When I try to make a call to the Google Directory API using Server to Server authentication, I get the error message "Not Authorized to access this resource/api".
What I did:
Created an App in the Google Developers Console.
Downloaded the private key and looked up the service account name.
Activated the Admin SDK under APIs.
Downloaded the google-api-php-client.
Wrote the following code:
$serviceAccountName = 'XXXXXXXXXXX#developer.gserviceaccount.com';
$scopes = 'https://www.googleapis.com/auth/admin.directory.group';
$privateKeyFile = dirname(__FILE__).'/../certs/googleapi-privatekey.p12';
$client = new Google_Client();
$client->setApplicationName('API Project');
$client->setScopes($scopes);
$cred = new Google_Auth_AssertionCredentials($serviceAccountName, $scopes, file_get_contents($privateKeyFile));
$client->setAssertionCredentials($cred);
$client->getAuth()->refreshTokenWithAssertion();
$req = new Google_Http_Request("https://www.googleapis.com/admin/directory/v1/groups/group-id#example.com/members?maxResults=1000");
$val = $client->getAuth()->authenticatedRequest($req);
var_dump($client->getAuth()->getAccessToken());
var_dump($val->getResponseBody());
Executing that small script yields a valid access token, valid for an hour and the following error message:
{ "error": { "errors": [ { "domain": "global", "reason": "forbidden", "message": "Not Authorized to access this resource/api" } ], "code": 403, "message": "Not Authorized to access this resource/api" } }
I get the same error when I try to do the same request on the Google OAuth playground with the access key from my PHP script. Do I have to activate access to the group data for that service account somewhere in the Developers Console?
Beyond granting the service account client id access to the given scopes in your Google Apps Control Panel, you need to tell the service account to impersonate a super administrator user within your Google Apps domain:
$auth->sub = $adminEmail;
For some reason, the Admin SDK docs don't contain a PHP sample but there's sample code for instantiating a service account in the Google Drive docs.
I found by trial and error that removing "admin." from the scopes makes it work (in addition to everything said above about following these steps: https://developers.google.com/drive/web/delegation#delegate_domain-wide_authority_to_your_service_account ).
$cs = json_decode(file_get_contents(<MY SECRET PATH> . 'client_secrets.json'), true);
$cs = $cs['web'];
$cred = new Google_Auth_AssertionCredentials(
$cs['client_email'], //why do they call this "service account name" ? Misleading >:(
array(
'https://www.googleapis.com/auth/directory.user',
'https://www.googleapis.com/auth/directory.group',
'https://www.googleapis.com/auth/directory.group.member'
),
$key,
'notasecret',
'http://oauth.net/grant_type/jwt/1.0/bearer',
'<MY EMAIL IN THE DOMAIN>' //_my_ email as an user with admin rights
);
Related
For my online platform, I'm setting up a basic google sign-in button whereby users can create an account or log-in using their gmail email address.
I created my credentials: OAuth 2.0 Client IDs (got both ID and secret) and Service Accounts (now removed - not needed when asking access approval from user).
For the oauth consent screen, I've added my non-sensitive scopes:
./auth/userinfo.email
./auth/userinfo.profile
openid
I'm using my own gmail address for testing and API url used is https://www.googleapis.com/oauth2/v2/userinfo? with query on the email field.
EDIT: I've removed the service account so ignore this:
I have setup my jwt sign too with the service account email (XXX-googleconnect#genial-analyzer-341XXX...) and the (pretty damn long) generated key.
Could you please tell me how to debug the error "message":"Undefined index: jwt" when I run the google API?
