We Keep Coding

YouTube Data API: authenticate as a resource owner

I have a task to import video details of videos, uploaded on YouTube.
I have an account, that is the video owner. I have setup credentials in the console: https://console.developers.google.com/project/XXXXX/apiui/credential. I have created OAuth Service Account there.
Later in the script I am using the code from documentation (v3 version of the API):
$credentials = new Google_Auth_AssertionCredentials(
$clientEmail,
[
'https://www.googleapis.com/auth/youtube',
'https://www.googleapis.com/auth/youtube.force-ssl',
'https://www.googleapis.com/auth/youtube.readonly',
'https://www.googleapis.com/auth/youtubepartner',
],
$privateKeyContents
);
$this->client->setAssertionCredentials($credentials);
/** #var Google_Auth_OAuth2 $auth */
$auth = $this->client->getAuth();
if ($auth->isAccessTokenExpired()) {
$auth->refreshTokenWithAssertion();
}
Authentication works ok. I've attached logger to Google Client and I can see Authorization: Bearer XXXXXXX header passed with each request.
But the problem is, that it seems, YouTube does not recognize this authentication as an authentication of an actual resource owner. For example, if I request Video Snippet, it is returned without tags (tags can be seen only by owner on some reason).
If I make the same request from here https://developers.google.com/youtube/v3/docs/videos/list?hl=ru it works flawlessly.
What can be the problem?
The request in logs looks like this:
[2015-06-08 14:50:02] name.DEBUG: OAuth2 authentication [] []
[2015-06-08 14:50:02] name.DEBUG: cURL request {"url":"https://www.googleapis.com/youtube/v3/playlists?part=id%2Csnippet&channelId=XXXXXXXXXXXX&maxResults=50","method":"GET","headers":{"authorization":"Bearer ya29.XXXXX-XXXXXX","accept-encoding":"gzip"},"body":null} []
This differs from what I can see if tracing the request Google Javascript client makes on Documentation page. The domain is different, Javascript client passes more headers etc.
How do I make it work with PHP?

You should add onBehalfofContentOwner parameter to your request to show yourself as the content owner.

You seem to have been using Google Service Account credentails for authentication. The API call needs to be made after authenticating as "Client ID for web application" rather than a service account. After you have created a new set of credentials for web application, authenticate as follows:
$OAUTH2_CLIENT_ID = 'REPLACE_ME';
$OAUTH2_CLIENT_SECRET = 'REPLACE_ME';
$client = new Google_Client();
$client->setClientId($OAUTH2_CLIENT_ID);
$client->setClientSecret($OAUTH2_CLIENT_SECRET);
$client->setScopes('https://www.googleapis.com/auth/youtube');
$redirect = filter_var('http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'],
FILTER_SANITIZE_URL);
$client->setRedirectUri($redirect);//This Uri should match exactly to what you had given in Google Developer Console while generating Client ID/Secret
// Define an object that will be used to make all API requests.
$youtube = new Google_Service_YouTube($client);
if (isset($_GET['code'])) {
if (strval($_SESSION['state']) !== strval($_GET['state'])) {
die('The session state did not match.');
}
$client->authenticate($_GET['code']);
$_SESSION['token'] = $client->getAccessToken();
header('Location: ' . $redirect);
}
Hope this resolves your problem.

Gmail API: How to get access token?

I am testing the Gmail API.
So far I have done the following:
I have created the project in the Google Developers Console
I have enabled the Gmail API.
I have created a new Client ID and the client secret.
In my PHP script I have installed the PHP Client library and followed
the instructions for the setup in PHP.
So now when I run the file quickstart.php it gives a link. When I open it, it appears an authorization page where I authorize my application to access the Gmail API.
Then it redirects to the Redirect URIs that I have declared in the setup (adding the code parameter).
In the address bar it appears exactly this:
http://localhost/main/gmail_callback?code=MY_CODE
Where main is my controller and gmail_callback so far is just a blank function.
And it should be correct since these are my settings:
Javascript origins: http://localhost
Redirect URIs: http://localhost/main/gmail_callback
What do I do next?

