Hello,
I'm using the PHP Google API Client Library. I've followed (and painstakingly re-followed) every step of this page
https://developers.google.com/drive/web/delegation to create the service account and its credentials and delegate domain-wide authority to my service account. I used the following code, as shown in the example, to return the service object from which I attempt to create a folder on Google Drive:
<?php
require_once "google-api-php-client/src/Google_Client.php";
require_once "google-api-php-client/src/contrib/Google_DriveService.php";
require_once "google-api-php-client/src/contrib/Google_Oauth2Service.php";

session_start();

$DRIVE_SCOPE = 'https://www.googleapis.com/auth/drive';
$SERVICE_ACCOUNT_EMAIL = '<some-id>@developer.gserviceaccount.com';
$SERVICE_ACCOUNT_PKCS12_FILE_PATH = '/path/to/<public_key_fingerprint>-privatekey.p12';

/**
 * Builds and returns a Drive service object authorized with the service account
 * that acts on behalf of the given user.
 *
 * @param string $userEmail The email of the user.
 * @return Google_DriveService service object.
 */
function buildService($userEmail='mye...@mydomain.com') {
    // The settings above are globals; import them into the function scope.
    global $DRIVE_SCOPE, $SERVICE_ACCOUNT_EMAIL, $SERVICE_ACCOUNT_PKCS12_FILE_PATH;

    // Raw PKCS#12 private key of the service account.
    $key = file_get_contents($SERVICE_ACCOUNT_PKCS12_FILE_PATH);
    $auth = new Google_AssertionCredentials(
        $SERVICE_ACCOUNT_EMAIL,
        array($DRIVE_SCOPE),
        $key);
    $auth->sub = $userEmail;
    $client = new Google_Client();
    $client->setUseObjects(true);
    $client->setAssertionCredentials($auth);
    return new Google_DriveService($client);
}
?>
This works, except the folder still shows the service account as the owner and not user
mye...@mydomain.com which is what I want. I dove deeper into the php client library and discovered that the line
$auth->sub = $userEmail should (I think) appropriately be $auth->prn = $userEmail, given this code on line 39 of my version of src/auth/Google_AssertionCredentials.php:
* @param bool|string $prn The email address of the user for which the
* application is requesting delegated access.
I would have linked to the GitHub repo for the client library but the version there appears to be a newer one and the examples at
https://developers.google.com/drive/web/delegation won't work with it. So I use my version instead and get the following error:
An error occurred: Error refreshing the OAuth2 token, message: '{ "error" : "access_denied", "error_description" : "Requested client not authorized." }'
Searching Stack Overflow and other areas of the groups shows some similar problems but no answers have worked for me. I just want to use my service account to create a folder and have that folder be owned by a different designated user within my domain.
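
Added example (not part of the original post and not code from the client library): in the OAuth 2.0 service-account flow the user to impersonate travels as a claim inside the signed JWT assertion, named `sub` today and `prn` in older versions, and an assertion without that claim yields a token for the service account itself. The sketch below builds such an assertion and reads back which user it names; the function names, the `example.invalid` addresses, the throwaway key and the `aud` token endpoint are assumptions chosen for illustration.

```php
<?php
// Added example: builds the JWT assertion used by the OAuth 2.0 service-account
// flow and reports which user, if any, the assertion asks to impersonate.
function b64url(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// $userClaim is 'sub' (current name) or 'prn' (older name); $user = null means no delegation.
function buildAssertion($privateKey, string $iss, array $scopes, ?string $user, string $userClaim = 'sub'): string {
    $now = time();
    $claims = [
        'iss'   => $iss,
        'scope' => implode(' ', $scopes),
        'aud'   => 'https://oauth2.googleapis.com/token', // assumed token endpoint
        'iat'   => $now,
        'exp'   => $now + 3600,
    ];
    if ($user !== null) {
        $claims[$userClaim] = $user;
    }
    $input = b64url(json_encode(['alg' => 'RS256', 'typ' => 'JWT']))
        . '.' . b64url(json_encode($claims));
    if (!openssl_sign($input, $signature, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('Signing the assertion failed');
    }
    return $input . '.' . b64url($signature);
}

// Decodes the payload segment and returns the impersonated user, or null if none is named.
function delegatedUser(string $jwt): ?string {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('Not a compact JWT');
    }
    $claims = json_decode(base64_decode(strtr($parts[1], '-_', '+/')), true);
    if (!is_array($claims)) {
        throw new InvalidArgumentException('JWT payload is not a JSON object');
    }
    return $claims['sub'] ?? $claims['prn'] ?? null;
}

// Constructed inputs: a throwaway RSA key and placeholder identities.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
if ($key === false) { throw new RuntimeException('Could not generate a test key'); }
$iss = 'service-account@example.invalid';
$scopes = ['https://www.googleapis.com/auth/drive'];
var_dump(delegatedUser(buildAssertion($key, $iss, $scopes, null)));
var_dump(delegatedUser(buildAssertion($key, $iss, $scopes, 'user@example.invalid', 'prn')));
```

Running `delegatedUser()` on an assertion captured from a real client shows whether the user email reached the token request at all, which separates a library-side problem from an authorization problem on the domain side.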