php – Google云端硬盘服务帐户和“未经授权的客户端或请求范围

发布时间：2020-12-13 13:51:52 所属栏目：PHP教程来源：网络整理

导读：我有3个服务帐户正在使用驱动器sdk. 1,作品,2不. 返回的错误是“刷新OAuth2令牌时出错,消息：'{”错误“：”unauthorized_client“,”error_description“：”请求中未经授权的客户端或范围.“}’” 所有3个帐户都在开发者控制台中注册. 所有3个都有权在Goog

我有3个服务帐户正在使用驱动器sdk.

1,作品,2不.

返回的错误是“刷新OAuth2令牌时出错,消息：'{”错误“：”unauthorized_client“,”error_description“：”请求中未经授权的客户端或范围.“}’”

所有3个帐户都在开发者控制台中注册.
所有3个都有权在Google Apps控制台中进行“托管客户端API访问”.
所有3的范围都是“https://www.googleapis.com/auth/drive.readonly”.
所有3个驱动器,都有一个特定的文件夹,共享为“仅查看”.

我正在使用PHP并将一个参数传递给名为“type”的页面,并反映了该帐户的用途,1表示公共,1表示成员,1表示管理员.

例如

http://www.somehost.com/oauth_client.php?type=googledrive_admin

p12证书和用户值存储在服务器上.所有“ini”文件都具有相同的值结构,client_id,client_email,范围和查询过滤器.在所有情况下,文件之间唯一更改的项是client_id和client_email.

我的代码如下：

<?php

 include (__DIR__ . "/google-api-php-client/autoload.php");

 google_api_php_client_autoload("Google_Auth_AssertionCredentials");
 google_api_php_client_autoload("Google_Client");
 google_api_php_client_autoload("Google_Service_Drive");
 google_api_php_client_autoload("Google_Service_OAuth2");

 $type = $_GET['type'];
 $path = __DIR__ . "/secure/";
 $certificate = $path . $type . ".p12";
 $ini_path = $path . $type . ".ini";

 $ini = parse_ini_file($ini_path);
 $service_scope = $ini['scope'];
 $service_account_id = $ini['id'];
 $service_account_email = $ini['email'];
 $service_query = $ini['q'];

 $service_account_key = file_get_contents($certificate);
 $credentials = new Google_Auth_AssertionCredentials(
  $service_account_email,array($service_scope),$service_account_key
 );
 $credentials -> sub = $service_account_email;

 $google_client = new Google_Client();

 $google_client -> setAssertionCredentials($credentials);
 if ($google_client -> getAuth() -> isAccessTokenExpired()) {
  $google_client -> getAuth() -> refreshTokenWithAssertion(); **//FAILS HERE**
 }  

 $drive = new Google_Service_Drive($google_client);

 $result = array();
 $pageToken = NULL;

 do {
  try {
   $parameters = array();
   if ($pageToken) {
    $parameters['pageToken'] = $pageToken;
   }
   $parameters['q'] = $service_query;

   $files = $drive -> files -> listFiles($parameters);

   $result = array_merge($result,$files -> getItems());
   $pageToken = $files -> getNextPageToken();
  } catch (Exception $e) {
   print "An error occurred: " . $e -> getMessage();
   $pageToken = NULL;
  }
 } while ($pageToken);

 echo json_encode($result) . "n";
?>

每个ini文件的结构如下

id="35{code}.apps.googleusercontent.com"
email="35{code}@developer.gserviceaccount.com"
scope="https://www.googleapis.com/auth/drive.readonly"
q="mimeType != 'application/vnd.google-apps.folder'"

我无法解决的问题是,当我为所有这些帐户完成相同的过程时,为什么这适用于一个服务帐户而不适用于其他服务帐户.任何想法和帮助表示赞赏.

感谢您发布此帖和您对“通过删除行$凭据已解决 – > sub = $service_account_email;”的评论

我面临类似的问题here.显然,$凭证 – > sub = $service_account_email仅接受在Google Developers Console中创建的第一个/主要服务帐户.除此之外,它还会在某些OAuth2范围内产生意外错误(就像我在Fusion Tables中遇到的那样).

因此,这里是一般建议：

DO NOT include $credentials -> sub = $service_account_email unnecessarily.

Only do this when you are trying to impersonating a
difference user (with the condition that the appropriate setup has
been correctly done in Google Apps Admin Console).

Even though it may not produce any error under certain cases,there are some unexpected behaviors when including an email address of the service account itself in the JWT claim set as the value of the “sub” field.

（编辑：李大同）

【声明】本站内容均来自网络，其相关言论仅代表作者个人观点，不代表本站立场。若无意侵犯到您的权利，请及时与联系站长删除相关内容!