The next step in the flow is to exchange the Authorization Code for an Access Token (which will also include a Refresh Token if you requested offline access). If you use the https://developers.google.com/oauthplayground/ to execute the flow manually, you'll be able to see the URLs involved. There is a php library call to do the same thing, but I personally prefer to send my own HTTP rather than use a library. Even if you do use a library, it will still be worth spending a little time to understand the HTTP flow so you can more easily debug any problems you encounter.

Basically I was approaching wrongly. Following these instructions is enough to get the tokens:
https://developers.google.com/gmail/api/quickstart/php
The main point is to access the file from the command line and not from the app.

I made a Oauth Gmail some months ago, I got something like this :
In my callback function :
if (! isset($_GET['code'])) {
$auth_url = $client->createAuthUrl();
return $this->redirect($auth_url);
} else {
$client->authenticate($_GET['code']);
$_SESSION['access_token'] = $client->getAccessToken();
$redirect_uri = Router::url('/', true).'Users/gmail';
return $this->redirect($redirect_uri);
}
And in my gmail() function :
public function gmail(){
require APPLIBS.'Google/src/Google'.DS.'autoload.php';
$client = new Google_Client();
$client->setAuthConfigFile('../Config/client_secrets.json');
$client->addScope(Google_Service_Oauth2::PLUS_LOGIN);
$client->addScope(Google_Service_Oauth2::USERINFO_EMAIL);
if (isset($_SESSION['access_token']) && $_SESSION['access_token']) {
$client->setAccessToken($_SESSION['access_token']);
$oauth_service = new Google_Service_Oauth2($client);
$data['Profile']['last_name'] = $oauth_service->userinfo->get()->familyName;
}
}
$data['Profile']['last_name'] contain the last_name of the user, for example.

Why do I keep catching a Google_Auth_Exception for invalid_grant?

I am trying to build a web app that accesses Google Analytics API, and pull data. However, I have having some issues with the OAuth 2.0 authorization.
It allows for successful initial access, but it quickly kicks me out and throws a Google_Auth_Exception with message 'Error fetching OAuth2 access token, message: 'invalid_grant'' when I hit a submit button that refreshes the page.
As I understand OAuth 2.0, there are 4 steps to authentication:
Obtain OAuth 2.0 credentials from Google Dev Console
Obtain an access token from Google Authorization Server
Send the access token to Google Analytics API
Refresh the access token, if necessary
And as I understand it, $client->setAccessToken(); automatically refreshes the token.
I cannot seem to find any documentation from Google since they moved to Github, and I have followed their example structures for the most part.
The error is thrown from the first try block, when it tries to execute $client->authenticate($_GET['code']);
My current workaround is to unset the session token, and have the user re-authorize. However, this is really cumbersome and intrusive, as any interaction with the page will ask for re-authorization.
Any help would be greatly appreciated!
Here is my code:
<?php
/**********************
OAUTH 2.0 AUTHORIZATION
***********************/
//required libraries
set_include_path("../src/" . PATH_SEPARATOR . get_include_path());
require_once 'Google/Client.php';
require_once 'Google/Service/Analytics.php';
//variables
$client_id = 'redacted';
$client_secret = 'redacted';
$redirect_uri = 'http://'.$_SERVER["HTTP_HOST"].$_SERVER['PHP_SELF'];
$dev_key = 'redacted';
//create a Google client
$client = new Google_Client();
$client->setApplicationName('App');
//sets client's API information
$client->setClientId($client_id);
$client->setClientSecret($client_secret);
$client->setRedirectUri($redirect_uri);
$client->setDeveloperKey($dev_key);
$client->setScopes(array('https://www.googleapis.com/auth/analytics.readonly'));
//if log out is requested, revoke the access
if (isset($_REQUEST['logout'])) {
unset($_SESSION['token']);
}
//check if authorization code is in the URL
try{
if (isset($_GET['code'])) {
$client->authenticate($_GET['code']); //does authorization work
$_SESSION['access_token'] = $client->getAccessToken(); //gets valid access token
$redirect = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']; //set into session storage
header('Location: ' . filter_var($redirect, FILTER_SANITIZE_URL)); //cleans up the URL
}
}
//if the authorization code is now invalid
catch (Google_Auth_Exception $e) {
unset($_SESSION['token']); //unset the session token
echo "Token now invalid, please revalidate. <br>";
}
//if there is an access token in the session storage
if (isset($_SESSION['access_token']) && $_SESSION['access_token']) {
$client->setAccessToken($_SESSION['access_token']); //set the client's access token
//try creating an analytics object
try {
$analytics = new Google_Service_Analytics($client);
echo 'Created Google Analytics Client successfully! <br><br>';
}
catch (Google_Auth_Exception $e) {
echo 'Need authorization!';
}
} else {
$authUrl = $client->createAuthUrl(); //create one
echo "<a class='login' href='$authUrl'><button>Authorize Google Access</button></a>"; //print button
}

