CODEWITHSUNDEEP
google-oauthgoogle-admin-sdkgoogle-directory-api
Techlands
Techlands

Reputation: 21

Google API Admin SDK Error (Requested client not authorized)

Quick Background: Creating a php class to add/remove emails from a group under a google apps account. I used the same google account for the Apps Admin Console to create a project under the Developers Console. Also the google apps account is in trial mode which expires in 29 days (pending initial payment).

App Details: Using Google API Client via Composer https://github.com/google/google-api-php-client

Other Details: Developers Console -> Project -> Admin SDK Enabled, Admin Console -> Security -> Api Access Enabled

Issue: getting exception "Requested client not authorized." on refreshTokenWithAssertion() call

If I comment out $cred->sub = from the code below I get this exception

Error calling GET https://www.googleapis.com/admin/directory/v1/groups/{groupemail}/members/{memberemail}: (403) Not Authorized to access this resource/api

Code:

static public function test() {
    try {
        $client = new Google_Client();
        $client->setApplicationName('app-name');
        $service = new Google_Service_Directory($client);

        if (!empty(self::$serviceToken)) {
            $client->setAccessToken(self::$serviceToken);
        }

        $key = file_get_contents(APP . DS . 'Config' . DS . 'google.p12');

        $cred = new Google_Auth_AssertionCredentials(
            '[email protected]',
            array(
                'https://www.googleapis.com/auth/directory.user',
                'https://www.googleapis.com/auth/directory.group',
                'https://www.googleapis.com/auth/directory.group.member',
            ),
            $key,
            'notasecret'
        );

        $cred->sub = 'google apps account email';

        $client->setAssertionCredentials($cred);

        if($client->getAuth()->isAccessTokenExpired()) {
            $client->getAuth()->refreshTokenWithAssertion($cred);
        }
        self::$serviceToken = $client->getAccessToken();

        $resp = $service->members->get('group email address', 'email address of group member');
    }
    catch (Exception $e) {
        echo $e->getMessage();
    }
}

Upvotes: 0

Views: 1020

Answers (1)

miketreacy
miketreacy

Reputation: 1120

In your array:

        array(
            'https://www.googleapis.com/auth/directory.user',
            'https://www.googleapis.com/auth/directory.group',
            'https://www.googleapis.com/auth/directory.group.member',
        ),

I believe the authorize requests should be:

        array(
            'https://www.googleapis.com/auth/admin.directory.user',
            'https://www.googleapis.com/auth/admin.directory.group',
            'https://www.googleapis.com/auth/admin.directory.group.member',
        ),

More information be found here.

Upvotes: 2

Related Questions