuth2 access token, message: 'redirect_uri_mismatch'
and i made sure i have redirect_uri matched
My Service code is as below :
<?php
namespace Clinic\MainBundle\Services;
use Clinic\MainBundle\Entity\Patient;
use Doctrine\Common\Persistence\ObjectManager;
/*
* #author: Ahmed Samy
*/
class GoogleInterfaceService {
/*
* Entity manager
*/
protected $em;
/*
* instance of Symfphony session
*/
protected $session;
/*
* Service container
*/
protected $container;
/*
* Google client instance
*/
protected $googleClient;
public function __construct(ObjectManager $em, $container) {
$this->em = $em;
$this->container = $container;
$this->googleClient = new \Google_Client();
$this->googleClient->setClientId('xxxxxxxx.apps.googleusercontent.com');
$this->googleClient->setClientSecret('uNnaK1o-sGH_pa6Je2jfahpz');
$this->googleClient->setRedirectUri('http://hacdc.com/app_dev.php/login/check-google');
$this->googleClient->setDeveloperKey('xxxxxxxxxxxxxxxxxxxx');
$this->googleClient->setApplicationName("Google Calendar PHP Starter Application");
}
public function getCalendar() {
$cal = new \Google_Calendar($this->googleClient);
//setting token manually
$this->googleClient->authenticate('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx');
return $cal->calendarList->listCalendarList();
}
}
and when i dump $this->googleClient i get
protected 'scopes' =>
array (size=0)
empty
protected 'useObjects' => boolean false
protected 'services' =>
array (size=0)
empty
private 'authenticated' => boolean false
The HWIOAuthBundle's token is missing the created array segment, but you could force that in there, and then just feed that token to the client like so:
$googleAccessToken = $this->get('security.context')->getToken()->getRawToken();
$googleAccessToken['created'] = time(); // This is obviously wrong... but you get the poing
$this->google_client->setAccessToken(json_encode($googleAccessToken));
$activities = $this->google_plusservice->activities->listActivities('me', 'public');
var_dump($activities);die();