I've currently got around 100 sites in Analytics across a few different Google Accounts and one single account has full permissions for every site. If possible I'd like to avoid having to manually add permissions for the Google Service account to each analytics profile.
I'm using the Google Analytics PHP Interface
When attempting to impersonate a user using the $delegate_email argument, I get the following exception:
GAPI: Failed to authenticate user. Error: "{
"error": "unauthorized_client",
"error_description": "Unauthorized client or scope in request."
}
I have read elsewhere about needing to 'Delegate domain-wide authority to the service account' using the Google Apps admin console. However we don't have Google Apps at all. Is there any way around this?
tl;dr
Is there a way to get read only access to Google analytics using a service account and impersonating a user without Google Apps?
I would first encourage you to go through the various Scenarios listed on Google OAuth 2.0 documentation and decide which is best for your application.
Service account require that you add a user to each account you wish to access, but with a web server application the end user simply authorizes your application to read their Google analytics data.
The scope you are looking for is:
https://www.googleapis.com/auth/analytics.readonly
Related
I use Google OAuth to sign in my Web Application which was created as a project in Google Cloud Platform i.e. Project1.
I have a user with custom role in this project. After I logged in with my Google account, I'm able to get userinfo using Google_Client (PHP library - google/apiclient). However, I'm having a hard time figuring out how to get the custom role for the logged in user. I tried using Google_Service_iam but get Uncaught Google_Service_Exception: 404 Not Found.
Is this a correct way of building a role based control web app utilizing Google IAM?
Although it would be somehow possible by building it yourself, I would not directly use IAM as an authentication provider. Instead, use the Identity Platform or something like Auth0 or Okta. Myself, I prefer Firebase Authentication, which integrates easily with all popular languages and frameworks.
IAM is meant to authorize users within GCP, and not in a custom web-app. In your setup, you would have to add every future user to Gsuite and IAM, which is very costly and not designed for this purpose.
I would recommend taking a look at the Authentication Strategies for application developers.
Since you need to grant to Google Cloud APIs on behalf of an end user, you may use the protocol OAuth 2.0 protocol. The application initiates an OAuth consent flow where you application will receive the user's credentials. With these credentials, it can call Google Cloud APIs on behalf of the user.
Another solutino as Nebulastic also suggested, is the Cloud Identity Platform, where you can configure custom claims to restrict a user's access to a resource depending on their role.
I've followed the google analytics tutorial and created a PHP file with and added service key. But now I get this error:
User does not have any Google Analytics account
For the website where I'm given the access to view the traffic data for, I'm not given access to add new user. But my email(gmail) already added to their google analytics and I have access.
I did research online and came across this: Analytics Google API Error 403: “User does not have any Google Analytics Account”
Here They ask to add the email created upon the service key generation into the google analytics platform. Since I don't have access to add new user I couldn't do this.
What is the correct way for me to read the data?
User does not have any Google Analytics account
Means exactly that. The user you are authenticating does not have access to any google analytics accounts. You need to remember that a service account is not you. A service account is like a dummy user. It has its on google drive account, Google calendar account and probably a bunch more.
Service accounts need to be pre approved this is why you dont get the normal pop up Oauth2 consent screen.
To do this you go to the google analtyics website under the admin section for the account you wish to access using the service account. At the account level take the service account email address and grant it access like you would any other user.
It will then have access to read from your Google analytics account.
Looks like you need access the analytics API but instead, you were just given access to the Google Analytics tool.
For you to use the google analytics api, you need to create a service account and ask your admin to add the service account to GA, just like how they added your account to GA.
detailed documentation
Can not access the AdSense API no matter what I try. I have tried both service account and OAuth authentications.
What I am trying to accomplish:
Creating a bot that will grab the Adsense revenue earned and store it in an in-house database for tracking revenue over time. I do not want to have authentication issues, I want a server-to-server configuration.
What I do know is you can have access tokens and refresh tokens under OAuth. I've yet to be able to make them work under any available APIs with Adsense. Note: I have built an API to work with AdWords no problem.
Errors: (Between the types of authentication, I can not pass these)
"Account Not Found"
"Client is unauthorized to retrieve access tokens using this method."
What I have done so far:
The Adsense Management API is enabled.
Credentials Created: Service Account
Credentials Created: oAuth 2.0 Client ID
The GSuite account has access to APIs (includes "enabled api access" and "managed API client access")
Libraries (trying) to use:
https://developers.google.com/api-client-library/php/
https://github.com/google/google-api-php-client
https://github.com/google/google-api-php-client-services
(outdated) https://github.com/googleads/googleads-adsense-examples
Example code: (using the service account)
$client = new \Google_Client();
$client->setAuthConfig(WRITEPATH . 'auth/adsense-client.json');
$client->setIncludeGrantedScopes(true);
$client->addScope('https://www.googleapis.com/auth/adsense');
$client->setSubject('email#example.com');
// trying to fire the services
$service = new \Google_Service_AdSense($client);
$report = $service->accounts_reports->generate('clientId', $startDate, $endDate, $optParams);
This script fires the "Client is unauthorized to retrieve access tokens using this method." error message. However, the email address being used is able to access the adsense account, the APIs are enabled and configured on the admin domain level.
Is there an easier way? is there anyone who can lead me in the right direction?
Service account
I am not all that sure that Service accounts work with adsence. You can try by going to the adsence website and under manageUsers add the service account email address. The issue here is its going to sit there at pending i think because the service account needs to confirm that it has been added. There is no way to do that.
Admin domain level
If you are trying to add domain wide delegation to this i wouldn't bother with that either as far as i can see its not supported either.
Client is unauthorized to retrieve access tokens using this method.
As for that error i may be able to help. It means that you have taken the credentials file you downloaded for a service account and are trying to use it with the code for Oauth2. or visa versa. Download the credentials file again and try again.
I have some sample code that may help here
My boss registered an Google Analytics account and shared his website Analytics account with me.
Now I have the authority to see all data about the website. I want to use the Google Analytics API to request data from Google Analytics with my php script.
Authorization is done without any problems, until the script tries to access data. The return code is 403, and error message is :
User does not have any Google Analytics account。
This will depend on what method of authentication you are using.
Oauth2:
When your PHP script pops up and asks a user to authenticate the Google account the user users to authenticate must have access to a Google analytics account. In this case it doesn't. Note: the user is only going to be able to see there own Google Analytics data not date for your website unless your boss goes and grants them access as well.
service account:
In the event you are using a service account to authenticate. The service account by default doesn't have access to any Google Analytics accounts you need to grant it access just like your boss granted you access. Take the service account email address from Google Developer console and add it at the ACCOUNT level it must be the ACCOUNT level to the Google Analytics website. then the service account will have access to the data for that account.
Hi guys I'm working on my google apps application - currently I've build the authentication upon the example available at google namely this url
The problem is that the session seems to time out and that everytime I am logged into my google apps account and go to my application I need to authenticate again and go through the screen where google asks me if I should allow the application to access the services like GMAIL, Docs etc listed in the manifest xml file. I don't think I'm doing it right as other applications allow instant access.
Any ideas
you should store and reuse the oauth access & secret key. this should avoid the re-authentication with google (or other oauth based services) - unless your access key has been revoked of course.
Cheers!