"403 Forbidden" response from Google Android In App Purchases API with service account

Question

Cannot make Android In App Purchases API working with service account credentials using native Google PHP client.

I took sample script from Google PHP client package (google\examples\service-account.php), provided all required credentials in it and it worked out perfectly for "Books" service, but not for "Android in App Purchases".

The code below works fine:

$client_id = '{SERVICE_CLIENT_ID}';
$service_account_name = '{SERVICE_ACCOUNT_NAME}';
$key_file_location = '{KEY_PATH}';

$client = new Google_Client();
$client->setApplicationName("Client_Library_Examples");

$service = new Google_Service_Books($client);
$scopes = array('https://www.googleapis.com/auth/books');
$key = file_get_contents($key_file_location);
$cred = new Google_Auth_AssertionCredentials($service_account_name, $scopes, $key);
$client->setAssertionCredentials($cred);

if($client->getAuth()->isAccessTokenExpired()) {
    $client->getAuth()->refreshTokenWithAssertion($cred);
}

echo '<pre>'; $results = $service->volumes->listVolumes('Henry David Thoreau', array('filter' => 'free-ebooks')); print_r($results); echo '</pre>';

the code below ends up with "403 Forbidden" as a response from Google:

$client_id = '{SERVICE_CLIENT_ID}';
$service_account_name = '{SERVICE_ACCOUNT_NAME}';
$key_file_location = '{KEY_PATH}';

$client = new Google_Client();
$client->setApplicationName("Client_Library_Examples");

$service = new Google_Service_AndroidPublisher($client);
$scopes = array('https://www.googleapis.com/auth/androidpublisher');
$key = file_get_contents($key_file_location);
$cred = new Google_Auth_AssertionCredentials($service_account_name, $scopes, $key);
$client->setAssertionCredentials($cred);

if($client->getAuth()->isAccessTokenExpired()) {
    $client->getAuth()->refreshTokenWithAssertion($cred);
}

echo '<pre>'; $results = $service->inapppurchases->get('{PACKAGE}', '{PRODUCT}', '{TOKEN}'); print_r($results); echo '</pre>';

I also tested that with Web Account credentials (when access token is generated by special "code" given by Google after "redirect"). The result is the same - 403 Forbidden.

Could anybody give any clue why Android API does not work how it's expected?

Answer 1

Ok I found the solution!

You must to connect your API with your app. You must go to your Google Play publish page (https://play.google.com/apps/publish) and invite a user with the service account email in Settings->User account & rights->Invite new user and give it the privileges of "View financial reports".

Thanks works for me, good luck!

Answer 2

I had a similar problem as you. I finally managed to solve it by looking at links generated here: https://developers.google.com/oauthplayground/

Apparently, Android publisher scope

https://www.googleapis.com/auth/androidpublisher

needs to be added into the link requesting authorisation code (before even generating refresh token) by adding:

&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fandroidpublisher

to get this:

https://accounts.google.com/o/oauth2/auth?redirect_uri=<YOUR_REDIRECT_URI>&response_type=code&client_id=<YOUR_CLIENT_ID>&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fandroidpublisher&approval_prompt=force&access_type=offline

Answer 3

You will need to log in as "you", but that can be a one time operation - if you request offline access you will be able to get a refresh token that can be used to mint new access tokens - so you could even do this as part of an out of band process and simply deploy with your refresh token. The service account can't be used (without some kind of delegation) as it doesn't identify an individual user, which is needed here.