Service Applications and Google Analytics API V3: Server-to-server OAuth2 authentication?


Problem description


I'm trying to make a server application to routinely pull Google Analytics data from my own GA account. Note, it is a personal, server-side application accessing my own data, i.e. there is no end-user accessing this application.

As such, I registered my application in the Google API Console as a Service Application, which gave me a Client ID and a Private Key. It is my understanding that Service Applications do NOT use Application Secret and Redirect URL as there is no end-user in this server-to-server authentication flow. Indeed, the Google API Console gave me no Secret and did not prompt me for a Redirect URL.

Unfortunately, I can not figure out how to authenticate my Service Application within Google's PHP Client API. There is extensive documentation on authenticating web applications with an end-user.

Google's documentation suggests it is possible to authenticate server-to-server by signing a JWT request with the private key. I just can't figure out how to do it within the PHP client API (although I've browsed the source and there's definitely a script that signs a request with the private key).

Am I missing something here? How can I perform authentication for a Service Application with my private key and the Google PHP client API?

Edited for clarity

Solution

UPDATE July 21st, 2012

Google Analytics API V3 now supports OAuth2 tokens returned by a .p12-signed JWT request. That is, we can now use the Analytics API w/ service accounts.

Currently pulling 4 years of day-by-day metrics, just for the hell of it.

Here's a quick 'n' dirty step-by-step:

  1. Go to the Google API Console and create a new app

  2. In the Services tab, flip the Google Analytics switch

  3. In the API Access tab, click Create an OAuth2.0 Client ID

    • enter your name, upload a logo, and click Next

    • select the Service account option and press Create client ID

    • download your private key

  4. Now you're back on the API Access page. You'll see a section called Service account with a Client ID and Email address

    • Copy the email address (something like ####@developer.gserviceaccount.com)

    • Visit your GA Admin and add this email as a user to your properties

    • This is a must; you'll get cryptic errors otherwise.

  5. Get the latest Google PHP Client API via Github

    git submodule add https://github.com/google/google-api-php-client.git google-api-php-client-read-only
    

  6. Rock 'n' roll (thanks all for tips on updated class names):

    // api dependencies
    require_once(PATH_TO_API . 'Google/Client.php');
    require_once(PATH_TO_API . 'Google/Service/Analytics.php');
    
    // create client object and set app name
    $client = new Google_Client();
    $client->setApplicationName(APP_NAME); // name of your app
    
    // set assertion credentials
    $client->setAssertionCredentials(
      new Google_Auth_AssertionCredentials(
        APP_EMAIL, // email you added to GA
        array('https://www.googleapis.com/auth/analytics.readonly'),
        file_get_contents(PATH_TO_PRIVATE_KEY_FILE)  // keyfile you downloaded
      )
    );
    
    // other settings
    $client->setClientId(CLIENT_ID);           // from API console
    $client->setAccessType('offline_access');  // this may be unnecessary?
    
    // create service and get data
    $service = new Google_Service_Analytics($client);
    $service->data_ga->get($ids, $startDate, $endDate, $metrics, $optParams);
    

 

original workaround below


It seems that, despite ambiguous documentation, most Google APIs do not support service accounts yet, including Google Analytics. They cannot digest OAuth2 tokens returned by a .p12 signed JWT request. So, as of right now, you cannot use Google Analytics API V3 with a service account.

Workaround:

  1. In the Google API console, create a client application.

  2. Follow the steps in the Google PHP Client API examples to generate a client_auth_url using your client_id, client_secret, and redirect_uri

  3. Login to Google using cURL. (Be sure to use a cookie file!)

  4. Open the client_auth_url in cURL and complete the form. Make sure you set curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0); and curl_setopt($ch, CURLOPT_HEADER, 1); as the authorization_code will be in the Location: header of the response.

  5. Using your client_id, client_secret, redirect_uri, and the activation code from Step 4, post a request to Google's OAuth2 Token machine. Make sure you include grant_type = "authorization_code" in your post fields.

  6. Hurray, you now have a refresh_token that never expires, and a working access_token! Post a request to Google's OAuth2 Token machine with your client_id, client_secret, redirect_uri, and refresh_token when your access_token expires and you'll get a new one.
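
The signed JWT request that the question and the updated answer refer to, built by hand so the claims and signature are visible; this is an added example, not part of the original post and not the Google client library's code. It assumes PHP 7.1+ with the openssl extension, a throwaway RSA key standing in for the downloaded .p12, a placeholder service-account email, and `https://oauth2.googleapis.com/token` as the token endpoint.

```php
<?php
// Added example. APP_EMAIL is a constructed placeholder; TOKEN_URL is assumed.
const APP_EMAIL = 'example@developer.gserviceaccount.com';
const TOKEN_URL = 'https://oauth2.googleapis.com/token';
const SCOPE     = 'https://www.googleapis.com/auth/analytics.readonly';

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Build and RS256-sign the assertion: header.claims.signature
function build_assertion(string $email, string $scope, $privateKey, int $now): string
{
    $claims = [
        'iss'   => $email,       // the service account, not an end user
        'scope' => $scope,       // read-only scope, as in the answer
        'aud'   => TOKEN_URL,    // must name the token endpoint
        'iat'   => $now,
        'exp'   => $now + 3600,  // Google accepts at most one hour
    ];
    $flags = JSON_UNESCAPED_SLASHES;
    $input = b64url(json_encode(['alg' => 'RS256', 'typ' => 'JWT'], $flags))
           . '.' . b64url(json_encode($claims, $flags));
    if (!openssl_sign($input, $sig, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return $input . '.' . b64url($sig);
}

// Throwaway key so this runs offline; a real job would read the .p12
// with openssl_pkcs12_read() and pass its 'pkey' entry instead.
$key = openssl_pkey_new(['private_key_bits' => 2048,
                         'private_key_type' => OPENSSL_KEYTYPE_RSA]);
if ($key === false) {
    throw new RuntimeException('key generation failed: ' . openssl_error_string());
}
$jwt = build_assertion(APP_EMAIL, SCOPE, $key, time());

// Check the signature the way the receiving side would, using the public key.
[$h, $c, $s] = explode('.', $jwt);
$pub = openssl_pkey_get_details($key)['key'];
$ok  = openssl_verify("$h.$c", base64_decode(strtr($s, '-_', '+/')), $pub,
                      OPENSSL_ALGO_SHA256) === 1;

// Form body that would be POSTed to TOKEN_URL (not sent here).
$body = http_build_query(['grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
                          'assertion'  => $jwt]);
echo $ok ? "signature ok\n" : "signature BAD\n";
echo base64_decode(strtr($c, '-_', '+/')), "\n", substr($body, 0, 72), "...\n";
```

The assertion is usable by whoever holds it until `exp`, and the private key behind it does not expire, so the key file should be readable only by the account that runs the job.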
