I'm using a service account to delegate domain wide security in order to pull a user listing from our Google Apps for Education instance via the Directory API and the PHP client library.
I'm fairly certain my service account has all the correct security because it's able to pull a listing using the API reference's "try it" feature.
So, at this point, everything is pointing toward an issue with my code but I can't seem to figure out where:
<?php
require 'vendor/autoload.php';
$clientEmail = '<>#developer.gserviceaccount.com';
$privateKey = file_get_contents(__DIR__ . '/access.p12');
$scopes = array(
'https://www.googleapis.com/auth/admin.directory.user.readonly',
);
$credentials = new Google_Auth_AssertionCredentials($clientEmail, $scopes, $privateKey);
$credentials->sub = 'service.account#my.domain';
$client = new Google_Client();
$client->setAssertionCredentials($credentials);
if ($client->getAuth()->isAccessTokenExpired())
{
$client->getAuth()->refreshTokenWithAssertion();
}
$directory = new Google_Service_Directory($client);
$result = $directory->users->listUsers(array('domain' => 'my.domain'));
var_dump($result);
The code above throws the following error:
Fatal error: Uncaught exception 'Google_Auth_Exception' with message 'Error refreshing the OAuth2 token, message: ' in C:\wamp\www\quick\vendor\google\apiclient\src\Google\Auth\OAuth2.php on line 358
Google_Auth_Exception: Error refreshing the OAuth2 token, message: '{
"error" : "access_denied",
"error_description" : "Requested client not authorized."
}' in C:\wamp\www\quick\vendor\google\apiclient\src\Google\Auth\OAuth2.php on line 358
Call Stack:
0.0010 132792 1. {main}() C:\wamp\www\quick\index.php:0
0.0260 1060248 2. Google_Auth_OAuth2->refreshTokenWithAssertion() C:\wamp\www\quick\index.php:18
0.9230 1163560 3. Google_Auth_OAuth2->refreshTokenRequest() C:\wamp\www\quick\vendor\google\apiclient\src\Google\Auth\OAuth2.php:309
The call stack should identify the specific line where this error occurred. Note that the second line in the stack seems to point to line 18 of your script, where the code indeed relates to OAuth verification:
$client->getAuth()->refreshTokenWithAssertion();
In other words, when you try to refreshTokenWithAssertion, Google says "access_denied because Requested client not authorized". If you're trying to identify where in your script you hit the error, I think that should answer your question.
If you want to figure out why it got an error, I'd do some google searches for refreshTokenWithAssertion plus that error message and see if you find any other developers working through a similar problem. For example by doing that google search I found this other page on SO that may help you.
Good luck!
Related
I'm not very good with PHP, and I am trying to create a webpage where I will navigate to the page and it will show a list of events from my private google calendar. This used to work years ago, but Google has changed the API so my old solution is broken. I saw this thread:
How do I connect to the Google Calendar API without the oAuth authentication?
and I tried it, but it looks like that method also doesn't work anymore. (When I say "doesn't work" I mean that I currently have the latest google-api-php-client-2.0.3 installed at public_html/includes/google-api-php-client-2.0.3/. I found the client.php referenced in the above link, but the other files are not in the new API.
Basically, I am trying to figure out what the PHP would look like to achieve what you can do on this page when you put in your calendar ID:
https://developers.google.com/google-apps/calendar/v3/reference/events/list#request
So I think this is a two step process: Authenticate and then print the output. The trouble I'm having is in authenticating.
I have tried this:
<?php
session_start();
require_once "/includes/google-api-php-client-2.0.3/src/Google/client.php";
require_once "/includes/google-api-php-client-2.0.3/src/contrib/Google_CalendarService.php";
const CLIENT_ID = '...';
const SERVICE_ACCOUNT_NAME = 'my service account name';
// Make sure you keep your key.p12 file in a secure location, and isn't
// readable by others.
const KEY_FILE = '...';
$client = new Google_Client();
$client->setApplicationName("...");
if (isset($_SESSION['token'])) {
$client->setAccessToken($_SESSION['token']);
}
// Load the key in PKCS 12 format (you need to download this from the
// Google API Console when the service account was created.
$key = file_get_contents(KEY_FILE);
$client->setAssertionCredentials(new Google_AssertionCredentials(
SERVICE_ACCOUNT_NAME,
array('https://www.googleapis.com/auth/calendar', "https://www.googleapis.com/auth/calendar.readonly"),
$key)
);
$client->setClientId(CLIENT_ID);
$service = new Google_CalendarService($client);
//Save token in session
if ($client->getAccessToken()) {
$_SESSION['token'] = $client->getAccessToken();
}
//And now you can use the code in their PHP examples, like: $service->events->listEvents(...)
