php – Google云端硬盘服务帐户和“未经授权的客户端或请求范围”

我有3个服务帐户正在使用驱动器sdk.

1,作品,2不.

返回的错误是“刷新OAuth2令牌时出错,消息:'{”错误“:”unauthorized_client“,”error_description“:”请求中未经授权的客户端或范围.“}’”

所有3个帐户都在开发者控制台中注册.
所有3个都有权在Google Apps控制台中进行“托管客户端API访问”.
所有3的范围都是“https://www.googleapis.com/auth/drive.readonly”.
所有3个驱动器,都有一个特定的文件夹,共享为“仅查看”.

我正在使用PHP并将一个参数传递给名为“type”的页面,并反映了该帐户的用途,1表示公共,1表示成员,1表示管理员.

例如

http://www.somehost.com/oauth_client.PHP?type=googledrive_admin

p12证书和用户值存储在服务器上.所有“ini”文件都具有相同的值结构,client_id,client_email,范围和查询过滤器.在所有情况下,文件之间唯一更改的项是client_id和client_email.

我的代码如下:

<?PHP

 include (__DIR__ . "/google-api-PHP-client/autoload.PHP");

 google_api_PHP_client_autoload("Google_Auth_AssertionCredentials");
 google_api_PHP_client_autoload("Google_Client");
 google_api_PHP_client_autoload("Google_Service_Drive");
 google_api_PHP_client_autoload("Google_Service_OAuth2");

 $type = $_GET['type'];
 $path = __DIR__ . "/secure/";
 $certificate = $path . $type . ".p12";
 $ini_path = $path . $type . ".ini";

 $ini = parse_ini_file($ini_path);
 $service_scope = $ini['scope'];
 $service_account_id = $ini['id'];
 $service_account_email = $ini['email'];
 $service_query = $ini['q'];

 $service_account_key = file_get_contents($certificate);
 $credentials = new Google_Auth_AssertionCredentials(
  $service_account_email,array($service_scope),$service_account_key
 );
 $credentials -> sub = $service_account_email;

 $google_client = new Google_Client();

 $google_client -> setAssertionCredentials($credentials);
 if ($google_client -> getAuth() -> isAccessTokenExpired()) {
  $google_client -> getAuth() -> refreshTokenWithAssertion(); **//FAILS HERE**
 }  

 $drive = new Google_Service_Drive($google_client);

 $result = array();
 $pageToken = NULL;

 do {
  try {
   $parameters = array();
   if ($pageToken) {
    $parameters['pageToken'] = $pageToken;
   }
   $parameters['q'] = $service_query;

   $files = $drive -> files -> listFiles($parameters);

   $result = array_merge($result,$files -> getItems());
   $pageToken = $files -> getNextPageToken();
  } catch (Exception $e) {
   print "An error occurred: " . $e -> getMessage();
   $pageToken = NULL;
  }
 } while ($pageToken);

 echo json_encode($result) . "\n";
?>

每个ini文件的结构如下

id="35{code}.apps.googleusercontent.com"
email="35{code}@developer.gserviceaccount.com"
scope="https://www.googleapis.com/auth/drive.readonly"
q="mimeType != 'application/vnd.google-apps.folder'"

我无法解决的问题是,当我为所有这些帐户完成相同的过程时,为什么这适用于一个服务帐户而不适用于其他服务帐户.任何想法和帮助表示赞赏.

感谢您发布此帖和您对“通过删除行$凭据已解决 – > sub = $service_account_email;”的评论

我面临类似的问题here.显然,$凭证 – > sub = $service_account_email仅接受在Google Developers Console中创建的第一个/主要服务帐户.除此之外,它还会在某些OAuth2范围内产生意外错误(就像我在Fusion Tables中遇到的那样).

因此,这里是一般建议:

DO NOT include $credentials -> sub = $service_account_email unnecessarily.

Only do this when you are trying to impersonating a
difference user (with the condition that the appropriate setup has
been correctly done in Google Apps Admin Console).

Even though it may not produce any error under certain cases,there are some unexpected behaviors when including an email address of the service account itself in the JWT claim set as the value of the “sub” field.

相关文章

Hessian开源的远程通讯,采用二进制 RPC的协议,基于 HTTP 传输。可以实现PHP调用Java,Python,C#等多语...
初识Mongodb的一些总结,在Mac Os X下真实搭建mongodb环境,以及分享个Mongodb管理工具,学习期间一些总结...
边看边操作,这样才能记得牢,实践是检验真理的唯一标准.光看不练假把式,光练不看傻把式,边看边练真把式....
在php中,结果输出一共有两种方式:echo和print,下面将对两种方式做一个比较。 echo与print的区别: (...
在安装好wampServer后,一直没有使用phpMyAdmin,今天用了一下,phpMyAdmin显示错误:The mbstring exte...
变量是用于存储数据的容器,与代数相似,可以给变量赋予某个确定的值(例如:$x=3)或者是赋予其它的变...