Help with oAuth 2LO + Zend Provisioning API
Isidoro!
I'm trying to build a PHP application to rename users in Google Apps. I'm using Provisioning API and 2LO with Zend. I have problems with access.
This is my code:
$oauthOptions = array(
'requestScheme' => Zend_Oauth::REQUEST_SCHEME_HEADER,
'version' => '1.0',
'signatureMethod' => 'HMAC-SHA1',
'consumerKey' => $CONSUMER_KEY,
'consumerSecret' => $CONSUMER_SECRET
);
$consumer = new Zend_Oauth_Consumer($oauthOptions);
$token = new Zend_Oauth_Token_Access();
$httpClient = $token->getHttpClient($oauthOptions);
$service = new Zend_Gdata_Gapps($httpClient, $DOMAIN);
$service->enableRequestDebugLogging('/tmp/foo.txt');
$updateUser = $service->retrieveUser($USER);
echo 'user to change ' . $updateUser->login;
$updateUser->login->name = 'x1';
$updateUser = $updateUser->save();
If I set the scope to https://apps-apis.google.com/a/feeds/user/#readonly I'm able to retrieve the user.
I have disabled from the control panel Two-legged OAuth access control (allow Access to All API) and added the scope
| |
https://apps-apis.google.com/a/feeds/user/2.0/domain/ to update the user but I get a Zend Exception GET /a/feeds/XXXXXX.com/user/2.0/XXXXXXX HTTP/1.1 Host: apps-apis.google.com Connection: close User-Agent: MyCompany-MyApp-1.0 Zend_Framework_Gdata/1.11.0dev Accept-encoding: identity Authorization: OAuth realm="",oauth_consumer_key="cloudspartner.com",oauth_nonce="a52fa4056615b5623c9e4b9c6ce55b85",oauth_signature_method="HMAC-SHA1",oauth_timestamp="1331891784",oauth_version="1.0",oauth_signature="DczkQoN2VJpDkyXGMgcFedCcMMg%3D" Closing socket Closing socket HTTP/1.1 401 Unknown authorization header WWW-Authenticate: GoogleLogin realm="http://www.google.com/accounts/ClientLogin", service="apps" Content-Type: text/html; charset=UTF-8 Date: Fri, 16 Mar 2012 09:56:25 GMT Expires: Fri, 16 Mar 2012 09:56:25 GMT Cache-Control: private, max-age=0 X-Content-Type-Options: nosniff X-Frame-Options: SAMEORIGIN X-XSS-Protection: 1; mode=block Server: GSE Connection: close <HTML> <HEAD> <TITLE>Unknown authorization header</TITLE> </HEAD> <BODY BGCOLOR="#FFFFFF" TEXT="#000000"> <H1>Unknown authorization header</H1> <H2>Error 401</H2> </BODY> </HTML> Can you point me to the right direction? I can always do ClienLogin, but I'm trying to avoid it. Thanks and regards, |
Alexandre Jacquet
Authenticating Requests
Each API request that you send needs to contain an authentication token, which Google will use to authorize access to the operation specified in the API request. Authentication tokens are only available to users who have administrative rights in your domain, and those tokens only authorize operations within your domain.
If your client is a standalone single-user "installed" client (such as a desktop application), then you should use the ClientLogin Interface system. ClientLogin can be used with multiple domains and organization units.
If your client is a multi-user web application client, then you should use 3-legged OAuth. Both of these methods involve interacting with an authentication service. The authentication service returns an authentication token that your client can then send to the Provisioning API service along with every subsequent request on behalf of that user.
For clients using ClientLogin that have been enrolled in two-step verification, use your two-step verification access code for the password query parameter.
 |
Alexandre Jacquet Google Apps Deployment Specialst |
--
You received this message because you are subscribed to the Google Groups "Google Apps Domain Information and Management APIs" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-mgmt-apis/-/JeDaiWOzGd0J.
To post to this group, send email to google-app...@googlegroups.com.
To unsubscribe from this group, send email to google-apps-mgmt...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-apps-mgmt-apis?hl=en.
Isidoro!
Thanks for your comments.
Believe it or not, we do have a use case for this request.
We're deploying Google Apps in a University and one of their requirements is to be able to change the username from their own website (along with password).
Since we use GADS, if we rename in LDAP, this will suspend the user in Google Apps and create a new user.
So, we need a way to change the username. If we do use 3LO, the user will be prompt with an additional username and pass to fill in, so he will be confused. That's why we plan to use 2LO or ClientLogin (least preferable option), to hide this extra step for the user. At the end of the day, the site will be only accessible via University' intranet.
Best
Alexandre Jacquet
|
Alexandre Jacquet Google Apps Deployment Specialst |
--
You received this message because you are subscribed to the Google Groups "Google Apps Domain Information and Management APIs" group.
To view this discussion on the web visit https://groups.google.com/d/msg/google-apps-mgmt-apis/-/afBLnWhkEcMJ.