?>
But I get error:
Warning: require_once(/includes/google-api-php-client-2.0.3/src/Google_Client.php): failed to open stream: No such file
Because the API seems to have changed.
I found this link:
https://developers.google.com/identity/protocols/OAuth2ServiceAccount
I have created a service account, and downloaded a private key but I don't know what to do with it :-/
I tried this:
https://developers.google.com/api-client-library/php/auth/web-app
But when I navigate to the index.php I get this error:
Fatal error: Uncaught exception 'InvalidArgumentException' with message 'file does not exist' in /home/xxx/public_html/includes/google-api-php-client-2.0.3/src/Google/Client.php:841 Stack trace: #0 /home/xxx/public_html/testing_oauth.php(7): Google_Client->setAuthConfig('client_secrets....') #1 {main} thrown in /home/xxx/public_html/includes/google-api-php-client-2.0.3/src/Google/Client.php on line 841
I tried hard coding this into the index.php example (line 103-107):
// https://developers.google.com/console
'client_id' => 'My service accounts project name',
'client_secret' => 'url link to my client_secret.json file',
'redirect_uri' => null,
'state' => null,
But I get the same error...
I am trying to fetch mail from Google through gmail api
while authenticate the Google_Client after receiving the token i am getting this error
Fatal error: Uncaught exception 'Google_Auth_Exception' with message 'Error fetching OAuth2 access token, message: 'invalid_client'' in
my code is simple using google-api-php-client-master and my code is as follow
require_once('config.php');
require_once 'autoload.php';
$client = new Google_Client();
$client->setScopes(array(
'https://www.googleapis.com/auth/plus.login',
'profile',
'email',
'openid',
'https://www.googleapis.com/auth/gmail.readonly',
'https://mail.google.com/',
));
$client->setApplicationName($config->social['google']->app_name);
$client->setClientId($config->social['google']->client_id);
$client->setClientSecret($config->social['google']->client_secret);
$client->setRedirectUri($config->social['google']->Redirect_URI);
$client->setDeveloperKey($config->social['google']->api_key); // API key
$gclient='';
print_r($_GET);
$token=new stdclass;
if(!isset( $_SESSION['google_token']))
{
$gclient=$client->authenticate($_GET['code']);//error occurs hare
$_SESSION['gclient']=$gclient;
if($gclient)
{
$_SESSION['google_token'] = $client->getAccessToken();
}
print_r($gclient);
}
I have checked my credentials several times and they were all correct
would some one please help me on it
I had the same problem but my solution was extreamly easy and frustrating.
When you copy the "Client secret" in API Credentials on your Google Developers Console they add a space after the "Client secret". Be sure to delete it!
$client_secret = "hf83nd93hd93j39dj9 ";<--
As Mario M. explained, there's an additional space when you copy the Client Secret. You have to make sure you got it right.
I got the same error - Error fetching OAuth2 access token, message: 'invalid_client', but in my case it was due to not verified domain. Therefore if you are creating credentials for a Web application or something similar and received the same error;
Check there's no additional space at the end of Client secret
Make sure your domain is verified
In my case I had to set the Client Secret file
$client->setAuthConfigFile(WWW_ROOT . 'files\json\client_secret_google_api.json');
and that solved my problem. Hope it helps someone.
I'm trying to use the Google API PHP Client with the Google Directory API. I went into the Google Developers Console and created a project called google-sync. I then enabled the Admin SDK in the APIs list page. I then selected "Create new Client ID" from the Credentials page, and selected Service Account, and then downloaded the .bin private key that I was prompted to download. I then also clicked on "Generate new P12 key" and downloaded the .p12 file, which was placed in the same directory as the PHP file.
Here's my PHP code (which follows this part of the docs) that is trying to list all users.
