使用Google Oauth2 Credentials的“服务帐户”模拟用户EMAIL ID [英] Impersonate the user EMAIL ID using Google Oauth2 Credentials ‘Service Account’

问题描述

我试图使用PHP GAE的Google API OAuth服务帐户创建Google日历活动。

$ b 我需要正确的会话ID 或由'创建的日历事件字段中的用户电子邮件ID 。
这在 Google Apps脚本（GAS）中可能很好，它会使用正确的会话ID创建事件。

我希望在 PHP GAE（Google App Engine）中完成相同的工作。因此，我试图模仿用户ID，如下所示：执行Google Apps域范围授权

我的目标是像在 GAS（Google Apps脚本）中一样自动插入任何最终用户的正确用户ID。 我不希望在'由...创建'的字段中设置任何默认凭据。 使用 PHP客户端库我试图模拟Calendar API中的用户。我没有获得Calendar API的完整示例。因此，我尝试了Drive API文档示例，这个示例似乎工作正常，使用其他域用户也可以使用日历API我写了下面的例子。

 <？php 
 require_once realpath（dirname（__ FILE __）。'/ google-api-php-client-主/ SRC /谷歌/ autoload.php'）; 
 require_once realpath（dirname（__ FILE __）。'/ google-api-php-client-master / src / Google / Service / Calendar.php'）; 
 require_once realpath（dirname（__ FILE __）。'/ google-api-php-client-master / src / Google / Service / Oauth2.php'）; 
 
使用google\appengine\api\users\User; 
使用google\appengine\api\users\UserService; 
 
 $ user = UserService :: getCurrentUser（）; 
 $ userEmail = $ user-> getEmail（）; 
 
 $ client_email ='34234242424-qssjf8kg1kk42dnjdvd2ndrk7rou44@developer.gserviceaccount.com'; 
 $ private_key = file_get_contents（'key.p12'）; 
 $ scopes = array（'https://www.googleapis.com/auth/calendar'）; 
 
 $ credentials = new Google_Auth_AssertionCredentials（
 $ client_email，
 $ scopes，
 $ private_key 
）; 
 $ credentials-> sub = $ userEmail; 
 $ client = new Google_Client（）; 
 $ client-> setAssertionCredentials（$ credentials）; 
 if（$ client-> getAuth（） - > isAccessTokenExpired（））{
 $ client-> getAuth（） - > refreshTokenWithAssertion（）; 
} 
 $ service = new Google_Service_Calendar（$ client）; 
 $ event = new Google_Service_Calendar_Event（）; 
 $ start = new Google_Service_Calendar_EventDateTime（）; 
 $ start-> setDateTime（'2015-09-26T10：00：00.000-07：00'）; 
 $ event-> setStart（$ start）; 
 $ end = new Google_Service_Calendar_EventDateTime（）; 
 $ end-> setDateTime（'2015-09-26T10：00：00.000-07：00'）; 
 $ event-> setEnd（$ end）; 
 $ createdEvent = $ service-> events-> insert（'abc@group.calendar.google.com'，$ event）; 
  

当我检查这封电子邮件时，我收到了正确的服务帐户凭据，
但是，当我使用不同的电子邮件ID，我得到了以下错误

  PHP致命错误：未捕获消息'错误刷新OAuth2令牌，消息：'{error：unauthorized_client，error_description：未经授权的客户端或请求中的作用域异常'Google_Auth_Exception'。 }''in​​ /base/data/home/apps/s~production/1.3874/google-api-php-client-master/src/Google/Auth/OAuth2.php:363堆栈跟踪：＃0 / base / data / home / apps / s〜production / 1.387 / google-api-php-client-master / src / Google / Auth / OAuth2.php（314）：Google_Auth_OAuth2-> refreshTokenRequest（Array）＃1 / base / data / home / apps / s〜ei-html-production / 1.3874 / final.php（34）：Google_Auth_OAuth2-> refreshTokenWithAssertion（）＃2 {main}抛出/base/data/home/apps/s~production/1.38742/google- api-php-client-master / src / Google / Auth / OAuth2.php on line 363 
  

Plz帮助我我做错了什么。为什么问题发生，当我使用差异电子邮件ID时，我将创建cal事件的最终用户可能是任何基于GMAIL或Google的域ID。

所以，plz帮助至少有一个样本部分...

