2

I'm trying to integrate something into our website to add new members to our Google Groups mailing list when they create an account. I'm using the PHP API of the Admin SDK to do so, but have had no luck.

Here's the code:

include_once 'autoload.php';
$clientId = 'xxxxxxx.apps.googleusercontent.com';

$serviceAccountName = 'xxxxxx@developer.gserviceaccount.com';

$delegatedAdmin = 'admin@website.org';

$keyFile = 'key.p12';

$appName = 'App Name';

$scopes = array(
    'https://www.googleapis.com/auth/admin.directory.group'
);


if (!($creds = new Google_Auth_AssertionCredentials(
    $serviceAccountName,
    $scopes,
    file_get_contents($keyFile)
))) {
    echo 'creds failed';
    exit;
}

if (!($creds->sub = $delegatedAdmin)) {
    echo 'sub failed';
    exit;
}

if (!($client = new Google_Client())) {
    echo 'obj creation failed failed';
    exit;
}
if (!($client->setApplicationName($appName))) {
    echo 'app name failed';
    exit;
}
if (!($client->setClientId($clientId))) {
    echo 'set id failed';
    exit;
}
if (!($client->setAssertionCredentials($creds))) {
    echo 'assertion failed';
    exit;
}
if (!($dir = new Google_Service_Directory($client))) {
    echo 'dir failed';
    exit;
}

if (!($member = new Google_Service_Directory_Member(array(
                        'email' =>'validtestemail@test.test',
                        'kind' => 'admin#directory#member',
                        'role' => 'MEMBER',
                        'type' => 'USER')))) {
    echo 'member failed';
    exit;
}

if (!($list = $dir->members->insert('groupname@googlegroups.com', $member))) {
    echo 'list failed';
    exit;
}
echo 'good';

If I run it, the code stops at the set app name, or setting any properties of $client for that matter. If I comment those sections out, I get a blank page.

1 Answer

0

Your code, from new Google_Service_Directory($client) onwards, works for me, so I'd guess the problem is with your credentials generation.

Here is some code that I have used successfully:

// Create a new google client.  We need this for all API access.
$client = new Google_Client();
$client->setApplicationName("Google Group Test");

$client_id = '...';
$service_account_name = '...';
$key_file_location = '...';

if (isset($_SESSION['service_token'])) {
    $client->setAccessToken($_SESSION['service_token']);
}
$key = file_get_contents($key_file_location);

// https://www.googleapis.com/auth/admin.directory.group,
// https://www.googleapis.com/auth/admin.directory.group.readonly, 
// https://www.googleapis.com/auth/admin.directory.group.member, 
// https://www.googleapis.com/auth/admin.directory.group.member.readonly,
// https://www.googleapis.com/auth/apps.groups.settings, 
// https://www.googleapis.com/auth/books
$cred = new Google_Auth_AssertionCredentials(
    $service_account_name,
    array(
        Google_Service_Groupssettings::APPS_GROUPS_SETTINGS,
        Google_Service_Directory::ADMIN_DIRECTORY_GROUP,
        Google_Service_Directory::ADMIN_DIRECTORY_GROUP_READONLY,

        Google_Service_Directory::ADMIN_DIRECTORY_GROUP_MEMBER,
        Google_Service_Directory::ADMIN_DIRECTORY_GROUP_MEMBER_READONLY,

        Google_Service_Books::BOOKS,
    ),
    $key,
    'notasecret'
);
//
// Very important step:  the service account must also declare the
// identity (via email address) of a user with admin privileges that
// it would like to masquerade as.
//
// See:  http://stackoverflow.com/questions/22772725/trouble-making-authenticated-calls-to-google-api-via-oauth
//
$cred->sub = '...';
$client->setAssertionCredentials($cred);
if ($client->getAuth()->isAccessTokenExpired()) {
    $client->getAuth()->refreshTokenWithAssertion($cred);
}
$_SESSION['service_token'] = $client->getAccessToken();

There are more scopes than you'll need in my example, but I left them all in. Be sure to grant all of the same scopes to your service account in the admin console. See the documentation Using OAuth 2.0 for Server to Server Applications, especially the section "Delegating domain-wide authority to the service account". You'll want to go to the page:

https://admin.google.com/YOURDOMAIN/AdminHome?chromeless=1#OGX:ManageOauthClients

Replace YOURDOMAIN with the domain of your Google Apps account.

  • Thanks for your help! I overlooked the delegation to the service account. It seems that the code is able to make it all the way until the $dir->members->insert('groupname@googlegroups.com', $member); any ideas? – user3751672 Mar 12 '15 at 19:13
  • The code I posted + the code you posted worked for me, so it's probably something on your admin panel, or developer panel. You might check your Google Apps for Business permissions, just in case; there are some here that affect the Group Settings API. I don't think any affect what you are doing, but it's the only thing I can think of. Make sure your delegated admin really is a super admin. – greg_1_anderson Mar 12 '15 at 20:30
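An added example, not code from the question, the answer, or the client library's documentation: the same service-account flow reduced to the single scope that membership changes need, with failures surfaced through the library's exceptions. In the 1.x client library used on this page the Google_Client setters return nothing, so their results cannot be tested with if (!...); auth and API errors arrive as exceptions instead. The function name addGroupMember, the key path and the addresses are placeholders, and the one scope requested must also be the one granted to the service account in the admin console.

```php
<?php
// Added example. addGroupMember() is a hypothetical helper; all values are placeholders.
require_once 'autoload.php'; // google-api-php-client 1.x, as in the question

function addGroupMember($account, $adminSub, $keyFile, $groupKey, $email)
{
    $key = @file_get_contents($keyFile);
    if ($key === false) {
        throw new RuntimeException('cannot read service account key file');
    }
    // Least privilege: request only the group-membership scope.
    $cred = new Google_Auth_AssertionCredentials(
        $account,
        array(Google_Service_Directory::ADMIN_DIRECTORY_GROUP_MEMBER),
        $key
    );
    $cred->sub = $adminSub; // the admin user the service account acts as

    $client = new Google_Client();
    $client->setApplicationName('App Name'); // returns nothing; do not test the result
    $client->setAssertionCredentials($cred);

    $member = new Google_Service_Directory_Member();
    $member->setEmail($email);
    $member->setRole('MEMBER');

    $dir = new Google_Service_Directory($client);
    return $dir->members->insert($groupKey, $member); // throws on failure
}

try {
    $added = addGroupMember(
        'xxxxxx@developer.gserviceaccount.com', // service account (placeholder)
        'admin@website.org',                    // delegated admin (placeholder)
        '/path/outside/webroot/key.p12',        // hypothetical path, not web-served
        'groupname@googlegroups.com',           // group key from the question
        'validtestemail@test.test'
    );
    echo 'added ' . htmlspecialchars($added->getEmail());
} catch (Google_Auth_Exception $e) {   // token request rejected: key, sub or scopes
    error_log('Directory auth failed: ' . $e->getMessage());
    echo 'auth failed';
} catch (Google_Service_Exception $e) { // API rejected the call: status and error list
    error_log('members.insert ' . $e->getCode() . ': ' . json_encode($e->getErrors()));
    echo 'insert failed';
} catch (Exception $e) {                // anything else, e.g. unreadable key file
    error_log('add member failed: ' . $e->getMessage());
    echo 'failed';
}
```

Logging the detail server-side and echoing only a short status keeps the API's error text and the account names out of the page returned to the visitor.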