Google OAuth2 Service Accounts API Authorization

Question

I'm trying to authenticate my server app through Google's service account authentication but, for some reason, it is just not pushing through.

In the API console, I already created the project, enabled the service I need (Admin SDK), and created a Service Account and Web Application API Access.

When I do use the web application access credentials I am able to authenticate and retrieve user records. But using service account authentication would keep giving me a login required message.

"error": { "errors": [ { "domain": "global", "reason": "required", "message": "Login Required", "locationType": "header", "location": "Authorization" } ], "code": 401, "message": "Login Required" }

I forgot to add, I am testing this with the PHP client library.

public function init() {
  $client = new Google_Client();

  if (isset($_SESSION['access_token'])) {
    $client->setAccessToken($_SESSION['access_token']);
  }

  $key = file_get_contents(App::SERVICE_KEY_FILE);
  $client->setAssertionCredentials(new Google_AssertionCredentials(
      App::SERVICE_ACCOUNT_NAME,
      App::SERVICE_API_SCOPES,
      $key)
  );

  $client->setClientId(App::SERVICE_CLIENT_ID);
  debug($client, 'CLIENT');

  if ($client->getAccessToken()) {
    $this->access_token = $_SESSION['access_token'] = $client->getAccessToken();
    debug($_SESSION['access_token'], 'TOKEN');
  } else {
    debug('NO TOKEN');
  }
  $this->client = $client;
}

As you can see, the code is basically about the same as the Google example. Am I missing an extra step?

One last thing, when I authenticate using the web app then access my service account script, the service account script can pick up the web app script's session and push through with the user record retrievals. Does that mean the Admin SDK API explicitly needs user interaction through web app authentication?

Answer 1

Instead of service account, I instead opted to use installed applications API Access.

This ruby gem actually helped my figure this out - https://github.com/evendis/gmail_cli
I was playing with it on the console and just followed the authorization steps in the readme, and found that installed applications is more simple when doing server admin apps.

Being a newb, I think I missed the important part the refresh token plays in the entire process. Going via the installed application approach helped me figure that out.

My config file now contains the client id, client secret, api scope, redirect uri, authorization code, and the refresh token; my initialization code now looks like:

public function init() {
  $client = new Google_Client();

  $client->setClientId(App::CLIENT_ID);
  $client->setClientSecret(App::CLIENT_SECRET);
  $client->setScopes(App::API_SCOPES);
  $client->setRedirectUri(App::REDIRECT_URI);

  if (!$client->getAccessToken()) {
    $client->refreshToken(App::REFRESH_TOKEN);
  }
  $this->access_token = $client->getAccessToken();
  $this->client = $client;
}