<?php
session_start();
require 'vendor/autoload.php';
$SCOPE = 'https://www.googleapis.com/auth/admin.directory.user https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.orgunit';
$SERVICE_ACCOUNT_EMAIL = '<EMAIL ADDRESS>';
$SERVICE_ACCOUNT_PKCS12_FILE_PATH = '<P12 FILE NAME>.p12';
$client = new Google_Client();
$client->setApplicationName('google-sync');
$adminService = new Google_Service_Directory($client);
$key = file_get_contents($SERVICE_ACCOUNT_PKCS12_FILE_PATH);
$cred = new Google_Auth_AssertionCredentials(
$SERVICE_ACCOUNT_EMAIL,
array($SCOPE),
$key);
$client->setAssertionCredentials($cred);
$allUsers = $adminService->users->listUsers();
When I run this code, I get this error:
PHP Fatal error: Uncaught exception 'Google_Service_Exception' with message 'Error calling GET https://www.googleapis.com/admin/directory/v1/users: (400) Bad Request' in /projects/google-sync/vendor/google/apiclient/src/Google/Http/REST.php:80
Stack trace:
#0 /projects/google-sync/vendor/google/apiclient/src/Google/Http/REST.php(44): Google_Http_REST::decodeHttpResponse(Object(Google_Http_Request))
#1 /projects/google-sync/vendor/google/apiclient/src/Google/Client.php(499): Google_Http_REST::execute(Object(Google_Client), Object(Google_Http_Request))
#2 /projects/google-sync/vendor/google/apiclient/src/Google/Service/Resource.php(195): Google_Client->execute(Object(Google_Http_Request))
#3 /projects/google-sync/vendor/google/apiclient/src/Google/Service/Directory.php(2063): Google_Service_Resource->call('list', Array, 'Google_Service_...')
#4 /projects/google-sync/auth-test.php(20): Google_Service_Directory_Users_Resource->listUsers()
#5 {main}
thrown in /projects/google-sync/vendor/google/apiclient/src/Google/Http/REST.php on line 80
Fatal error: Uncaught exception 'Google_Service_Exception' with message 'Error calling GET https://www.googleapis.com/admin/directory/v1/users: (400) Bad Request' in /projects/google-sync/vendor/google/apiclient/src/Google/Http/REST.php on line 80
Google_Service_Exception: Error calling GET https://www.googleapis.com/admin/directory/v1/users: (400) Bad Request in /projects/google-sync/vendor/google/apiclient/src/Google/Http/REST.php on line 80
Call Stack:
0.0001 232296 1. {main}() auth-test.php:0
0.0172 2957992 2. Google_Service_Directory_Users_Resource->listUsers() /projects/google-sync/auth-test.php:20
0.0172 2959144 3. Google_Service_Resource->call() /projects/google-sync/vendor/google/apiclient/src/Google/Service/Directory.php:2063
0.3356 2970752 4. Google_Client->execute() /projects/google-sync/vendor/google/apiclient/src/Google/Service/Resource.php:195
0.3356 2971568 5. Google_Http_REST::execute() /projects/google-sync/vendor/google/apiclient/src/Google/Client.php:499
0.7015 2974424 6. Google_Http_REST::decodeHttpResponse() /projects/google-sync/vendor/google/apiclient/src/Google/Http/REST.php:44
When I downloaded the p12 file, I was given a password associated with the private key, but I'm unable to find any documentation on how that password should be included. Is this my problem?
I was facing the same issue. Service account should impersonate a domain admin when it makes the request. In addition, listUsers() expects the domain to be passed as an argument.
Makes sure that you've delegated domain-wide authority to the service account - https://developers.google.com/api-client-library/php/auth/service-accounts
$cred = new Google_Auth_AssertionCredentials(
$service_account_name,
array($SCOPE),
$key
);
$cred->sub = "admin#domain.com";
//Get All users.
$list = $service->users->listUsers(Array('domain' => 'domain.com'));
//Get one user
$userId = $service->users->get('someuser#domain.com');
I was able to fix this by going into my domain's Admin Console, went to the Manage API client access page under Security, and added the Client Id from the Developer Console and added the scopes I needed for the Directory API.
See this part of the docs for more info.
I'm trying to add calendar events to my Google calendar from a php script. Note that I can do this successfully directly from a Google test page so I think that my calendar is set up correctly. However, when I attempt do this from a php script, I'm not able to get the OAuth2 token.
The following script, mostly taken from a Google example, runs without error, but it always winds up with a "Connect Me!" link. When I click on this link, it takes me to a validation screen that warns me that this app would like to manage my calendars. I click 'Accept' and a then see my calendar. A little inconvenient, but if this gets the OAuth token, fine.
I then go back and run the script again, hoping that the access token will now be available, but I get exactly the same result. No matter how many times I run this script, I never get the token, which I need in order to expand the script to add events to the calendar.
I've been at this for days, and I'm just not getting anywhere. Can anyone help? Thanks.
<?php
require_once '../../src/Google_Client.php';
require_once '../../src/contrib/Google_CalendarService.php';
require_once '../../src/auth/Google_OAuth2.php';
session_start();
$client = new Google_Client();
$client->setApplicationName("Add Google Calendar Entries");
// Visit https://code.google.com/apis/console?api=calendar to generate your
// client id, client secret, and to register your redirect uri.
