Using New Google API Console project getting unauthorized_client ,Client is unauthorized to retrieve access tokens using this method

Question

I created a Google API Console project and client ID with web application type.Then Using OAuth 2.0 Playground - Google Developers I authorized to drive, sheet and calendar scopes using my client id.

Also, Service account client id and scopes added and authorized in G Suite.

I tried to list files in a folder in the drive using the below sample

index.php

<?php
require_once 'vendor/autoload.php';
require_once 'vendor/google/apiclient/examples/templates/base.php';
$service = get_service_document();
$folderid='FOLDER_ID';


try {
   $children1 = $service->files->listFiles(array(
       'q' => "'$folderid' in parents "));
   $filearray1 = $children1;
}
catch(Exception $e){
   echo $e->getMessage();
}
print_r($children1);
exit;

function buildServiceDrive($userEmail,$service_id,$scope,$service_filename) {

   $client = new Google_Client();
   putenv("GOOGLE_APPLICATION_CREDENTIALS=".$service_filename);
   if ($credentials_file = checkServiceAccountCredentialsFile()) {
// set the location manually
       $client->setAuthConfig($credentials_file);
   }
   elseif (getenv('GOOGLE_APPLICATION_CREDENTIALS')) {
// use the application default credentials
       $client->useApplicationDefaultCredentials();
   }
   else {
       echo missingServiceAccountDetailsWarning();
       return;
   }
   $client->setApplicationName("DRIVE");
   $client->setScopes('https://www.googleapis.com/auth/drive');
   $client->setSubject($userEmail);
   return new Google_Service_Drive($client);
}
//COMMON FUNCTION TO CREATE CALENDAR ID
function get_service_document(){

   $userstamp='user@domain.com';
   $driveService =buildServiceDrive($userstamp,'','','project-id-451a5f6b12ce.json';
   return $driveService;
}

But I got this issue

{
 "error": "unauthorized_client",
 "error_description": "Client is unauthorized to retrieve access tokens using this method."
}

I m getting this issues newly created Google API Console project only

Please help me to solve this. Thanks in advance

score 3 · Accepted Answer · answered May 31 '17 at 19:32

3

This is a common error when running an API call with a service account but not properly completing the domain-wide delegation (DWD) or because the authorization in the admin console has not propagated yet.

This article explains in details the process of DWD. If you have done that, wait 24 hours and it should work. If it doesn't work after that, then it must be something else but as far as I can say right now, the DWD process is the issue.

PLEASE NOTE: DWD is available only to G Suite customers. If you are using a consumer gmail.com account, you won't be able to do this. Instead, you'll have to go through the user consent OAuth flow.

answered May 31 '17 at 19:32

Morfinismo

4,985
4
19
36

Thanks Morfinismo, I added Client id with scopes and Service Account client id with scopes in G SUITE. Also authrozed Using OAuthplayground 2.0. But still I m getting ssame issue. – Sattanathan Jun 02 '17 at 06:53
Sometimes it can take up to 24 hours for the DWD to propagate. If after 24 hours is still not working, please remove this `if ($credentials_file = checkServiceAccountCredentialsFile()) { // set the location manually $client->setAuthConfig($credentials_file); }` – Morfinismo Jun 02 '17 at 20:02
Thanks morfinismo, After 24 hrs not working, I removed this if ($credentials_file = checkServiceAccountCredentialsFile()) { // set the location manually $client->setAuthConfig($credentials_file); }, But Same issue only – Sattanathan Jun 05 '17 at 05:02
I just ran the same code you posted with a new project. I am not getting the problem and it is returning the files. This means that either the DWD has failed completely (very unlikely), The email address of the user is from another domain or the service account credentials are not the correct one. No idea what else could be. – Morfinismo Jun 05 '17 at 23:09
Thanks Morfinismo, I also tried with new project. New project DWD working fine.Don't know why previously created project JSON ,DWD not working. – Sattanathan Jun 10 '17 at 16:27

score 0 · Answer 2 · answered Jan 10 '19 at 15:33

This error could also occur if API client only have write permissions and in scope you specify that you only need readonly access.

{
   "error": "unauthorized_client",
   "error_description": "Client is unauthorized to retrieve access tokens using this method."
}

Using New Google API Console project getting unauthorized_client ,Client is unauthorized to retrieve access tokens using this method

2 Answers2

Linked