EDIT: I've amended my code to reflect the removal of the service account. So no more jwt token: "jwt_bearer": "false",
<?php
$exports = <<<'JSON'
{
"name": "oauth",
"module": "oauth",
"action": "provider",
"options": {
"jwt_bearer": "false",
"service": "google",
"client_id": "307540412021-test06test06test06test06test06.apps.googleusercontent.com",
"client_secret": "XXXXX-X0RMDgT1nEgxAKrOmpcjK4sXY7Qq",
"tokenHandling": "self"
},
"meta": [
{
"name": "access_token",
"type": "text"
}
],
"outputType": "object"
}
JSON;
?>
But now I get "message":"Undefined index: false",
Disclaimer: I'm a no-coder, with basic php knowledge, pls if you could possibly use as easy to understand a language, that would be highly appreciated (and helpful for other no-coders too I bet)
Thanks in advance.
What you need to understand is that there is a big diffrence between Service account authoirzation, Oauth2, and signin.
If you run oauth2 authorization and request access of the using the email and profile scopes your going to have access to the users profile information.
if you try to run service account authentication and request the email and profile scopes your either going to get an error or your going to get the service accounts profile information. As a service account is a dummy user.
"message":"Undefined index: jwt"
Implies to me that you are using the wrong code for the wrong client.
service account client credentils
function getServiceAccountClient() {
try {
// Create and configure a new client object.
$client = new Google_Client();
$client->useApplicationDefaultCredentials();
$client->addScope([YOUR SCOPES HERE]);
return $client;
} catch (Exception $e) {
print "An error occurred: " . $e->getMessage();
}
}
Oauth2 client
function getGoogleClient() {
$client = getOauth2Client();
// Refresh the token if it's expired.
if ($client->isAccessTokenExpired()) {
$client->fetchAccessTokenWithRefreshToken($client->getRefreshToken());
file_put_contents($credentialsPath, json_encode($client->getAccessToken()));
}
return $client;
}
/**
* Builds the Google client object.
* Documentation: https://developers.google.com/identity/protocols/OAuth2
* Scopes will need to be changed depending upon the API's being accessed.
* Example: array(Google_Service_Analytics::ANALYTICS_READONLY, Google_Service_Analytics::ANALYTICS)
* List of Google Scopes: https://developers.google.com/identity/protocols/googlescopes
* #return A google client object.
*/
function buildClient(){
$client = new Google_Client();
$client->setAccessType("offline"); // offline access. Will result in a refresh token
$client->setIncludeGrantedScopes(true); // incremental auth
$client->setAuthConfig(__DIR__ . '/client_secrets.json');
$client->addScope([YOUR SCOPES HERE]);
$client->setRedirectUri(getRedirectUri());
return $client;
}
As you can see the code is completely different for each type of authorization.
My main issue is why are you even trying to mix service account authorization into this if you are signing users into your app?
Should you be using a Google service account?
It's been such a major headache getting my service account to authenticate on the same webapp where I have users logging in via oauth2 as well.
So I'm wondering, is this even possible?
If not, should one just stick with the service account? Does one have to then authenticate the users on one's own - old school style? Haha
Thanks.
Regarding the service account, I have enabled the domain wide delegation, enabled the client key + api scope in my G suite admin console, and have gotten the php sample with the books api working. However any time I try any other api, other than books, I get the error,
client is unauthorized to retrieve access tokens using this method
UPDATE: I've tried to use #dalmto's example, and have added a few lines to test the gmail api, for example:
putenv('GOOGLE_APPLICATION_CREDENTIALS=credentials.json');
$user = 'email#domain.de';
function getGoogleClient() {
return getServiceAccountClient();
}
function getServiceAccountClient() {
try {
// Create and configure a new client object.
