Google_Service_Directory - （403）未授权访问该资源/ API [英] Google_Service_Directory - (403) Not Authorized to access this resource/api

问题描述

我只使用一个问题的PHP API的实际版本的例子，并使用实施例的文件夹的服务account.php文件。

I have a problem just using an example of actual version of PHP api, and using the "service-account.php" file of examples folder.

原来是作秀的书API，并与我个人的凭据配置效果很好，但在我XCASE我需要directory.groups.get服务访问有一个谷歌组的成员帐户列表邮件列表，所以我改变原来的code在这：

the original is for show the "Books API", and with my personal credentials configuration it works well, but in my xcase I need to access by directory.groups.get service to have the list of members accounts of a google groups mail list, so I change the original code in this:

<?php

session_start();
include_once "templates/base.php";

/************************************************
  Make an API request authenticated with a service
  account.
 ************************************************/
require_once realpath(dirname(__FILE__) . '/../autoload.php');

/************************************************
 ************************************************/

// MY ACCOUNT DATA HERE
$client_id = 'xxx';
$service_account_name = 'xxx'; //Email Address 
$key_file_location = 'xxx.p12'; //key.p12
$groupKey = 'xxx';

echo pageHeader("My Service Account Access");
if ($client_id == '<YOUR_CLIENT_ID>'
    || !strlen($service_account_name)
    || !strlen($key_file_location)) {
  echo missingServiceAccountDetailsWarning();
}

$client = new Google_Client();
$client->setApplicationName("Client_Library_Examples");
//$service = new Google_Service_Books($client); //ORIGINAL
$service = new Google_Service_Directory($client);

/************************************************
 ************************************************/
if (isset($_SESSION['service_token'])) {
  $client->setAccessToken($_SESSION['service_token']);
}
$authArray = array(
                'https://www.googleapis.com/auth/admin.directory.group',
                'https://www.googleapis.com/auth/admin.directory.group.readonly',
                'https://www.googleapis.com/auth/admin.directory.group.member',
                'https://www.googleapis.com/auth/admin.directory.group.member.readonly'
);
$key = file_get_contents($key_file_location);
$cred = new Google_Auth_AssertionCredentials(
    $service_account_name,
    $authArray, //array('https://www.googleapis.com/auth/books'), //ORIGINAL
    $key
);
$client->setAssertionCredentials($cred);
if($client->getAuth()->isAccessTokenExpired()) {
  $client->getAuth()->refreshTokenWithAssertion($cred);
}
$_SESSION['service_token'] = $client->getAccessToken();


/************************************************
 ************************************************/
//$optParams = array('filter' => 'free-ebooks'); //ORIGINAL
$optParams = array('fields' => 'id');
//$results = $service->volumes->listVolumes('Henry David Thoreau', $optParams); //ORIGINAL
$results = $service->groups->get($groupKey, $optParams);
echo "<h3>Results Of Call:</h3>";
foreach ($results as $item) {
  //echo $item['volumeInfo']['title'], "<br /> \n"; //ORIGINAL
    echo "<pre>".print_r ($item, true)."</pre>";
}

echo pageFooter(__FILE__);

无论我做什么，对于API SDK提供授权和使用文件，只是在控制台的开发者API证书面板中创建的凭据，我收到alwais 403错误。

whatever I do, providing authorization for API SDK, and using file and credentials just created in API Credentials panel of the console's developer, I receive alwais the 403 error.

在这里的错误堆栈：

Google_Http_REST ::德codeHtt presponse（对象（Google_Http_Request））

Google_Http_REST::decodeHttpResponse(Object(Google_Http_Request))

Google_Http_REST ::执行（对象（Google_Client），对象（Google_Http_Request））

Google_Http_REST::execute(Object(Google_Client), Object(Google_Http_Request))

Google_Client->执行（对象（Google_Http_Request））

Google_Client->execute(Object(Google_Http_Request))

Google_Service_Resource->调用（'得到'，阵列，'GOOGLE_SERVICE _...'）

Google_Service_Resource->call('get', Array, 'Google_Service_...')

什么建议吗？

谢谢，
罗伯托

thanks, Roberto

推荐答案

问题的根源在于服务帐户不在域管理员，因此它不能访问管理SDK目录API。相反，你需要启用<一个href=\"https://developers.google.com/admin-sdk/directory/v1/guides/delegation#delegate_domain-wide_authority_to_your_service_account\">domain-wide代表团为您服务帐户，然后有服务帐户冒充域管理员时，它发出请求：

The root of the problem is that the service account is not an administrator on the domain, so it cannot access the Admin SDK Directory API. Instead, you need to enable domain-wide delegation for your service account, and then have the service account impersonate a domain admin when it makes the request:

$cred = new Google_Auth_AssertionCredentials(
    $service_account_name,
    $authArray,
    $key
);
$cred->sub = "admin@yourdomain.com";

这篇关于Google_Service_Directory - （403）未授权访问该资源/ API的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！