$client->setClientId('843319906820-1s1d737e77o71a3vaskf434k3ape1fk5.apps.googleusercontent.com');
$client->setClientSecret('AP5imn3e0TEWNyLTCNm8YJj6');
$client->setRedirectUri('https://www.google.com/calendar/');
$client->setDeveloperKey('AIzaSyDIw3ks7AmrIrRxjO9y2gWBhQDYHFWd-uc');
$client->setUseObjects(true);
$cal = new Google_CalendarService($client);
if (isset($_GET['logout'])) {
unset($_SESSION['token']);
}
if (isset($_GET['code'])) {
$client->authenticate($_GET['code']);
$_SESSION['token'] = $client->getAccessToken();
header('Location: http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']);
}
if (isset($_SESSION['token'])) {
$client->setAccessToken($_SESSION['token']);
}
if ($client->getAccessToken()) {
$calList = $cal->calendarList->listCalendarList();
print "<h1>Calendar List</h1><pre>" . print_r($calList, true) . "</pre>";
$_SESSION['token'] = $client->getAccessToken();
} else {
$authUrl = $client->createAuthUrl();
print "<a class='login' href='$authUrl'>Connect Me!</a>";
}
?>
EDIT: Attempting to implement the suggestion from Vinicius Pinto. I've changed my redirect to point directly back to this script. Now I get this error:
Fatal error: Uncaught exception 'Google_ServiceException' with message
'Error calling GET
https://www.googleapis.com/calendar/v3/users/me/calendarList?key=AIzaSyDIw3ks7AmrIrRxjO9y2gWBhQDYHFWd-uc:
(403) Access Not Configured. Please use Google Developers Console to
activate the API for your project.' in
D:\Hosting\11347607\html\scripts\google-api-php-client\src\io\Google_REST.php:66
Stack trace: #0
D:\Hosting\11347607\html\scripts\google-api-php-client\src\io\Google_REST.php(36):
Google_REST::decodeHttpResponse(Object(Google_HttpRequest)) #1
D:\Hosting\11347607\html\scripts\google-api-php-client\src\service\Google_ServiceResource.php(186):
Google_REST::execute(Object(Google_HttpRequest)) #2
D:\Hosting\11347607\html\scripts\google-api-php-client\src\contrib\Google_CalendarService.php(205):
Google_ServiceResource->__call('list', Array) #3
D:\Hosting\11347607\html\scripts\google-api-php-client\examples\calendar\simple.php(43):
Google_CalendarListServiceResource->listCalen in
D:\Hosting\11347607\html\scripts\google-api-php-client\src\io\Google_REST.php
on line 66
It would appear that I don't have the correct APIs activated in the developer console. I have the Calendar API and the Google Cloud Storage JSON API activated and nothing else. I don't see any other APIs that would be relevant, and I don't think that this message is telling me which APIs it wants.
EDIT 2: Looks like I was using the wrong developer key. I've changed it to the key for server applications. Now my error is this:
Fatal error: Uncaught exception 'Google_AuthException' with message
'Error refreshing the OAuth2 token, message: '{ "error" :
"invalid_client" }'' in
D:\Hosting\11347607\html\scripts\google-api-php-client\src\auth\Google_OAuth2.php:288
Stack trace: #0
D:\Hosting\11347607\html\scripts\google-api-php-client\src\auth\Google_OAuth2.php(248):
Google_OAuth2->refreshTokenRequest(Array) #1
D:\Hosting\11347607\html\scripts\google-api-php-client\src\auth\Google_OAuth2.php(225):
Google_OAuth2->refreshToken('1/6ZdJyZALqcbwW...') #2
D:\Hosting\11347607\html\scripts\google-api-php-client\src\service\Google_ServiceResource.php(167):
Google_OAuth2->sign(Object(Google_HttpRequest)) #3
D:\Hosting\11347607\html\scripts\google-api-php-client\src\contrib\Google_CalendarService.php(205):
Google_ServiceResource->__call('list', Array) #4
D:\Hosting\11347607\html\scripts\google-api-php-client\examples\calendar\simple.php(47):
Google_CalendarListServiceResource->listCalendarList() in
D:\Hosting\11347607\html\scripts\google-api-php-client\src\auth\Google_OAuth2.php
on line 288
The $client->setRedirectUri() should receive a URL pointing to your application, because this is the URL that you'll be redirected to after you authorize the application in the Google page. That's why you are being redirect to the calendar, because you are using the calendar URL.
It seems like your script is already expecting a $_GET['code'], so try setting the redirect URL to the url of this script. You'll also need to set the same URL in the Developers Console, under API -> Credentials.