$client2 = new Google_Client();
$client2->useApplicationDefaultCredentials();
$client2->setScopes(array('https://www.googleapis.com/auth/userinfo.email','https://www.googleapis.com/auth/admin.directory.user.readonly','https://www.googleapis.com/auth/userinfo.profile','https://www.googleapis.com/auth/gmail.readonly','https://www.googleapis.com/auth/calendar'));
$client2->setAccessType('offline');
$client2->setSubject($user);
return $client2;
} catch (Exception $e) {
print "An error occurred: " . $e->getMessage();
}
}
$newGoogleClient = getGoogleClient();
$service3 = new Google_Service_Gmail($newGoogleClient);
$results3 = $service3->users_labels->listUsersLabels($user);
But am now just receiving "400: Bad Request" errors
EDIT: After some more digging there is a note: 'failedPrecondition' - any idea which precondition that could be? I've allowed the following scopes for the client in my admin console:
hxxps://www.googleapis.com/auth/gmail.metadata,
hxxps://www.googleapis.com/auth/userinfo.email,
hxxps://www.googleapis.com/auth/userinfo.profile,
hxxps://www.googleapis.com/auth/gmail.modify,
hxxps://www.googleapis.com/auth/gmail.readonly,
hxxps://www.googleapis.com/auth/gmail.labels,
hxxps://mail.google.com/
And enabled the apis and enabled the scope in the 'OAuth Consent Screen'
DWD is also enabled: Service Account Overview Screenshot
EDIT2: Okay so I found the missing precondition was the "setSubject".
Once I added that it went a step further, but still failed again at '"error": "unauthorized_client",\n "error_description": "Client is unauthorized to retrieve access tokens using this method.'
FYI: When creating the service account, I gave it the "project -> owner" role. Is that sufficient? Does one have to add more?
EDIT3: I've also just checked logger and it says that DWD is enabled.. Im at my whits end here haha
client: {
adminState: {
updateTime: "2018-11-23T00:29:44.810Z"
}
assertionMatchExistingGrant: "MATCH_GRANT_DISABLED"
authType: "PUBLIC_KEY"
brandId: "aaaaaaaaaaaaaa"
clientId: "aaaaaaaaaaaaaaaaaa"
consistencyToken: "2018-11-23T00:29:44.953175Z"
creationTime: "2018-11-23T00:29:44.810Z"
displayName: "Client for servicemaint1"
domainWideDelegation: "DELEGATION_ENABLED"
projectNumber: "aaaaaaaaaaaaaaaa"
threeLeggedOauth: "DISABLED"
updateTime: "2018-11-23T00:29:44.953175Z"
}
EDIT4: FINALLY WORKING!
So I had been trying this in a new project I created for testing all morning / last night. But my oauth2 user authenticating was running through a different project (where I also couldn't get the service account working all of yesterday morning / afternoon).
So anyway, I noticed in: https://myaccount.google.com/permissions "Apps with Access to your account" - only my old project / app was authorized. So I switched back to my first project, created a new service account client ID .json file and it finallyyy worked to authenticate both! :)
I must have that authorized that somewhere extra along the line which I had not done with the second project.
Thanks again.
EDIT5: One more quick question - is this the correct way to do this on stackoverflow? With constantly going back to edit?
Also for others stumbling upon this later, here's my total authentication block (sorry its a bit long):
putenv('GOOGLE_APPLICATION_CREDENTIALS=maintenanceapp.json');
$user = 'xyz#abc.com';
function getGoogleClient() {
return getServiceAccountClient();
}
function getServiceAccountClient() {
$user = 'xyz#abc.com';
try {
// Create and configure a new client object.
