Thanks for your reply. Do I understand correctly that as far as you can see the setup of my Master Ad Account, the gmail account that owns it, the Master Account that owns the Developer Token, the Google Workspace and the Service Account is all OK?
Yes, I am using php curl to request and store the access token on my web server. Here is the code, with a few redactions. The code is executed every 6 minutes via cron, so the token is usually refreshed after 48 minutes.
<?php
// Retrieve current token from file (expiry defaults to 0 so the first run refreshes)
$tokenJsonFile = file_get_contents('/**********/**********.json');
$tokenData = json_decode($tokenJsonFile);
$expiry = isset($tokenData->expiry) ? $tokenData->expiry : 0;
$expiry_time = $expiry - time();

// JWT segments must be base64url (RFC 7515): URL-safe alphabet, no '=' padding.
// Plain base64_encode() emits '+', '/' and '=', which is not what the token endpoint expects.
function base64url_encode($data) {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Refresh token if < 15 minutes to expiry
if ($expiry_time < 900) {
    // JWT Header
    $JWTHead = base64url_encode('{"alg":"RS256","typ":"JWT"}');
    // JWT Claim Data
    $keyDataJsonFile = file_get_contents('/**********/**********.json');
    $keyData = json_decode($keyDataJsonFile);
    $iss = $keyData->client_email;
    // $sub = $keyData->client_email;
    $scope = '**********'; // OAuth scope (redacted); it must be defined before the claim is built
    $aud = $keyData->token_uri;
    $iat = time();
    $exp = $iat + 3600;
    // iat and exp are NumericDate values and must be JSON numbers, not quoted strings;
    // json_encode() gets the types and escaping right where hand-built JSON did not.
    $claims = array(
        'iss'   => $iss,
        'scope' => $scope,
        'aud'   => $aud,
        'iat'   => $iat,
        'exp'   => $exp
    );
    // $claims['sub'] = $sub;
    $JWTClaim = base64url_encode(json_encode($claims));
    // JWT Signature (RS256 = RSASSA-PKCS1-v1_5 with SHA-256)
    $privateKey = $keyData->private_key;
    openssl_sign(
        $JWTHead . "." . $JWTClaim,
        $JWTSignature,
        $privateKey,
        OPENSSL_ALGO_SHA256
    );
    $JWTSignature = base64url_encode($JWTSignature);
    // Post Token Request
    $curl = curl_init($aud);
    $parms = [
        'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
        'assertion'  => $JWTHead . "." . $JWTClaim . "." . $JWTSignature
    ];
    $data = http_build_query($parms);
    curl_setopt($curl, CURLOPT_POST, true);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_POSTFIELDS, $data);
    $response = curl_exec($curl);
    $curlError = curl_error($curl); // empty string unless the request itself failed
    curl_close($curl);
    $responseData = json_decode($response);
    $access_token = isset($responseData->access_token) ? $responseData->access_token : null;
    // If token not granted send email
    if (!isset($access_token)) {
        $tomail = "**********";
        $headers = 'From: **********';
        $subject = "OAuth Token Not Granted: Response Data";
        // var_dump() prints to stdout and returns null, so the mail body was empty;
        // var_export(..., true) returns the dump as a string. Include the raw body and any cURL error.
        $body = var_export($responseData, true) . "\n\n" . $response . "\n" . $curlError;
        mail($tomail, $subject, $body, $headers);
    } else {
        // otherwise write new token data to file
        $expires_in = $responseData->expires_in;
        $token_type = $responseData->token_type;
        $newExpiry = $iat + $expires_in;
        $newTokenData = array(
            "access_token" => $access_token,
            "expiry"       => $newExpiry,
            "token_type"   => $token_type
        );
        $newTokenJson = json_encode($newTokenData);
        file_put_contents('/**********/**********.json', $newTokenJson);
    }
}
?>
I haven't tried using a client library - my general preference is not to have to internalize the workings of another layer of software and its attendant documentation unless there are convincing benefits to offset the time investment.
Please let me know if there is anything else I can do to assist your investigation.
Regards,
Martin
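As an added debugging aid, not part of Martin's code or of any Google library, the following Python lints a service-account assertion for the encoding faults the posted PHP has (plain base64_encode() instead of base64url, iat/exp as quoted strings) and for the documented aud and one-hour lifetime limits of Google's JWT-bearer grant. The issuer, scope and signature bytes are constructed placeholders, and the signature itself is not verified.

```python
import base64
import json

TOKEN_URI = "https://oauth2.googleapis.com/token"  # Google's token endpoint (token_uri in the key file)
ISS = "svc@example-project.iam.gserviceaccount.com"  # constructed; the real issuer and scope are redacted
SCOPE = "https://www.googleapis.com/auth/example"     # constructed placeholder scope
FAKE_SIG = bytes(range(256))  # constructed stand-in for the RS256 signature; it is not verified here

def b64url(raw: bytes) -> str:
    """RFC 7515 base64url: URL-safe alphabet, '=' padding stripped (what JWT segments require)."""
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def build_assertion(iat: int, exp: int) -> str:
    """header.claims.signature encoded the way the jwt-bearer grant expects."""
    header = json.dumps({"alg": "RS256", "typ": "JWT"}, separators=(",", ":"))
    claims = json.dumps({"iss": ISS, "scope": SCOPE, "aud": TOKEN_URI, "iat": iat, "exp": exp})
    return ".".join(b64url(s.encode()) for s in (header, claims)) + "." + b64url(FAKE_SIG)

def buggy_assertion(iat: int, exp: int) -> str:
    """Same claims built the way the posted PHP does: base64_encode() and iat/exp as quoted strings."""
    header = base64.b64encode(b'{"alg":"RS256","typ":"JWT"}').decode()
    claims = json.dumps({"iss": ISS, "scope": SCOPE, "aud": TOKEN_URI, "iat": str(iat), "exp": str(exp)})
    return f"{header}.{base64.b64encode(claims.encode()).decode()}.{base64.b64encode(FAKE_SIG).decode()}"

def lint_assertion(assertion: str) -> list:
    """List structural faults a jwt-bearer assertion must not have; the signature bytes are not checked."""
    parts = assertion.split(".")
    if len(parts) != 3:
        return ["assertion must have exactly three dot-separated segments"]
    problems = [f"{name} segment uses standard base64 ('+', '/' or '=') instead of base64url"
                for name, seg in zip(("header", "claims", "signature"), parts) if set(seg) & set("+/=")]
    try:
        header, claims = (json.loads(b64url_decode(p)) for p in parts[:2])
    except ValueError:
        return problems + ["header or claims segment is not valid JSON"]
    if header.get("alg") != "RS256":
        problems.append("header alg must be RS256")
    problems += [f"missing claim {c}" for c in ("iss", "scope", "aud", "iat", "exp") if c not in claims]
    iat, exp = claims.get("iat"), claims.get("exp")
    if not (isinstance(iat, int) and isinstance(exp, int)):
        problems.append("iat and exp must be JSON numbers (NumericDate), not quoted strings")
    elif not 0 < exp - iat <= 3600:
        problems.append("exp must be after iat and at most one hour later")
    if claims.get("aud") != TOKEN_URI:
        problems.append(f"aud must be {TOKEN_URI}")
    return problems
```

Running lint_assertion over the assertion string a script actually sends (logged before the POST) shows at once whether a "token not granted" response is down to encoding rather than to account or key configuration.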