Google-api-php-client: Invalid client secret JSON file

It looks like the latest version of google-api-php-client for PHP does not match the docs @ https://developers.google.com/drive/web/examples/php

Looking at the source code, I see that it is looking for keys in the loaded JSON which the setAuthConfigFile() method cannot find: client_secret, installed, web, redirect_uris (others?) are not in the loaded JSON; only private_key_id, private_key, client_email, client_id and type are available.

The code and documents look really disorganized and out of sync ... won't be the first for Google. Has anyone recently got OAuth working with this library?

+6
4 answers

There is a difference between a "service account" and a "web application" for calling the API. When you create a "service account", you will get the file described above, a JSON file with private_key, client_email, client_id, etc.

When creating a web application, you will be provided with client_id, client_secret, redirect_uri, etc.

I would suggest reading these pages to choose which key and login you need (on both pages you will find examples for its integration into PHP):

You can use the Google API client library for PHP to create website server applications that use OAuth 2.0 authorization to access Google APIs. OAuth 2.0 allows users to exchange specific data with the help of private information while saving their usernames, passwords and other. For example, a web application might use OAuth 2.0 to get permission from users to store files in their Google Drive.

https://developers.google.com/api-client-library/php/auth/web-app

Typically, an application uses a service account when the application uses the Google API to work with its own data, and not with user data. For example, an application that uses the Google Cloud Datastore for data persistence will use the service account to authenticate its Google Cloud Storage API calls.

https://developers.google.com/api-client-library/php/auth/service-accounts

+7
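As an added example (not code from the answers above or from google-api-php-client): a pre-flight check that classifies a credentials JSON by the keys named in the question and answer above, and reports which loader fits and which keys are missing. The function name `classify_google_credentials`, the sample documents, and the nesting of the OAuth keys under `web` / `installed` are assumptions of this example.

```php
<?php
// Added example (requires PHP 7+); not part of google-api-php-client.

// Classify a Google credentials JSON document by shape and report which
// required keys are absent. Only key names are returned, never values,
// so the result can be logged without leaking the secret or private key.
function classify_google_credentials(string $json): array
{
    $data = json_decode($json, true);
    if (!is_array($data)) {
        return ['kind' => 'invalid_json', 'loader' => null, 'missing' => []];
    }
    // Service account key: flat object tagged with "type".
    if (($data['type'] ?? null) === 'service_account') {
        $need = ['private_key_id', 'private_key', 'client_email', 'client_id'];
        return [
            'kind'    => 'service_account',
            'loader'  => 'loadServiceAccountJson',
            'missing' => array_values(array_diff($need, array_keys($data))),
        ];
    }
    // OAuth client secret: settings nested under "web" or "installed" (assumed layout).
    foreach (['web', 'installed'] as $kind) {
        if (isset($data[$kind]) && is_array($data[$kind])) {
            $need = ['client_id', 'client_secret', 'redirect_uris'];
            return [
                'kind'    => $kind,
                'loader'  => 'setAuthConfigFile',
                'missing' => array_values(array_diff($need, array_keys($data[$kind]))),
            ];
        }
    }
    return ['kind' => 'unknown', 'loader' => null, 'missing' => []];
}

// Constructed sample documents; every value is a placeholder.
$samples = [
    'service key' => '{"type":"service_account","private_key_id":"x","private_key":"x","client_email":"x","client_id":"x"}',
    'web client'  => '{"web":{"client_id":"x","client_secret":"x","redirect_uris":["https://app.example/cb"]}}',
    'no secret'   => '{"installed":{"client_id":"x","redirect_uris":["http://localhost"]}}',
    'not json'    => 'client_secret=x',
];
foreach ($samples as $label => $json) {
    $r = classify_google_credentials($json);
    printf("%-12s kind=%-16s loader=%-23s missing=[%s]\n",
        $label, $r['kind'], $r['loader'] ?? '-', implode(',', $r['missing']));
}
```

Passing a service account key to setAuthConfigFile() is the mismatch the question describes; running this check first separates a wrong file type from a truncated or hand-edited file.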

There is a new function in the PHP library that comes close to it, but it does not allow setting sub, so it always gives an authorization failure. So, first update the PHP library function loadServiceAccountJson in src/Google/Client.php:

    public function loadServiceAccountJson($jsonLocation, $scopes)
    {
        $data = json_decode(file_get_contents($jsonLocation));
        if (isset($data->type) && $data->type == 'service_account') {
            // Service Account format.
            $cred = new Google_Auth_AssertionCredentials(
                $data->client_email,
                $scopes,
                $data->private_key,
                'notasecret',
                'http://oauth.net/grant_type/jwt/1.0/bearer',
                $data->sub
            );
            return $cred;
        } else {
            throw new Google_Exception("Invalid service account JSON file.");
        }
    }

Then add the sub value to the data in the server json auth file:

    {
      "private_key_id": "removed",
      "private_key": "-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----\n",
      "client_email": "removed",
      "client_id": "removed",
      "redirect_uris": [your urls here],
      "type": "service_account",
      "sub": "valid.user@google.domain.com"
    }

Now get authorization:

    $credentials = $client->loadServiceAccountJson(
        'serverauth.json',
        "https://www.googleapis.com/auth/admin.directory.user.readonly"
    );
    $client->setAssertionCredentials($credentials);
    if ($client->getAuth()->isAccessTokenExpired()) {
        $client->getAuth()->refreshTokenWithAssertion();
    }

Where serverauth.json is the JSON key file downloaded for the service account you want to use, to which you added the sub value.

Finally, create a Directory service instance and query it:

    $service = new Google_Service_Directory($client);
    $optParams = array(
        'domain' => 'google.domain.com',
        'orderBy' => 'email',
        'viewType' => 'domain_public',
        'query' => "givenName:'Joe' familyName:'Schmoe Jr'"
    );
    $results = $service->users->listUsers($optParams);
    $users = $results->getUsers();
    print_r($users);

+2

I understand your risk. You have problems with the Google API. There are 3 types of JSON files in the Google API console: one is Web, the second is Service, and the last is Installed. The choice you need to use is Installed, because you will get a key installed or another.

0

1) "CREDENTIALS_PATH" must point to a non-existent file (in a writable path)

2) "CLIENT_SECRET_PATH" must point to the credential file "OAuth 2.0 Client ID" created and downloaded from the Google Console in the "Api Credentials" section.

For a server-side PHP script, just like yours, pay attention when creating the "OAuth 2.0 client ID" record: in the creation wizard you should select the "Other" type of application, and not the "Web" type.

Hello

0

Source: https://habr.com/ru/post/981167/