$client2 = new Google_Client();
$client2->useApplicationDefaultCredentials();
$client2->setScopes(['https://www.googleapis.com/auth/gmail.metadata','https://www.googleapis.com/auth/userinfo.email','https://www.googleapis.com/auth/userinfo.profile','https://www.googleapis.com/auth/gmail.modify','https://www.googleapis.com/auth/gmail.readonly','https://www.googleapis.com/auth/gmail.labels']);
//$client2->setAccessType('offline');
$client2->setSubject($user);
return $client2;
} catch (Exception $e) {
echo "An error occurred: " . $e->getMessage();
}
}
$newGoogleClient = getGoogleClient();
$service3 = new Google_Service_Gmail($newGoogleClient);
$results3 = $service3->users_labels->listUsersLabels($user);
/*************************************************
* Ensure you've downloaded your oauth credentials
************************************************/
if (!$oauth_credentials = getOAuthCredentialsFile()) {
echo missingOAuth2CredentialsWarning();
return;
}
/************************************************
* NOTICE:
* The redirect URI is to the current page, e.g:
* http://localhost:8080/idtoken.php
************************************************/
$redirect_uri = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
$client = new Google_Client();
// USER AUTH
$client->setAuthConfig($oauth_credentials);
$client->setRedirectUri($redirect_uri);
$client->setScopes(array('https://www.googleapis.com/auth/userinfo.email','https://www.googleapis.com/auth/userinfo.profile','https://www.googleapis.com/auth/gmail.readonly','https://www.googleapis.com/auth/calendar'));
$client->setApprovalPrompt('auto');
$client->setAccessType('offline');
$plus = new Google_Service_Plus($client);
/************************************************
* If we're logging out we just need to clear our
* local access token in this case
************************************************/
if (isset($_REQUEST['logout'])) {
unset($_SESSION['id_token_token']);
}
/************************************************
* If we have a code back from the OAuth 2.0 flow,
* we need to exchange that with the
* Google_Client::fetchAccessTokenWithAuthCode()
* function. We store the resultant access token
* bundle in the session, and redirect to ourself.
************************************************/
if (isset($_GET['code'])) {
$token = $client->fetchAccessTokenWithAuthCode($_GET['code']);
// store in the session also
$_SESSION['id_token_token'] = $token;
// redirect back to the example
header('Location: https://abc.de/index.php');
// return;
}
/************************************************
If we have an access token, we can make
requests, else we generate an authentication URL.
************************************************/
if (
!empty($_SESSION['id_token_token'])
&& isset($_SESSION['id_token_token']['id_token'])
) {
$client->setAccessToken($_SESSION['id_token_token']);
} else {
$authUrl = $client->createAuthUrl();
//header('Location: ' . $authUrl);
}
/************************************************
If we're signed in we can go ahead and retrieve
the ID token, which is part of the bundle of
data that is exchange in the authenticate step
- we only need to do a network call if we have
to retrieve the Google certificate to verify it,
and that can be cached.
************************************************/
if ($client->getAccessToken()) {
$token_data = $client->verifyIdToken();
}
In google developer console when you create your project and the credentials you must choose which type of client you are going to create for which type of application.
There are several different ways to authenticate to google.
OAuth2 native
OAuth2 web
Mobile
Service account
The code to use these clients is also different. You cant create a web OAuth2 client and use it for the code meant to be calling a service account.
"client is unauthorized to retrieve access tokens using this method".
Means exactly that. The client you have set up on Google developer console is either not a service account client or the code you are using is not meant for a service account client.
This is my serviceaccount.php sample. If your code needs to look something like this and you need to make sure that the client you created on the google developer console is a service account client.
require_once __DIR__ . '/vendor/autoload.php';
// Use the developers console and download your service account
// credentials in JSON format. Place the file in this directory or
// change the key file location if necessary.
putenv('GOOGLE_APPLICATION_CREDENTIALS='.__DIR__.'/service-account.json');
/**
* Gets the Google client refreshing auth if needed.
* Documentation: https://developers.google.com/identity/protocols/OAuth2ServiceAccount
* Initializes a client object.
* #return A google client object.
*/
function getGoogleClient() {
return getServiceAccountClient();
}
/**
* Builds the Google client object.
* Documentation: https://developers.google.com/api-client-library/php/auth/service-accounts
* Scopes will need to be changed depending upon the API's being accessed.
* array(Google_Service_Analytics::ANALYTICS_READONLY, Google_Service_Analytics::ANALYTICS)
* List of Google Scopes: https://developers.google.com/identity/protocols/googlescopes
* #return A google client object.
*/
function getServiceAccountClient() {
try {
// Create and configure a new client object.
