0

I have a service account.

I wrote a PHP script that receives a token:

```php
<?php

require_once 'JWT_1.php';
require_once 'JWT_KEY_1.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

$privateKey = <<<EOD
-----BEGIN PRIVATE KEY-----
someKey
-----END PRIVATE KEY-----
EOD;

$publicKey = <<<EOD
-----BEGIN PUBLIC KEY-----
someKey
-----END PUBLIC KEY-----
EOD;

// Claims of the signed assertion for the service account
$payload = array(
  "iss" => "myName@name.iam.gserviceaccount.com",
  "scope" => "https://www.googleapis.com/auth/postmaster.readonly",
  "aud" => "https://oauth2.googleapis.com/token",
  "exp" => (time() + 600),
  "iat" => time()
);

$jwt = JWT::encode($payload, $privateKey, 'RS256');

$urlToken = 'https://oauth2.googleapis.com/token';
$url = 'https://gmailpostmastertools.googleapis.com/v1/domains';

// Exchange the signed JWT for an access token
$payloadToken = array(
  "grant_type" => "urn:ietf:params:oauth:grant-type:jwt-bearer",
  "assertion" => $jwt
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $urlToken);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $payloadToken);
// Timeout in seconds
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
$tokenAnswer = json_decode(curl_exec($ch), true);
curl_close($ch);

// Stop here if the token endpoint did not return an access token
if (!isset($tokenAnswer['access_token'])) {
  exit('Token request failed: ' . json_encode($tokenAnswer));
}
$token = $tokenAnswer['access_token'];

// Call the Postmaster Tools API with the bearer token
$ch = curl_init();
$headers = array(
  'Authorization: Bearer ' . $token,
  'Accept: application/json'
);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'GET');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_ENCODING, "");
// Timeout in seconds
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
echo curl_exec($ch);
curl_close($ch);
```

When trying to get a list of domains, https://gmailpostmastertools.googleapis.com/v1/domains, the response is an empty array.

At the same time, if I do a test check of the method, I get a list: https://i.stack.imgur.com/kkvcS.png

What may the problem be?

Peter Mortensen

2 Answers

0

You are using two different identities. Only one of the identities will fetch the list of domains. You are authenticating with a service account. The domains are registered to a user's identity. Since the service account does not have a registered domain, the list is empty.

The solution is to use a user's identity to authorize this API call. That means using Google OAuth 2.0.

The Postmaster Tools API states:

> All requests to the Postmaster Tools API must be authorized by an authenticated user.

Authorizing requests with OAuth 2.0

John Hanley
  • Thanks for the clarification! But doesn't the description from [this](https://developers.google.com/identity/protocols/oauth2/service-account) article allow me to get a list of domains for a service account? – Evgen Test Jun 29 '22 at 07:06
  • @EvgenTest - where does it say that in your link? Do not confuse **Workspace domain** with registered domain names. When possible refer to the official documentation for a service. I provided that in my answer. – John Hanley Jun 29 '22 at 07:51
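
The user-identity flow the answer above points to, as an added example that is not part of the original question or answers: a single callback script runs the OAuth 2.0 authorization-code flow for the `postmaster.readonly` scope and then calls the same `/v1/domains` endpoint with the user's token. `CLIENT_ID`, `CLIENT_SECRET`, `REDIRECT_URI` and the helper `httpJson` are assumptions for illustration; the consenting user is assumed to be the account that verified the domains in Postmaster Tools.

```php
<?php
// Added example. CLIENT_ID, CLIENT_SECRET and REDIRECT_URI are placeholders
// (assumptions) for an OAuth client of type "Web application".
session_start();
const CLIENT_ID     = 'YOUR_CLIENT_ID.apps.googleusercontent.com';
const CLIENT_SECRET = 'YOUR_CLIENT_SECRET';
const REDIRECT_URI  = 'https://example.com/oauth2callback.php';
const SCOPE         = 'https://www.googleapis.com/auth/postmaster.readonly';
// GET (or form-encoded POST when $post is set) returning the decoded JSON body.
function httpJson(string $url, array $headers = [], ?array $post = null): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 30,
                            CURLOPT_HTTPHEADER => $headers]);
    if ($post !== null) {
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post));
    }
    $body = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        throw new RuntimeException("Request to $url failed (HTTP $status)");
    }
    return json_decode($body, true) ?? [];
}
if (!isset($_GET['code'])) {
    // Step 1: send the user who owns the domains to Google's consent page.
    $_SESSION['oauth_state'] = bin2hex(random_bytes(16));
    header('Location: https://accounts.google.com/o/oauth2/v2/auth?' . http_build_query([
        'client_id' => CLIENT_ID, 'redirect_uri' => REDIRECT_URI, 'scope' => SCOPE,
        'response_type' => 'code', 'state' => $_SESSION['oauth_state'],
    ]));
    exit;
}
// Step 2: the callback must carry the state stored in this session (CSRF check).
$expected = $_SESSION['oauth_state'] ?? '';
$state = $_GET['state'] ?? '';
unset($_SESSION['oauth_state']);
if ($expected === '' || !is_string($state) || !hash_equals($expected, $state)) {
    http_response_code(400);
    exit('state mismatch');
}
// Step 3: exchange the code for an access token issued to that user.
$token = httpJson('https://oauth2.googleapis.com/token', [], [
    'grant_type' => 'authorization_code', 'code' => $_GET['code'],
    'client_id' => CLIENT_ID, 'client_secret' => CLIENT_SECRET, 'redirect_uri' => REDIRECT_URI]);
// Step 4: the same endpoint as in the question, now called as the user.
header('Content-Type: application/json');
echo json_encode(httpJson('https://gmailpostmastertools.googleapis.com/v1/domains',
    ['Authorization: Bearer ' . $token['access_token'], 'Accept: application/json']));
```
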
-1

Menu

Manage Users -> adduser(+) -> input your service account email

Destroy666
  • The illustration is unclear and shows very little. [There are ways](https://pmortensen.eu/world2/2021/09/10/taking-a-screenshot-of-a-menu-in-cinnamon-linux/) to capture a menu being open ("Manage Users"? "Add user"?). At least annotate it with some explaining text (but ***[without](https://meta.stackexchange.com/a/131011)*** "Edit:", "Update:", or similar - the answer should appear as if it was written today.) – Peter Mortensen May 24 '23 at 15:05
  • ***Is this a bogus answer?*** It isn't clear either how it answers the question (the other answer is very different). Can you address it directly? – Peter Mortensen May 24 '23 at 15:08
  • 1
    This does not provide an answer to the question. Once you have sufficient [reputation](https://stackoverflow.com/help/whats-reputation) you will be able to [comment on any post](https://stackoverflow.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/34433804) – treckstar May 26 '23 at 06:30