I resolved the issue. I was trying to authorize the same authentication code twice, and therefore it returned an invalid_grant error.
My solution was to rewrite much of the code and fix the OAuth2 logic.
I have created a mini-tutorial of the OAuth2 authentication flow below:
<?php
session_start(); // Create a session
/**************************
* Google Client Configuration
*
* You may want to consider a modular approach,
* and do the following in a separate PHP file.
***************************/
/* Required Google libraries */
require_once 'Google/Client.php';
require_once 'Google/Service/Analytics.php';
/* API client information */
$clientId = 'YOUR-CLIENT-ID-HERE';
$clientSecret = 'YOUR-CLIENT-SECRET-HERE';
$redirectUri = 'http://www.example.com/';
$devKey = 'YOUR-DEVELOPER-KEY-HERE';
// Create a Google Client.
$client = new Google_Client();
$client->setApplicationName('App'); // Set your app name here
/* Configure the Google Client with your API information */
// Set Client ID and Secret.
$client->setClientId($clientId);
$client->setClientSecret($clientSecret);
// Set Redirect URL here - this should match the one you supplied.
$client->setRedirectUri($redirectUri);
// Set Developer Key and your Application Scopes.
$client->setDeveloperKey($devKey);
$client->setScopes(
array('https://www.googleapis.com/auth/analytics.readonly')
);
/**************************
* OAuth2 Authentication Flow
*
* You may want to consider a modular approach,
* and do the following in a separate PHP file.
***************************/
// Create a Google Analytics Service using the configured Google Client.
$analytics = new Google_Service_Analytics($client);
// Check if there is a logout request in the URL.
if (isset($_REQUEST['logout'])) {
// Clear the access token from the session storage.
unset($_SESSION['access_token']);
}
// Check if there is an authentication code in the URL.
// The authentication code is appended to the URL after
// the user is successfully redirected from authentication.
if (isset($_GET['code'])) {
// Exchange the authentication code with the Google Client.
$client->authenticate($_GET['code']);
// Retrieve the access token from the Google Client.
// In this example, we are storing the access token in
// the session storage - you may want to use a database instead.
$_SESSION['access_token'] = $client->getAccessToken();
// Once the access token is retrieved, you no longer need the
// authorization code in the URL. Redirect the user to a clean URL.
header('Location: '.filter_var($redirectUri, FILTER_SANITIZE_URL));
}
// If an access token exists in the session storage, you may use it
// to authenticate the Google Client for authorized usage.
if (isset($_SESSION['access_token']) && $_SESSION['access_token']) {
$client->setAccessToken($_SESSION['access_token']);
}
// If the Google Client does not have an authenticated access token,
// have the user go through the OAuth2 authentication flow.
if (!$client->getAccessToken()) {
// Get the OAuth2 authentication URL.
$authUrl = $client->createAuthUrl();
/* Have the user access the URL and authenticate here */
// Display the authentication URL here.
}
/**************************
* OAuth2 Authentication Complete
*
* Insert your API calls here
***************************/