You only get a token when you call $client->authenticate($_GET['code']); with a value code.
Take a look at this lib I just commited to Github, it's an early version, but it's working fine (I'm using to access YouTube). It's using the new official library.
Update: as said in the comments, the developer key isn't actually required for this to work, even though all Google sample code sets it.
I'm wracking my brain trying to figure out how to use the Google API PHP Client to access Google Analytics. Specifically, I want to upload cost data from other campaigns. My code does work to get information from GA, I can view traffic data for profiles, but I cannot figure out how to upload.
Here's the code that I'm using for auth:
require_once 'google-api-php-client/src/Google_Client.php';
require_once 'google-api-php-client/src/contrib/Google_AnalyticsService.php';
session_start();
$client = new Google_Client();
$client->setApplicationName("GA-Tester");
$client->setClientId('xxx.apps.googleusercontent.com');
$client->setClientSecret('xxx');
$client->setRedirectUri('http://www.site.com/indext.php');
$client->setDeveloperKey('xxx');
$analyticsService = new Google_AnalyticsService($client);
$dailyUploads = $analyticsService->management_dailyUploads;
if (isset($_GET['logout'])) {
unset($_SESSION['token']);
}
if (isset($_GET['code'])) {
$client->authenticate();
$_SESSION['token'] = $client->getAccessToken();
$redirect = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
header('Location: ' . filter_var($redirect, FILTER_SANITIZE_URL));
}
if (isset($_SESSION['token'])) {
$client->setAccessToken($_SESSION['token']);
}
if (!$client->getAccessToken()) {
header ('Location:http://www.site.com/indext.php');
} else {...
This code does work for requesting data. I can get a list of accounts, profiles, download traffic data for a specific profile, etc. No errors or issues.
When I try to upload my CSV file containing cost data I get a '401 Invalid Credentials' error. Here's the code that sends the file:
$send = $dailyUploads->upload(
$accountId,
$webPropertyId,
$customDataSourceId,
$start_date,
1,
'cost',
array(
"reset" => true,
"data" => $cont,
"mimeType" => "application/octet-stream",
"uploadType" => "media"));
I've double checked all of my variables that I'm passing, they're sending the correct information.
So here's my question. If all of my GET requests work without issue, why would my POST request throw an error? I can't tell if this is an error with my code, or with settings in the API console. Can anyone steer me in the right direction?
EDIT:
Here's the error code generated (minus identifiable bits).
Fatal error: Uncaught exception 'Google_ServiceException' with message
'Error calling POST https://www.googleapis.com/upload/analytics/v3/man
agement/accounts/1234567/webproperties/UA-1234567-1/customDataSources/
xXxXxX/dailyUploads/2013-01-17/uploads?appendNumber=1&type=cost&reset=
true&uploadType=media&key=xXxXxX: (401) Invalid Credentials' in /../pub
lic_html/proj/google-api-php-client/src/io/Google_REST.php:66 Stack tra
ce: #0 /../public_html/proj/google-api-php-client/src/io/Google_REST.ph
p(36): Google_REST::decodeHttpResponse(Object(Google_HttpRequest)) #1 /
../public_html/proj/google-api-php-client/src/service/Google_ServiceRes
ource.php(186): Google_REST::execute(Object(Google_HttpRequest)) #2 /..
/public_html/proj/google-api-php-client/src/contrib/Google_AnalyticsSer
vice.php(82): Google_ServiceResource->__call('upload', Array) #3 /../pu
blic_html/proj/dailyUpload_send.php(60): Google_ManagementDailyUploadsS
erviceResource->upload('1234567', 'UA-1234567-1', 'xXxXxXxXxXxXxXx...',
' in /../public_html/proj/google-api-php-client/src/io/Google_REST.php
on line 66
I just successfully uploaded cost data for the first time. In trading comments with Nicholas Pickering I came across the documentation for Management API Authorization which states that:
You will get a 401 status code if your access_token has expired or if you are using the wrong scope for the API.
The default for scope is read only, which is why all of my GET requests were working without difficulty, but I couldn't complete any POST requests through the API. I can't remember how I found it, but the way to accomplish this within the PHP client library is to append the following line to the client declaration:
$client->setScopes('https://www.googleapis.com/auth/analytics');
As soon as I added that line to my project, I was able to successfully upload cost data. I'm really glad to have cleared this hurdle. I still have a long way to go to complete my project, but at least I know that it's going to work.
I kept geting this error until I went to Google Console -> APIs & auth ->
APIs and turned on this API usage.