Login/Register
Impersonate google user with a service account
Asked Answered
impersonationgoogle-drive-apigoogle-api-php-client
P

1

6

I'm using google-api-php-client 0.6.1 and I'd like to know is there a way to impersonate concrete user with service account? My application needs to store some files in its google drive. So, I've decided to user service account and .p12 key - authentification. It works great, but all files are being stored in Service account, so I can't manage them. I'd like documents to be stored at the certain account (which was using to create the api project and the service account itself). I was trying to use this code:

$KEY_FILE = <p12 key file path>;
$key = file_get_contents($KEY_FILE);
$auth = new Google_AssertionCredentials(
      $SERVICE_ACCOUNT_NAME,
      array('https://www.googleapis.com/auth/drive'),
      $key);
$auth->prn = '<[email protected]>';
$client = new Google_Client();
$client->setUseObjects(true);
$client->setAssertionCredentials($auth);
return new Google_DriveService($client);

but I got "Error refreshing the OAuth2 token, message: '{ "error" : "access_denied" }'"

Prehistory answered 6/3, 2013 at 7:10 Comment(2)
I experience the same issue and it seems that I should make some changes in google configuration itself. Have you found the solution? Can you point me what should I change?Crewel
did you find any solution ?Croteau
U
3

Don't user $auth->prn, use $auth->sub. This works for me:

// Create a new google client.  We need this for all API access.
$client = new Google_Client();
$client->setApplicationName("Google Group Test");

$client_id = '...';
$service_account_name = '...';
$key_file_location = '...';

if (isset($_SESSION['service_token'])) {
    $client->setAccessToken($_SESSION['service_token']);
}
$key = file_get_contents($key_file_location);

// https://www.googleapis.com/auth/admin.directory.group,
// https://www.googleapis.com/auth/admin.directory.group.readonly, 
// https://www.googleapis.com/auth/admin.directory.group.member, 
// https://www.googleapis.com/auth/admin.directory.group.member.readonly,
// https://www.googleapis.com/auth/apps.groups.settings, 
// https://www.googleapis.com/auth/books
$cred = new Google_Auth_AssertionCredentials(
    $service_account_name,
        array(
            Google_Service_Groupssettings::APPS_GROUPS_SETTINGS,
            Google_Service_Directory::ADMIN_DIRECTORY_GROUP,
            Google_Service_Directory::ADMIN_DIRECTORY_GROUP_READONLY,

            Google_Service_Directory::ADMIN_DIRECTORY_GROUP_MEMBER,
            Google_Service_Directory::ADMIN_DIRECTORY_GROUP_MEMBER_READONLY,

            Google_Service_Books::BOOKS,
        ),
        $key,
        'notasecret'
    );
//
// Very important step:  the service account must also declare the
// identity (via email address) of a user with admin priviledges that
// it would like to masquerade as.
//
// See:  https://mcmap.net/q/1915752/-trouble-making-authenticated-calls-to-google-api-via-oauth
//
$cred->sub = '...';
$client->setAssertionCredentials($cred);
if ($client->getAuth()->isAccessTokenExpired()) {
    $client->getAuth()->refreshTokenWithAssertion($cred);
}
$_SESSION['service_token'] = $client->getAccessToken();
Urano answered 14/3, 2015 at 22:22 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.