in my case it was problem of reauthentication. I was testing the api and got the code. To get the access token i had to revoke the access from account section->security->apps connected. Now select you app name and remove it. now try it and you will get the token response.
Error was : Uncaught exception 'Google_Auth_Exception' with message 'Error fetching OAuth2 access token, message: 'invalid_grant: Code was already redeemed

After added
header('Location: '.filter_var($redirectUri, FILTER_SANITIZE_URL));
I got error message Invalid Request Parameter. How to solve it?

request Google Analytics data from a local server

I want to write a PHP script that imports web stats data from GA. The script is accessible through a web front end (for triggering the import) and resides on a local server (127.0.0.1).
As I understood from the documentation is that there are two options for authenticating and using the core API:
API key - grants only access to statistics
OAuth2 - full authorization
If I understand the mechanics of OAuth2 correctly then this is not an option in my scenario because I cannot specify a callback URL. Hacky solutions come to my mind - like establishing a web profile authentication directly connecting to GA from the browser and then fetching the data by JavaScript and feeding it to the import script - but I would prefer to refrain from such solutions. Also because the browser interaction triggering the import process might be substituted with a cron job in the future.
The API key seems to be exactly what I want but the GET request from the browser fails.
GET request:
https://www.googleapis.com/analytics/v3/data/ga
?ids=ga:[profile ID]
&start-date=2013-01-01&end-date=2013-01-05
&metrics=ga:visits
&key=[the API key]
Response:
{
error: {
errors: [
{
domain: "global",
reason: "required",
message: "Login Required",
locationType: "header",
location: "Authorization"
}
],
code: 401,
message: "Login Required"
}
}
The URL though should be fine. Except for the key parameter it is the same as the one generated with http://ga-dev-tools.appspot.com/explorer/ which is also working (AOuth2 is used in that case). The API key is fresh.
Then again generating a new API key confronts me with the next inconveniency which is that apparently the key is only valid for a day.
So at the end of the day my question is this:
Is it possible to fetch data in the above described scenario without having to authenticate manually or generate API keys on a daily basis?

As already suggested, use this library: https://code.google.com/p/google-api-php-client/
but, instead of using oauth, create a service account from the api console (just select server application). This will provide you with a client id, an email that identify the service account, and *.p12 file holding the private key.
You then have to add the service account (the email) to your analytics as an admin user in order to get the data you need.
To use the service:
$client = new Google_Client();
$client->setApplicationName('test');
$client->setAssertionCredentials(
new Google_AssertionCredentials(
EMAIL,
array('https://www.googleapis.com/auth/analytics.readonly'),
file_get_contents(PRIVATE_KEY_FILEPATH)
)
);
$client->setClientId(CLIENT_ID);
$client->setAccessType('offline_access');
$analytics = new Google_AnalyticsService($client);
To get some data:
$analytics->data_ga->get(PROFILE_ID, $date_from, $date_to, $metrics, $optParams)
For the details check api docs. Also, be careful, there is a query cap (unless you pay)

