Google_Service_Directory - (403)未授权访问此资源/ api

时间:2014-10-16 16:14:57

标签: php api google-api-php-client google-admin-sdk

我只是使用PHP api的实际版本的示例,并使用" service-account.php"示例文件夹文件。

原作是用于显示" Books API",并且使用我的个人凭据配置它运行良好,但在我的xcase中我需要通过directory.groups.get服务访问以获得成员列表Google群组邮件列表的帐户,因此我更改了原始代码:

<?php

session_start();
include_once "templates/base.php";

/************************************************
  Make an API request authenticated with a service
  account.
 ************************************************/
require_once realpath(dirname(__FILE__) . '/../autoload.php');

/************************************************
 ************************************************/

// MY ACCOUNT DATA HERE
$client_id = 'xxx';
$service_account_name = 'xxx'; //Email Address 
$key_file_location = 'xxx.p12'; //key.p12
$groupKey = 'xxx';

echo pageHeader("My Service Account Access");
if ($client_id == '<YOUR_CLIENT_ID>'
    || !strlen($service_account_name)
    || !strlen($key_file_location)) {
  echo missingServiceAccountDetailsWarning();
}

$client = new Google_Client();
$client->setApplicationName("Client_Library_Examples");
//$service = new Google_Service_Books($client); //ORIGINAL
$service = new Google_Service_Directory($client);

/************************************************
 ************************************************/
if (isset($_SESSION['service_token'])) {
  $client->setAccessToken($_SESSION['service_token']);
}
$authArray = array(
                'https://www.googleapis.com/auth/admin.directory.group',
                'https://www.googleapis.com/auth/admin.directory.group.readonly',
                'https://www.googleapis.com/auth/admin.directory.group.member',
                'https://www.googleapis.com/auth/admin.directory.group.member.readonly'
);
$key = file_get_contents($key_file_location);
$cred = new Google_Auth_AssertionCredentials(
    $service_account_name,
    $authArray, //array('https://www.googleapis.com/auth/books'), //ORIGINAL
    $key
);
$client->setAssertionCredentials($cred);
if($client->getAuth()->isAccessTokenExpired()) {
  $client->getAuth()->refreshTokenWithAssertion($cred);
}
$_SESSION['service_token'] = $client->getAccessToken();


/************************************************
 ************************************************/
//$optParams = array('filter' => 'free-ebooks'); //ORIGINAL
$optParams = array('fields' => 'id');
//$results = $service->volumes->listVolumes('Henry David Thoreau', $optParams); //ORIGINAL
$results = $service->groups->get($groupKey, $optParams);
echo "<h3>Results Of Call:</h3>";
foreach ($results as $item) {
  //echo $item['volumeInfo']['title'], "<br /> \n"; //ORIGINAL
    echo "<pre>".print_r ($item, true)."</pre>";
}

echo pageFooter(__FILE__);

无论我做什么,提供API SDK授权,并使用刚刚在控制台开发人员的API凭据面板中创建的文件和凭据,我都会收到403错误。

这里是错误堆栈:

#0 /var/www/html/google_local/google-api-php-client-master/src/Google/Http/REST.php(41): 
Google_Http_REST::decodeHttpResponse(Object(Google_Http_Request)) 
#1 /var/www/html/google_local/google-api-php-client-master/src/Google/Client.php(546): 
Google_Http_REST::execute(Object(Google_Client), Object(Google_Http_Request)) 
#2 /var/www/html/google_local/google-api-php-client-master/src/Google/Service/Resource.php(190): 
Google_Client->execute(Object(Google_Http_Request)) 
#3 /var/www/html/google_local/google-api-php-client-master/src/Google/Service/Directory.php(1494): 
Google_Service_Resource->call('get', Array, 'Google_Service_...') 
#4 /var/www/html/google_local/googl in /var/www/html/google_local/google-api-php-client-master/src/Google/Http/REST.php on line 76

有什么建议吗?

谢谢, 罗伯特

1 个答案:

答案 0 :(得分:15)

问题的根源是服务帐户不是域的管理员,因此无法访问Admin SDK Directory API。相反,您需要为您的服务帐户启用domain-wide delegation,然后让服务帐户在发出请求时模拟域管理员:

$cred = new Google_Auth_AssertionCredentials(
    $service_account_name,
    $authArray,
    $key
);
$cred->sub = "admin@yourdomain.com";