1

I'm getting

 Error calling GET https://www.googleapis.com/admin/directory/v1/users/email@example.com.com: (403) Not Authorized to access this resource/api

when running

        $client = new Google_Client();
        $client->setClientId(GOOGLEAPPS_CLIENT_ID);
        $client->setApplicationName(SITE_NAME);
        $key = file_get_contents(APPLICATION_PATH . 'googleapps-privatekey.p12');
        $assertion = new Google_AssertionCredentials(
                    GOOGLEAPPS_EMAIL_ADDRESS, // the service account name
                    array('https://www.googleapis.com/auth/admin.directory.user'), // see https://developers.google.com/admin-sdk/directory/v1/guides/authorizing
                    $key);
        $client->setAssertionCredentials($assertion);
        $service = new Google_DirectoryService($client);
        $user = $service->users->get('email@example.com');

I followed the instructions https://developers.google.com/admin-sdk/directory/v1/guides/prerequisites and ticked Enable API Access. I used the Google APIs console https://code.google.com/apis/console to generate a Service Account key and got that working OK.

https://groups.google.com/forum/#!msg/google-api-php-client/LM-mwmuZe7I/IA_K5v1R1UMJ

I used the Google PHP library and followed the instructions https://code.google.com/p/google-api-php-client/wiki/OAuth2?hl=no#Service_Accounts to try and get service accounts working. Debugging into their code: I'm authorising fine and getting a fresh Access token as expected https://developers.google.com/accounts/docs/OAuth2ServiceAccount.

I can't figure out why I'm getting the "Not Authorized to access this resource/api" message when everything I have read says I've switched it all on OK. Any ideas?

Steve
  • Hey Steve, did you get this working in PHP eventually? – user417669 Nov 04 '13 at 01:22
  • No. I decided to wait until Google finish rolling out their console updates. Their documentation is all messed up: you go around in circles clicking a link to the current docs but ending up at the obsolete docs. I've seen three different user interfaces for the setup for service accounts. Figured I just have to wait until they get it sorted out. – Steve Nov 05 '13 at 02:40

4 Answers

4

Just got it working. You need to include the user email of the admin so OAuth authorizes you for that user. Try

    $assertion = new Google_AssertionCredentials(
                GOOGLEAPPS_EMAIL_ADDRESS, // the service account name
                array('https://www.googleapis.com/auth/admin.directory.user'), // see https://developers.google.com/admin-sdk/directory/v1/guides/authorizing
                $key,
                'notasecret', // password of the .p12 private key
                'http://oauth.net/grant_type/jwt/1.0/bearer', // assertion (grant) type
                'admin_user@email.com' // admin user the service account acts as
    );

Also, after that you need to authorize the client_id for the scope you are requesting from Admin console->Security->Advanced Settings->Authentication->Manage OAuth Client access.
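The effect of that extra argument on the signed assertion, shown as an added example that is not part of the original answer or of the Google PHP library: it builds the JWT by hand and prints the claim set with and without an impersonated user. The claim name `sub` and the token endpoint URL follow Google's current service-account documentation rather than the 2013 library above; the service account address and the throwaway key are constructed for the demo.

```php
<?php
// Added example: hand-built service-account JWT assertion (constructed values).

function b64url(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Build the RS256-signed assertion that is posted to the token endpoint.
// $subject = null means the token will represent the service account itself.
function buildAssertion(string $issuer, array $scopes, $privateKey, ?string $subject = null): string {
    $now = time();
    $claims = [
        'iss'   => $issuer,                               // service account address
        'scope' => implode(' ', $scopes),                 // space-separated scopes
        'aud'   => 'https://oauth2.googleapis.com/token', // token endpoint
        'iat'   => $now,
        'exp'   => $now + 3600,                           // one hour lifetime
    ];
    if ($subject !== null) {
        $claims['sub'] = $subject; // user the service account acts as
    }
    $input = b64url(json_encode(['alg' => 'RS256', 'typ' => 'JWT']))
        . '.' . b64url(json_encode($claims));
    if (!openssl_sign($input, $signature, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return $input . '.' . b64url($signature);
}

// Decode the claim set of a JWT for inspection (no signature check).
function decodeClaims(string $jwt): array {
    [, $payload] = explode('.', $jwt);
    return json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
}

// Throwaway key for the demo; a real client loads the service account's key.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
if ($key === false) { throw new RuntimeException('key generation failed'); }
$sa = 'service-account@example.iam.gserviceaccount.com'; // constructed placeholder
$scopes = ['https://www.googleapis.com/auth/admin.directory.user'];

// As in the question: no user named, so the token is for the service account.
$asSelf = buildAssertion($sa, $scopes, $key);
// As in the answer: the admin address from the answer is the subject.
$asAdmin = buildAssertion($sa, $scopes, $key, 'admin_user@email.com');

foreach (['question' => $asSelf, 'answer' => $asAdmin] as $label => $jwt) {
    $claims = decodeClaims($jwt);
    printf("%-9s iss=%s sub=%s\n", $label, $claims['iss'], $claims['sub'] ?? '(absent)');
}
```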

1

I was having a similar problem. I'm using the .NET libraries. The DriveService example was missing a parameter when creating the provider: ServiceAccountUser, which appears to have to be the email address of an ADMIN. I missed that it was an admin and was getting:

Not Authorized to access this resource/api [403]

As soon as I switched it to an admin account, it worked. I'm afraid I don't speak PHP but I hope this helps.

user2871239
1

If you get an error

Class 'Google_AssertionCredentials' not found

you are using the newer libraries, and Google_AssertionCredentials is now Google_Auth_AssertionCredentials.

See: https://github.com/google/google-api-php-client/blob/master/src/Google/Auth/AssertionCredentials.php

Robert
0

Did you grant the service account access to the given scopes within your Control Panel? See the instructions in the Drive SDK and substitute in the Admin SDK scopes as needed.

Jay Lee
  • Yes, I did. Got tangled up a bit in the old admin console: it keeps linking to the old OAuth 1.0 documentation which is obsolete. Still don't have it working. Might have to wait until our console gets upgraded to the new version. – Steve Oct 18 '13 at 01:09
  • see also http://stackoverflow.com/questions/16774112/unauthorized-when-calling-goolge-admin-sdk-directory-api – Steve Nov 05 '13 at 02:53