I think to get this working, you need to use OAuth but with a slight modification to run it from server. Google calls this auth method "Using OAuth 2.0 for Web Server Applications"
As described on that page, you can use a PHP client library to get the authentication done. The client library is located here.
An example example on how to use this client library are on the same project's help pages. Note that you'll have to make some modifications to the code as the comments say to store the token in db and to refresh it regularly.
<?php
require_once 'google-api-php-client/src/Google_Client.php';
require_once 'google-api-php-client/src/contrib/Google_PlusService.php';
// Set your cached access token. Remember to replace $_SESSION with a
// real database or memcached.
session_start();
$client = new Google_Client();
$client->setApplicationName('Google+ PHP Starter Application');
// Visit https://code.google.com/apis/console?api=plus to generate your
// client id, client secret, and to register your redirect uri.
$client->setClientId('insert_your_oauth2_client_id');
$client->setClientSecret('insert_your_oauth2_client_secret');
$client->setRedirectUri('insert_your_oauth2_redirect_uri');
$client->setDeveloperKey('insert_your_simple_api_key');
$plus = new Google_PlusService($client);
if (isset($_GET['code'])) {
$client->authenticate();
$_SESSION['token'] = $client->getAccessToken();
$redirect = 'http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
header('Location: ' . filter_var($redirect, FILTER_SANITIZE_URL));
}
if (isset($_SESSION['token'])) {
$client->setAccessToken($_SESSION['token']);
}
if ($client->getAccessToken()) {
$activities = $plus->activities->listActivities('me', 'public');
print 'Your Activities: <pre>' . print_r($activities, true) . '</pre>';
// We're not done yet. Remember to update the cached access token.
// Remember to replace $_SESSION with a real database or memcached.
$_SESSION['token'] = $client->getAccessToken();
} else {
$authUrl = $client->createAuthUrl();
print "<a href='$authUrl'>Connect Me!</a>";
}

I have a similar setup. The thing that you don't realize is that you can specify a http://localhost or http://127.0.0.1 or anything else as an origin and callback URL. You need to setup some web interface on your local server that initiates an OAuth setup for the user with the GA access. Note that this is one time. The callback handler must be something like this:
Note: The libraries used here are the same as the previous answer, the detailed code is in the wrapper.
$redirect = 'http://' . $_SERVER['HTTP_HOST'] . '/content/business-intelligence';
if (isset($_GET['code'])) {
require_once 'GAPI.php';
$client = GAPI::init(); //create client instance of Google_Client
$client->authenticate(); //convert auth code to access token
$token = $client->getAccessToken();
$retVal = CF_GAPI::persistToken($token); //save token
if($retVal)
$redirect .= "?new_token";
else
$redirect .= "?bad_token";
}
header('Location: ' . $redirect); //redirect to bi index
Once you have saved the token saved, you must set it in the client before making requests to GA to get your analytics data. Like:
try {
$token = GAPI::readToken(); //read from persistent storage
} catch (Exception $e) {
$token = FALSE;
}
if($token == FALSE) {
$logger->crit("Token not set before running cron!");
echo "Error: Token not set before running cron!";
exit;
}
$client = GAPI::init(); //instance of Google_Client
$client->setAccessToken($token);
The GAPI::init() is implemented as follows:
$client = new Google_Client();
$client->setApplicationName(self::APP_NAME);
$client->setClientId(self::CLIENT_ID);
$client->setClientSecret(self::CLIENT_SECRET);
$client->setRedirectUri(self::REDIRECT_URI);
$client->setDeveloperKey(self::DEVELOPER_KEY);
//to specify that the token is stored offline
$client->setAccessType('offline');
//all results will be objects
$client->setUseObjects(true);
//tell that this app will RO from Analytics
$client->setScopes('https://www.googleapis.com/auth/analytics.readonly');
return $client;
My mysql table has columns like id, title, send_to_emails, frequency, dimensions, metrics, filters, profile_id which completely define each report to the generated from GA. You can play around with them using the documentation, list of metrics & dimensions and the sandbox tester that you already know about.

Google API : Unattended reading of calendar. How to login?

