继续从 Google API 获取 403 Forbidden(使用 PHP 客户端库 v1) [英] Keep getting 403 Forbidden from Google API (using PHP client library v1)

问题描述

好吧……我不得不说我在使用 Google 的 API 方面没有足够的经验，所以我会尽可能详细地解释.

Okay... I have to say I don't have enough experience on using Google's API, so I'll try to explain as detail as I could.

我需要使用 PHP 来抓取云存储的数据，所以我尝试使用 gsUtil 的凭据从存储桶中抓取数据并且它工作正常；但是当我尝试使用 PHP 库抓取数据时，API 回复了我这样的内容:

I need to use PHP to grab the Cloud storage's data, so I tried my credential with gsUtil to grab data from bucket and it works; But when I try to use PHP library to grab data, the API replied me with this content:

"error": {
  "errors": [
    {
       "domain": "global",
       "reason": "forbidden",
       "message": "Forbidden"
    }
  ],
  "code": 403,
  "message": "Forbidden"
}

因为它没有告诉我到底哪一步是错误的，所以我在这个网站上搜索并尝试了所有看起来相似的东西，但情况仍然如此.

Since it didn't tell me exactly which step is wrong, so I searched around this site and tried everything which looked similar, but the Situation stands.

这是我的 Google Dev 上的配置.控制台:

Here is the Configuration on my Google Dev. Console:

Api Manager > Overall > Enabled API：

(a)Drive API.

(b)Cloud Storage.

(c)Cloud Storage JSON API.

Api Manager > Credentials:

(a)Api Key / OAuth 2.0 ID / Service Acc. Key are created.

(b)Server IPs are added to the Api key's accept IP list.

(c)Service Account have the Editor permission to the Project, service acc key is bind to this account too.

在 PHP 中:

$email = '<my gmail>';
$scope = 'https://www.googleapis.com/auth/cloud-platform';
$apiKey = '<my api key>';
$oAuthId = '<OAuth ID>';
$serviceAcc = '<service account id>@developer.gserviceaccount.com';
$keyFileLocation = $_SERVER['DOCUMENT_ROOT']. "/<p12 file>";
$bucketId = '<my bucket id>';
$list = array();

$client = new Google_Client();
$client->setApplicationName("gp-api");
$client->setDeveloperKey($apiKey);
$cred = new Google_Auth_AssertionCredentials (
            $serviceAcc,
            array($scope),
            file_get_contents($keyFileLocation)
    );

$client->setAssertionCredentials($cred);

if($client->getAuth()->isAccessTokenExpired())
  $client->getAuth()->refreshTokenWithAssertion($cred);

if($client->getAccessToken()) {
  $reqUrl = "https://www.googleapis.com/storage/v1/b/$bucketId/o/";
  $request = new Google_Http_Request($reqUrl, 'GET', null, null);
  $httpRequest = $client->getAuth()->authenticatedRequest($request);
  if ($httpRequest->getResponseHttpCode() == 200) {
    $objects = json_decode($httpRequest->getResponseBody());
    foreach ($objects->items as $object) {
      $list[] = $object->mediaLink;
    }
  }
  else {
    echo $httpRequest->getResponseHttpCode(); // This is where I got the 403
  }
}

如果我错过了什么，请告诉我.

Please tell me if I missed something.

推荐答案

好的，我遇到了问题:它必须模拟有权访问我在程序中提到的 API 范围的用户帐户.

Ok, I got the Problem: it must impersonate the User account which have the privilege to access the API scope that I mentioned in program.

所以必须添加一些额外的代码如下:

So some additional codes must be added as following:

$email = '<email account which could access that api>';
$scope = 'https://www.googleapis.com/auth/cloud-platform';
$apiKey = '<my api key>';
$oAuthId = '<OAuth ID>';
$serviceAcc = '<service account id>@developer.gserviceaccount.com';
$keyFileLocation = $_SERVER['DOCUMENT_ROOT']. "/<p12 file>";
$bucketId = '<my bucket id>';
$list = array();

$client = new Google_Client();
$client->setApplicationName("gp-api");
$client->setDeveloperKey($apiKey);
$cred = new Google_Auth_AssertionCredentials (
        $serviceAcc,
        array($scope),
        file_get_contents($keyFileLocation),
        'notasecret',
        'http://oauth.net/grant_type/jwt/1.0/bearer',
        $email
);

Wooooooyaaaaa，又一个问题解决了！是时候解决下一个问题了.

Woooooyaaaaa, another problem solved! time to move up for next problem.

这篇关于继续从 Google API 获取 403 Forbidden(使用 PHP 客户端库 v1)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！