参考链接：

如何d o我使用Google Api 3插入谷歌日历事件给任何域名用户？ / 20887070 / how-to-create-a-google-calendar-event-without-a-reminder-how-to-get-service-ac>如何在没有提醒的情况下创建Google日历活动/如何获取服务帐户模仿用户

解决方案

您只能模拟Google应用程序域中的用户，搜索域广泛的代表团）。

获得模拟授权后，您必须为您模拟的每个用户重新创建一个全新的Google Client。您只会收到一个您可以用于此用户的access_token。如果您只是在授权后更改电子邮件地址，则无法使用。

I am trying to create Google calendar events using Google Api OAuth service Account from PHP GAE.

I need the correct Session ID or the user EMail ID in the Calendar events field ‘created by’. This is possible well in Google Apps Script(GAS), it creates the events with the correct session ID.

But, I want the same to be done in PHP GAE(Google App Engine). So, I tried to impersonate the user ID as follows:Perform Google Apps Domain-Wide Delegation of Authority

My aim is to insert the correct user ID of any end user automatically as like in GAS(Google Apps Script). I don't want any default credentials to be set in the field ‘created by’..

Using the PHP client library i tried to impersonate a user in Calendar API.I didn't get any complete sample for Calendar API.So, I tried the Drive API documentation sample, this sample seems to be working fine, Using other domain user also

Using Calendar API I wrote the below example.

 <?php
    require_once realpath(dirname(__FILE__).'/google-api-php-client-master/src/Google/autoload.php');
    require_once realpath(dirname(__FILE__).'/google-api-php-client-master/src/Google/Service/Calendar.php');
    require_once realpath(dirname(__FILE__).'/google-api-php-client-master/src/Google/Service/Oauth2.php');

    use google\appengine\api\users\User;
    use google\appengine\api\users\UserService;

    $user = UserService::getCurrentUser();
    $userEmail=$user->getEmail();

    $client_email = '34234242424-qssjf8kg1kk42dnjdvd2ndrk7rou44@developer.gserviceaccount.com';
    $private_key = file_get_contents('key.p12');
    $scopes = array('https://www.googleapis.com/auth/calendar');

    $credentials = new Google_Auth_AssertionCredentials(
    $client_email,
        $scopes,
        $private_key
    );
    $credentials->sub = $userEmail;
    $client = new Google_Client();
    $client->setAssertionCredentials($credentials);
    if ($client->getAuth()->isAccessTokenExpired()) {
        $client->getAuth()->refreshTokenWithAssertion();
    }
    $service =new Google_Service_Calendar($client);
    $event = new Google_Service_Calendar_Event();
    $start = new Google_Service_Calendar_EventDateTime();
    $start->setDateTime('2015-09-26T10:00:00.000-07:00');
    $event->setStart($start);
    $end = new Google_Service_Calendar_EventDateTime();
    $end->setDateTime('2015-09-26T10:00:00.000-07:00');
    $event->setEnd($end);
    $createdEvent = $service->events->insert('abc@group.calendar.google.com', $event);

It’s working well when i check this email, i got the correct service account credentials. But when i used different email ID, i got this below error

PHP Fatal error: Uncaught exception 'Google_Auth_Exception' with message 'Error refreshing the OAuth2 token, message: '{ "error" : "unauthorized_client", "error_description" : "Unauthorized client or scope in request." }'' in /base/data/home/apps/s~production/1.3874/google-api-php-client-master/src/Google/Auth/OAuth2.php:363 Stack trace: #0 /base/data/home/apps/s~production/1.387/google-api-php-client-master/src/Google/Auth/OAuth2.php(314): Google_Auth_OAuth2->refreshTokenRequest(Array) #1 /base/data/home/apps/s~ei-html-production/1.3874/final.php(34): Google_Auth_OAuth2->refreshTokenWithAssertion() #2 {main} thrown in /base/data/home/apps/s~production/1.38742/google-api-php-client-master/src/Google/Auth/OAuth2.php on line 363

Plz help me what i did wrong.Why the issue happens, when I used diff email ID, my end user who'll create cal events, could be any GMAIL or Google based domain ID.

So, plz help with at least a sample part...

Reference links:

How do I Insert Google Calendar Event using Google Api 3 for any user in the domain?

How to create a Google Calendar event without a reminder / How to get Service Accounts to impersonate users

解决方案

You can only impersonate users on a google apps domain where you have the necessary permission for (search for 'domain wide delegation'). You've got that covered.

Once you're authorized for impersonation you have to recreate a fresh Google Client for each user you impersonate. You'll only receive an access_token you can use for this very user. If you just change the email address once you're authorized it will not work.

这篇关于使用Google Oauth2 Credentials的“服务帐户”模拟用户EMAIL ID的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！