I thought this one was going to be a breeze. Hence I'm stuck at the very beginning :-(
I created a Google Calendar where users can add events using a 'shared' dedicated login.
Then I need to write a PHP script on my server to read the events in a given time frame.
I thought the API key described here would be enough. But it's not.
curl https://www.googleapis.com/calendar/v3/users/me/calendarList?key=mykey
says Login required.
So I read about OAuth2.0 and how I need user to authenticate. The problem is my script is not interactive (although hardcoding the login in the script is not a problem to me: The info is not life-critical). So I read about Service Accounts but it looks like it's for non-user info.
Question: How do I code my script to force a given login without involving a human?
Note: This SO question seemed promising but the answer is for API version 2.0, which seems obsoleted.

The first thing you need to do is obtain an access token. This will require a human.
Assuming you're using the Google APIs PHP Client, it can be done with this script (run from the command line).
NOTE: The snippet below works with a Client ID for Installed Applications. Make sure you create a client ID of this type in the Google API Access console.
require_once '../../src/apiClient.php';
defined('STDIN') or define('STDIN', fopen('php://stdin', 'r'));
$client = new apiClient();
// Visit https://code.google.com/apis/console to create your client id and cient secret
$client->setClientId('INSERT_CLIENT_ID');
$client->setClientSecret('INSERT_CLIENT_SECRET');
$client->setRedirectUri('urn:ietf:wg:oauth:2.0:oob');
$client->setScopes(array(
'https://www.googleapis.com/auth/calendar',
'https://www.googleapis.com/auth/calendar.readonly',
));
$authUrl = $client->createAuthUrl();
print "Please visit:\n$authUrl\n\n";
print "Please enter the auth code:\n";
$authCode = trim(fgets(STDIN));
$_GET['code'] = $authCode;
$token = $client->authenticate();
var_dump($token);
This will give you a json encoded string containing your accessToken and refreshToken. The accessToken expires after 1 hour, but don't worry. The refreshToken will not expire (unless you uninstall the application), and can be used to obtain a new refreshToken. The client library takes care of this part.
Next, save the full json string token (not only the access_token property in a safe place and make sure it can't be read by others. Your app can then call $client->setAccessToken($token) where $token was looked up from the safe location (Again, $token is the full json-encoded string, not limited to its access_token property).
Now, you can make authenticated request to the Calendar APIs!
require_once '../../src/apiClient.php';
require_once '../../src/contrib/apiCalendarService.php';
session_start();
$client = new apiClient();
$client->setApplicationName("Google Calendar PHP Sample Application");
$cal = new apiCalendarService($client);
$client->setAccessToken($tokenFromSafePlace);
$calList = $cal->calendarList->listCalendarList();
print "<h1>Calendar List</h1><pre>" . print_r($calList, true) . "</pre>";

Using the latest version of the client library (for the v3 api?) to get the token you need:
require_once 'Google/Client.php';
defined('STDIN') or define('STDIN', fopen('php://stdin', 'r'));
$client = new Google_Client();
// Visit https://console.developers.google.com/ to create your application and client id for a native app.
$client->setClientId('YOUR_CLIENT_ID');
$client->setClientSecret('YOUR_CLIENT_SECRET');
$client->setRedirectUri('urn:ietf:wg:oauth:2.0:oob');
$client->setScopes(array(
'https://www.googleapis.com/auth/calendar',
'https://www.googleapis.com/auth/calendar.readonly',
));
$authUrl = $client->createAuthUrl();
print "Please visit:\n$authUrl\n\n";
print "Please enter the auth code:\n";
$authCode = trim(fgets(STDIN));
$_GET['code'] = $authCode;
$token = $client->authenticate($authCode);
var_dump($token);
To get the calendar list you then need the following code:
require_once 'Google/Client.php';
require_once 'Google/Service/Calendar.php';
$client = new Google_Client();
$client->setApplicationName("My Calendar example");
// token you got from the previous code
$client->setAccessToken($token);
$calendarService = new Google_Service_Calendar($client);
$calendarList = $calendarService->calendarList;
$calList = $calendarList->listCalendarList();
print "<h1>Calendar List</h1><pre>" . print_r($calList, true) . "</pre>";