Google php client library loadServiceAccountJson broken - fix enclosed

The new function in the PHP library, loadServiceAccountJson, doesn't allow setting sub in the Google_Auth_AssertionCredentials creator, so it always gives authorization failures. How do we get the library updated?

The following instructions will allow a working query, in my case to the Admin SDK Directory API:

First, update the php library function loadServiceAccountJson in src/Google/Client.php to this:

```php
  public function loadServiceAccountJson($jsonLocation, $scopes)
  {
    $data = json_decode(file_get_contents($jsonLocation));
    if (isset($data->type) && $data->type == 'service_account') {
      // Service Account format.
      $cred = new Google_Auth_AssertionCredentials(
          $data->client_email,
          $scopes,
          $data->private_key,
          'notasecret',                                  // private key password
          'http://oauth.net/grant_type/jwt/1.0/bearer',  // assertion type
          isset($data->sub) ? $data->sub : false         // user to impersonate; false when the file has no sub
      );
      return $cred;
    } else {
      throw new Google_Exception("Invalid service account JSON file.");
    }
  }
```

Then, add a value sub to the data in your server auth json file, downloaded from the Developer Console/APIs & Auth/Credentials (you'll need to make a Service Account) - name the file serverauth.json:

```json
{
  "private_key_id": "removed",
  "private_key": "-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----\n",
  "client_email": "removed",
  "client_id": "removed",
  "redirect_uris":[your urls here],
  "type": "service_account",
  "sub": "[email protected]"
}
```

Now, obtain authorization:

```php
$client = new Google_Client();

// Load the service account key (including the added sub value) and request a read-only scope.
$credentials = $client->loadServiceAccountJson('serverauth.json', "https://www.googleapis.com/auth/admin.directory.user.readonly");
$client->setAssertionCredentials($credentials);
if ($client->getAuth()->isAccessTokenExpired()) {
    $client->getAuth()->refreshTokenWithAssertion();
}
```

And lastly, create a Directory instance and query it:

```php
$service = new Google_Service_Directory($client);
$optParams = array(
    'domain' => 'google.domain.com',
    'orderBy' => 'email',
    'viewType' => 'domain_public',
    'query' => "givenName:'Joe' familyName:'Schmoe Jr'"
);
$results = $service->users->listUsers($optParams);
$users = $results->getUsers();

print_r($users);
```
Goshorn answered 24/7, 2015 at 16:46

The new Google API is a bit different now:

```php
$client = new Google_Client();
$client->setApplicationName("YourAppName");
// Placeholders in angle brackets are quoted so the snippet parses; replace them with real values.
$client->setAuthConfig('<JSON-Config-File-Location>');
$client->setScopes(array(
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly"
));
$client->setSubject('<User-Email-To-Impersonate>');

$service = new Google_Service_Directory($client);
$results = $service->users->listUsers(array('domain' => '<your-domain-name>'));
```

I'm still trying to figure out how I can get this without the need to impersonate a user.

Quinone answered 10/3, 2016 at 13:10

Comment from Goshorn: You probably can't do it without acting as a user within the domain, unless your current Service Account has permissions on the scopes you need. (A domain admin can set that up for you, but you probably won't have it by default.) I didn't know there was a new library - I'll go have a look.
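
What the `sub` argument in the first post and `setSubject()` in the second change in the request, as an added example that is not code from either post or from the Google client library: the JWT assertion signed with the service account key gains a `sub` claim naming the domain user to act as. The throwaway key pair, the account names, the `aud` token endpoint value and the helper function names are assumptions made for the illustration.

```php
<?php
// Added example: builds the signed JWT assertion with and without the "sub" claim.
function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Build an RS256-signed assertion; $sub = null means "act as the service account itself".
function buildAssertion(string $clientEmail, string $privateKeyPem, array $scopes, ?string $sub, int $now): string
{
    $claims = [
        'iss'   => $clientEmail,                          // service account identity
        'scope' => implode(' ', $scopes),                 // space-separated scope list
        'aud'   => 'https://oauth2.googleapis.com/token', // assumed token endpoint
        'iat'   => $now,
        'exp'   => $now + 3600,                           // short-lived: one hour
    ];
    if ($sub !== null) {
        $claims['sub'] = $sub;                            // domain user to impersonate
    }
    $input = b64url(json_encode(['alg' => 'RS256', 'typ' => 'JWT'])) . '.' . b64url(json_encode($claims));
    if (!openssl_sign($input, $signature, $privateKeyPem, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('Signing failed: ' . openssl_error_string());
    }
    return $input . '.' . b64url($signature);
}

// Decode the claim set (middle segment) without verifying the signature; inspection only.
function decodeClaims(string $jwt): array
{
    [, $payload] = explode('.', $jwt);
    return json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
}

// Constructed sample data: a throwaway key pair and placeholder identities.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($key, $pem);
$scopes = ['https://www.googleapis.com/auth/admin.directory.user.readonly'];
$svc = 'svc@example-project.iam.gserviceaccount.com';

$asSelf = buildAssertion($svc, $pem, $scopes, null, time());
$asUser = buildAssertion($svc, $pem, $scopes, 'admin@example.com', time());
var_dump(array_key_exists('sub', decodeClaims($asSelf))); // no sub: token is for the service account
var_dump(decodeClaims($asUser)['sub']);                   // sub present: token is for that user
```

Because the impersonated user is just a claim the key holder chooses, anyone holding the private key of a service account with domain-wide delegation can name any user in the domain, limited only by the scopes the domain admin authorized for that client.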
