auth via service account leads to api response "forbidden"
2,332 views
Skip to first unread message
Fex
Mar 28, 2012, 8:32:06 AM3/28/12
to oauth2-dev
Hello,
i'm using the google-api-php-client to authenticate a simple get
request to the analytics api. But i only get a 403 - forbidden
response.
Thats the way i did that:
1. i logged in at the google api console with an account wich has
access to the analytics account
2. i created a new service account within a project wich has access to
the analytics api
3. with the latest google-api-php-client i authenticated the request
to the analytics api by using this service account. The authentication
seems to work fine, as the request header contains "authorization:
Bearer {access_token}". But the response is always: {"error":{"errors":
[{"message":"Forbidden"}],"code":403,"message":"Forbidden"}}
When i authenticate the same api request via "Client ID for web
applications" (OAuth 2.0 Playground) i get my wanted response.
What i'am doing wrong?
Here is a short code snippet of what iam doing:
$client = new apiClient();
$client->setAssertionCredentials(new apiAssertionCredentials(
'{my service account email}',
array('https://www.googleapis.com/auth/analytics.readonly'),
'{my service account certificate}'
));
$request = $client->getIo()->authenticatedRequest(new
apiHttpRequest('https://www.googleapis.com/analytics/v3/data/ga?{my
query}'));
any ideas?
i'm using the google-api-php-client to authenticate a simple get
request to the analytics api. But i only get a 403 - forbidden
response.
Thats the way i did that:
1. i logged in at the google api console with an account wich has
access to the analytics account
2. i created a new service account within a project wich has access to
the analytics api
3. with the latest google-api-php-client i authenticated the request
to the analytics api by using this service account. The authentication
seems to work fine, as the request header contains "authorization:
Bearer {access_token}". But the response is always: {"error":{"errors":
[{"message":"Forbidden"}],"code":403,"message":"Forbidden"}}
When i authenticate the same api request via "Client ID for web
applications" (OAuth 2.0 Playground) i get my wanted response.
What i'am doing wrong?
Here is a short code snippet of what iam doing:
$client = new apiClient();
$client->setAssertionCredentials(new apiAssertionCredentials(
'{my service account email}',
array('https://www.googleapis.com/auth/analytics.readonly'),
'{my service account certificate}'
));
$request = $client->getIo()->authenticatedRequest(new
apiHttpRequest('https://www.googleapis.com/analytics/v3/data/ga?{my
query}'));
any ideas?
Andrew Magee
Mar 28, 2012, 7:29:39 PM3/28/12
to oauth...@googlegroups.com
I'm having the same issue with the Python API. Connecting seems fine, but querying always returns 403. I'm not even sure if Analytics even supports service accounts yet; all I've found on the matter is here http://googledevelopers.blogspot.com.au/2012/03/service-accounts-have-arrived.html, there is a comment from a week ago saying "I am especially waiting for the Google Analytics API to have services accounts!".
Eric Haskins
Mar 28, 2012, 7:38:33 PM3/28/12
to oauth...@googlegroups.com
I have been told in the AdSense management API group anything that is tied to a user account AdSense ,Calender , user info is not supported via service accounts. We are a Google partner and need to query our stats and earnings but are forced to use the installed app version.
I mentioned in the AdSense group its easier to process a credit card txn with authorize.net than it is to access statistics with Google :-)
Eric Haskins
Justin Smith
Mar 29, 2012, 1:55:10 AM3/29/12
to oauth...@googlegroups.com
Unfortunately Service Accounts aren't supported by all Google APIs. We're working to enable it more broadly.
The APIs listed on the blogpost are the only ones that work with Service Accounts today.
Andrew Magee
Mar 29, 2012, 2:04:07 AM3/29/12
to oauth...@googlegroups.com
Fair enough. In that case the blog post is quite confusing, as it does say:
- Google APIs Client Libraries for Python, Java, and PHP
I'm using what I imagine would be called the Google APIs Client Library for Python, so from reading this there is no indication that Analytics isn't supported.
Justin Smith
Mar 29, 2012, 2:13:01 AM3/29/12
to oauth...@googlegroups.com
Fair point. My fault for not making that more clear.
The libraries (Python, Java, PHP) can obtain an access token using only a service account. They can do this for just about any scope. However, not all APIs can consume these tokens (just yet). That's what is happening for the Analytics API.
Fex
Mar 29, 2012, 4:29:36 AM3/29/12
to oauth...@googlegroups.com
Thank you for the clarification. I was misleaded by the api documentation, wich clearly states support for bearer auth header:
Ryan Burke
Apr 17, 2012, 3:51:07 PM4/17/12
to oauth...@googlegroups.com
Justin, does Google have any timeline for expanding API consumption of service account tokens? It was pretty frustrating to troubleshoot a service account implementation to Google Analytics only to find this post.
On Thursday, March 29, 2012 12:13:01 AM UTC-6, Justin Smith wrote:
On Thursday, March 29, 2012 12:13:01 AM UTC-6, Justin Smith wrote:
Fair point. My fault for not making that more clear.
The libraries (Python, Java, PHP) can obtain an access token using only a service account. They can do this for just about any scope. However, not all APIs can consume these tokens (just yet). That's what is happening for the Analytics API.
Reply all
Reply to author
Forward
0 new messages