$client = new Google_Client();
$client->useApplicationDefaultCredentials();
$client->addScope([YOUR SCOPES HERE]);
return $client;
} catch (Exception $e) {
print "An error occurred: " . $e->getMessage();
}
}
Developer console
Under clients check that the client you are using is one that can be found under service account keys. If not then it is the wrong client type and will not work with your code. Create a new service account client and set up domain wide delegation with that client id.
response_type=code
client_id=348268306866-9dl0kdgn2f9bjhoge7pris1jo8u9si47.apps.googleusercontent.com
redirect_uri=https://degoo.com/me/googleoauth2callback
access_type=offline
scope=https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/contacts.readonly
state={"RedirectUrl":"/me/chooseaccount","RegisterIfNotExists":true}
That’s all we know.
I have a problem with google api and oauth2 token.
There is an app which allows to synchronize contacts / calendar with your google account by oauth2 token.
When first time user wants to connect with his google account, he needs to grant access , then app is receiving code/token which is saved and will be used for offline synchronization later.
function getClient($app)
{
$client = new Google_Client();
$client->setAuthConfig("path_to_secret.json");
switch($app)
{
case 'contacts':
$client->addScope(Google_Service_Script::WWW_GOOGLE_COM_M8_FEEDS);
$client->addScope(Google_Service_People::USERINFO_EMAIL);
break;
case 'calendar':
$client->addScope(Google_Service_Calendar::CALENDAR);
break;
default:
throw new Exception('API Callback not defined in setup');
}
$client->setAccessType('offline'); // offline access
$client->setIncludeGrantedScopes(true); // incremental auth
$client->setRedirectUri(GOOGLE_APP_URL . $app.'/callback.php');
return $client;
}
(there are different tokens for contacts and calendar)
The synchronization script:
...
try
{
$client = getClient('calendar');
$client->setAccessToken(unserialize($accessToken));
$http = $client->authorize();
$service = new Google_Service_Calendar($client);
...
}
$accessToken is a serialized string like:
a:5:{s:12:"access_token";s:131:"******token_here********";s:10:"token_type";s:6:"Bearer";s:10:"expires_in";i:3598;s:8:"id_token";s:902:"***id_token****";s:7:"created";i:1505178047;}
This is working for first time and couple more times but after some time(hours) there is an error:
Error: {"error": { "errors": [ { "domain": "global", "reason": "authError", "message": "Invalid Credentials", "locationType": "header", "location": "Authorization" } ], "code": 401, "message": "Invalid Credentials" }}
What I am doing wrong?
What is interesting that for contacts synchronization works fine all the time (access token has the same attributes as in calendar synchronization )
Ok, propably solved - refresh_token is provided for the first time only, so when I was testing it more times then I didn't get refresh token.
When I revoked access in https://myaccount.google.com/u/0/permissions and connected again then I received also refresh token. I assume now it will work properly
Trying to list my files from personal account using google/apiclient and cannot succeed. My steps
Created service account
Enabled domain delegation
Downloaded the keys (for the service account, not the client delegate)
Using google api client to connect (code below)
Initialisation and listing
private function _initClient(string $keyLocation)
{
if (empty($keyLocation) || !file_exists($keyLocation))
{
throw new \Exception("Missing google certificate file");
}
$client = new \Google_Client();
$client->setApplicationName('My App');
$client->useApplicationDefaultCredentials();
$client->setSubject("my.email#gmail.com");
$client->setScopes([
'https://www.googleapis.com/auth/drive',
]);
return $client;
}
public function listDirectories()
{
$drive = new \Google_Service_Drive($this->client);
$files = $drive->files->listFiles([
'corpus' => 'user',
'spaces' => 'drive'
]);
var_dump($files);
}
require_once 'vendor/autoload.php';
$key = __DIR__.DIRECTORY_SEPARATOR.'client_id.json';
putenv('GOOGLE_APPLICATION_CREDENTIALS='.$key);
$t = new Myclass($key);
$t->listDirectories();
In response I get :
Uncaught Google_Service_Exception: {
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method."
