php – Google Admin SDK:您无权访问此API

由于自上周以来我一直禁用Google登录身份验证,因此我试图让oAuth 2.0使用服务帐户.我们希望为我们的内部Web应用程序上的用户提供在办公室外设置的机会.

我下载了最新的Google APIs Client Library for PHP.在Google Developer Console中,我为我的应用程序创建了一个新项目,并创建了一个服务帐户凭据.我还在Developer Console中启用了API服务:Admin SDK.

我已授予帐户用户ID访问权限的范围(我认为):

当我使用service-account.php示例并更改详细信息时,我收到带有访问令牌的JSON,但是当我执行CURL请求(与之前相同)以从用户获取电子邮件设置时,错误“您无权访问此API.“发生.

我的代码:

<?php

include_once "templates/base.php";
require_once realpath(dirname(__FILE__) . '/../src/Google/autoload.php');
$client_id = '124331845-DELETEDPART-hbh89pbgl20citf6ko.apps.googleusercontent.com'; //Client ID
$service_account_name = '124331845-DELETEDPART-89pbgl20citf6ko@developer.gserviceaccount.com'; //Email Address
$key_file_location = 'globaltext-4ce09b20cb73.p12'; //key.p12

$client = new Google_Client();
if (isset($_SESSION['service_token'])) {
  $client->setAccessToken($_SESSION['service_token']);
}
$key = file_get_contents($key_file_location);
$cred = new Google_Auth_AssertionCredentials(
    $service_account_name,
    array('https://apps-apis.google.com/a/feeds/emailsettings/2.0/'),
    $key
);
$client->setAssertionCredentials($cred);
if ($client->getAuth()->isAccessTokenExpired()) {
  $client->getAuth()->refreshTokenWithAssertion($cred);
}

$aOutput = json_decode($client->getAccessToken());

$strEmailAdresSplit = explode('@', "FIRSTNAME.LASTNAME@DOMAIN.EXTENSION");
$strDomein = $strEmailAdresSplit[1];
$strAlias = $strEmailAdresSplit[0];

$resConnectionJobs = curl_init();
$aHeader = array();
$aHeader[] = 'Authorization: Bearer '.$aOutput->access_token; 
$aHeader[] = 'Content-Type: application/atom+xml'; 

curl_setopt($resConnectionJobs, CURLOPT_URL, "https://apps-apis.google.com/a/feeds/emailsettings/2.0/DOMAIN.EXTENSION/FIRSTNAME.LASTNAME/vacation"); 
curl_setopt($resConnectionJobs, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($resConnectionJobs, CURLOPT_HTTPHEADER, $aHeader);
curl_setopt($resConnectionJobs, CURLOPT_RETURNTRANSFER, true);
curl_setopt($resConnectionJobs, CURLOPT_HEADER, false);

$oCurlData = curl_exec($resConnectionJobs);

curl_close($resConnectionJobs);
echo $oCurlData;

?>
最佳答案
你确定你的证书还可以吗?

请尝试以下过程以确保您拥有正确的凭据.

创建API密钥

转到developer’s console并按照以下步骤操作:

>选择您的项目
>选择菜单项“API& auth”
>选择菜单项“已注册的应用程序”
>注册“web应用程序”类型的应用程序
>根据您要创建的应用程序类型,选择以下选项之一.服务器端语言应使用此选项:

>服务器应用程序的密钥(具有IP锁定)

获取访问令牌&刷新令牌

创建包含以下代码的文件:

<?php

if (isset($_GET['code'])) {
    // try to get an access token
    $code = $_GET['code'];
    $url = 'https://accounts.google.com/o/oauth2/token';
    $params = array(
        "code" => $code,
        "client_id" => YOUR_CLIENT_ID,
        "client_secret" => YOUR_CLIENT_SECRET,
        "redirect_uri" => 'http://' . $_SERVER["HTTP_HOST"] . $_SERVER["PHP_SELF"],
        "grant_type" => "authorization_code"
    );