}
So the main question is what I am missing? where I can pre-authorized my delegated account ? Or there is another way to communicate with Drive Api without user confirmation?
You cannot enable domain wide delegation(DWD) for #gmail.com accounts because you are not the owner of the domain gmail.com. DWD is only possible for G Suite accounts. For gmail.com accounts, you need to take another approach. I strongly recommend you to go over this documentation for more details.
In summary, I don't think is possible to do this without user consent. I hope this information helps.
I want to access the locations associated with my account and their reviews, for that I am using the google my business API and I have access to it (it does work on oAuthplayground).
Now I want to access the google my business api without logging into my account, for that I am trying to make it work with the service account. But no luck so far, please advice how to proceed with this. I have enabled the G suite in the service account and I have also tried to give access to the service account email (ID) for the my business manage but it stays in Invited state, as there is no way to actually accept the invite.
When I try to send request using my account as subject.
$client = new Google_Client();
$client->addScope('https://www.googleapis.com/auth/plus.business.manage');
$client->setAuthConfig(dirname(__FILE__) . '/Xyz Review API-service account.json');
$client->setSubject('xyz*****abc#gmail.com');
$business_service_class = new Google_Service_Mybusiness($client);
$result_accounts = $business_service_class->accounts->listAccounts();
echo json_encode($result_accounts);
exit;
Response:
{"nextPageToken":null}
If I use the google service account ID as email id in subject then I get following response.
$client->setSubject('xyz-review-service#xyz-review-api.iam.gserviceaccount.com');
Response:
Error 500
{ "error": "unauthorized_client", "error_description": "Unauthorized client or scope in request." }
If I am doing this completely wrong then please do advice how to proceed with this. Thank you.
Here is what I got working in 2021 with NodeJS:
To log in as a service account for server to server authentication you need to enable domain wide delegation for your service account. https://developers.google.com/admin-sdk/directory/v1/guides/delegation
Once you do this, you can make your service account log into the Google My Business API by impersonating the email address of an approved My Business manager. This is in NodeJS, here is what I used:
const { google } = require('googleapis'); // MAKE SURE TO USE GOOGLE API
const { default: axios } = require('axios'); //using this for api calls
const key = require('./serviceaccount.json'); // reference to your service account
const scopes = 'https://www.googleapis.com/auth/business.manage'; // can be an array of scopes
const jwt = new google.auth.JWT({
email: key.client_email,
key: key.private_key,
scopes: scopes,
subject: `impersonated#email.com`
});
async function getAxios() {
const response = await jwt.authorize() // authorize key
let token = response.access_token // dereference token
console.log(response)
await axios.get('https://mybusiness.googleapis.com/v4/accounts', {
headers: {
Authorization: `Bearer ${token}`
} // make request
})
.then((res) => { // handle response
console.log(res.data);
})
.catch((err) => { // handle error
console.log(err.response.data);
})
}
await getAxios(); // call the function
I faced the problem of authentication for my internal service with google apis.
Basically exists two method:
create the page to accept your application to access the google account
create a certificate to authenticate the application with "implicit" approval
as i said i'm using the google api for an internal project, so the first option is out of question (the service is not public).
Go to https://console.cloud.google.com and create a new project then go to "api manager" then "credentials" then create a "service credential".
If you follow all those steps you have a certificate with .p12 extension, it's your key to access to google api (remember you have to enable the key to access the specific google api you want).
I paste an example extracted from my project, i'm using google calendar, but the authentication is the same for each service.
$client_email = 'xxxx#developer.gserviceaccount.com';
$private_key = file_get_contents(__DIR__ . '/../Resources/config/xxxx.p12');
$scopes = array('https://www.googleapis.com/auth/calendar');
$credentials = new \Google_Auth_AssertionCredentials(
$client_email,
$scopes,
$private_key
);
$this->client = new \Google_Client();
$this->client->setAssertionCredentials($credentials);