    $ch = curl_init();
    curl_setopt($ch, constant("CURLOPT_" . 'URL'), $url);
    curl_setopt($ch, constant("CURLOPT_" . 'POST'), true);
    curl_setopt($ch, constant("CURLOPT_" . 'POSTFIELDS'), $params);
    $output = curl_exec($ch);
    $info = curl_getinfo($ch);
    curl_close($ch);
    if ($info['http_code'] === 200) {
        header('Content-Type: ' . $info['content_type']);
        return $output;
    } else {
        return 'An error happened';
    }
} else {

    $url = "https://accounts.google.com/o/oauth2/auth";

    $params = array(
        "response_type" => "code",
        "client_id" => YOUR_CLIENT_ID,
        "redirect_uri" => 'http://' . $_SERVER["HTTP_HOST"] . $_SERVER["PHP_SELF"],
        "scope" => "https://www.googleapis.com/auth/plus.me"
    );

    $request_to = $url . '?' . http_build_query($params);

    header("Location: " . $request_to);
}

现在,将YOUR_CLIENT_ID和YOUR_CLIENT_SECRET替换为您的客户端ID和客户端密钥.

确保您的范围正确.例如,如果您想要访问Google Analytics,则应该是https://www.googleapis.com/auth/analytics.

如果您运行该文件,则应获得OAuth2批准屏幕.

如果您现在按下Accept,您应该得到如下所示的结果:

{
  "access_token" : YOUR_ACCESS_TOKEN,
  "token_type" : "Bearer",
  "expires_in" : 3600,
  "refresh_token" : YOUR_REFRESH_TOKEN
}

结果可能包含其他字段,具体取决于您申请的范围.

在后台与Google的系统连接

完成上述工作后,您的应用程序需要实现以下工作流程:

1)检查输入是否包含名为“code”的GET参数.如果存在“代码”,请获取新的访问令牌并重复此步骤(刷新页面)
如果“代码”不存在,请转到步骤2.

2)检查您是否为您的服务存储了凭据.如果存在凭据,请检查您的访问令牌是否已过期或将很快过期.然后转到步骤3.如果凭据不存在,请转到服务的身份验证路径以获取身份验证代码并返回步骤1(确保Google重定向到您当前的网址).

3)如果需要刷新,请刷新页面并返回步骤1.
如果不需要刷新,您就可以在第一时间实际完成您想要做的事情了.

但是,如果oAuth2为您流动,Google的PHP库会照顾您.如果您正在使用他们的图书馆,图书馆将负责三步流程中的每个步骤,您应该能够立即对Google的服务做任何您想做的事情.我在my Google Adwords dashboard自己使用这个策略.

但是,您可以编写自定义库并直接连接服务.以下是几个月前我写的一个项目的开发代码.虽然它不是开箱即用的(因为它是一个较大的应用程序的控制器),它应该可以帮助您了解谷歌图书馆的流程.

namespace Application;

class Controller_API_Google_Youtube extends Controller_API {
    public function read() {
        $scope = "https://www.googleapis.com/auth/youtube";
        $this->doOauth($scope);
    }

    function doOauth($scope) {

        $oauth2Credentials = JSON_File::load(__DIR__ . DIRECTORY_SEPARATOR . 'Config.json');

        $paths = array(
            'token' => 'https://accounts.google.com/o/oauth2/token',
            'auth' => "https://accounts.google.com/o/oauth2/auth"
        );

       $refreshtime = 300;

        if (isset($_GET['code'])) {
            // Get access code
            $query = $_GET;
            unset($query['code']);
            if (count($query) > 0) {
                $query = '?' . http_build_query($query);
            } else {
                $query = '';
            }

            $client = \PowerTools\HTTP_Client::factory(
                        array(
                            'maps' => array(
                                'url' => $paths['token'],
                                'returntransfer' => 1,
                                'post' => true,
                                'postfields' => array(
                                    'code' => $_GET['code'],
                                    "client_id" => $oauth2Credentials['client_id'],
                                    "client_secret" => $oauth2Credentials['client_secret'],
                                    "redirect_uri" => HTTP_PROTOCOL . URL_PATH . $query,
                                    "grant_type" => "authorization_code"
                                )
                            )
                        )
            )->execute();
            $responses = $client->getResponses();
            $response = array_pop($responses);
            $info = $response['maps']->getInfo();
            $content = $response['maps']->getContent();
            if ($info['http_code'] === 200) {
                $output = JSON::decode($content);
                $oauth2Credentials[$scope] = array();
                $oauth2Credentials[$scope]['expires'] = time() + $output['expires_in'];
                $oauth2Credentials[$scope]['access_token'] = $output['access_token'];
                $oauth2Credentials[$scope]['refresh_token'] = $output['refresh_token'];
                file_put_contents(__DIR__ . DIRECTORY_SEPARATOR . 'Config.json', JSON::encode($oauth2Credentials));
                header("Location: " . HTTP_PROTOCOL . URL_PATH . $query);
            } else {
                echo "Something went wrong";
            }
        } elseif (!isset($oauth2Credentials[$scope])) {
            // Get auth code

            header("Location: " . $paths['auth'] . '?' . http_build_query(
                        array(
                            "response_type" => "code",
                            "client_id" => $oauth2Credentials['client_id'],
                            "redirect_uri" => HTTP_PROTOCOL . DOMAIN_PATH,
                            "scope" => $scope
                        )
            ));
        } elseif ($oauth2Credentials[$scope]['expires'] - $refreshtime < time()) {
            // Refresh access code

            $client = \PowerTools\HTTP_Client::factory(
                        array(
                            'maps' => array(
                                'url' => $paths['token'],
                                'returntransfer' => 1,
                                'post' => true,
                                'postfields' => array(
                                    "client_id" => $oauth2Credentials['client_id'],
                                    "client_secret" => $oauth2Credentials['client_secret'],
                                    "refresh_token" => $oauth2Credentials[$scope]['refresh_token'],
                                    "grant_type" => "refresh_token"
                                )
                            )
                        )
            )->execute();
            $responses = $client->getResponses();
            $response = array_pop($responses);
            $info = $response['maps']->getInfo();
            $content = $response['maps']->getContent();
            if ($info['http_code'] === 200) {
                $output = JSON::decode($response['maps']->getContent());
                $oauth2Credentials[$scope]['expires'] = time() + $output['expires_in'];
                $oauth2Credentials[$scope]['access_token'] = $output['access_token'];
                file_put_contents(__DIR__ . DIRECTORY_SEPARATOR . 'Config.json', JSON::encode($oauth2Credentials));
                $this->read();
            } else {
                $this->output = array("error" => "Something went wrong");
            }
        } else {
            $this->doSomethinguseful($oauth2Credentials, $scope);
        }
        return $this;
    }


    function doSomethinguseful($oauth2Credentials, $scope) {
        // https://developers.google.com/youtube/v3/sample_requests?hl=nl
        $client = \PowerTools\HTTP_Client::factory(
                    array(
                        'maps' => array(
                            'useragent' => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13',
                            'url' => 'https://www.googleapis.com/youtube/v3/channels?part=contentDetails&mine=true',
                            'returntransfer' => true,
                            'httpheader' => array(
                                'Authorization: Bearer ' . $oauth2Credentials[$scope]['access_token'],
                                'Accept-Encoding: gzip, deflate'
                            )
                        )
                    )
        )->execute();
        $responses = $client->getResponses();
        $response = array_pop($responses);
        $content = $response['maps']->getContent();
        $this->output = JSON::decode(gzdecode($content));
    }
}

转载注明原文:php – Google Admin SDK:您无权访问此API - 代码日志