I have 3 service accounts that use the Drive SDK.
1 works, 2 do not.
The error that is returned: "OAuth2 token update error, message: {"error": "unauthorized_client", "error_description": "Unauthorized client or scope in the request."}"
All 3 accounts are registered in the developer console. All 3 are allowed to access the managed client API in the Google Apps console. All 3 have a scope of https://www.googleapis.com/auth/drive.readonly. All 3 have a specific folder on the drive that is shared for viewing only.
I use PHP and pass one parameter called "type" to a page; it reflects what the account is for: 1 for sharing, 1 for members and 1 for admin.
For instance:
http://www.somehost.com/oauth_client.php?type=googledrive_admin
The p12 certificate and user values are stored on the server. All ini files have the same value structure: client_id, client_email, scope and query filter. In all cases, the only elements that change between files are client_id and client_email.
My code is as follows:
    <?php
    // Load the Google API PHP client classes used below.
    include (__DIR__ . "/google-api-php-client/autoload.php");
    google_api_php_client_autoload("Google_Auth_AssertionCredentials");
    google_api_php_client_autoload("Google_Client");
    google_api_php_client_autoload("Google_Service_Drive");
    google_api_php_client_autoload("Google_Service_OAuth2");

    // The "type" query parameter selects which account's .p12 key and .ini file are read.
    $type = $_GET['type'];
    $path = __DIR__ . "/secure/";
    $certificate = $path . $type . ".p12";
    $ini_path = $path . $type . ".ini";

    // Per-account settings: scope, client id, client email and Drive query filter.
    $ini = parse_ini_file($ini_path);
    $service_scope = $ini['scope'];
    $service_account_id = $ini['id'];
    $service_account_email = $ini['email'];
    $service_query = $ini['q'];
    $service_account_key = file_get_contents($certificate);

    // Build the signed assertion credentials for the service account.
    $credentials = new Google_Auth_AssertionCredentials(
        $service_account_email,
        array($service_scope),
        $service_account_key
    );
    $credentials->sub = $service_account_email;

    $google_client = new Google_Client();
    $google_client->setAssertionCredentials($credentials);
    // Exchange the assertion for an access token if none is cached or it has expired.
    if ($google_client->getAuth()->isAccessTokenExpired()) {
        $google_client->getAuth()->refreshTokenWithAssertion();
    }

    $drive = new Google_Service_Drive($google_client);
    $result = array();
    $pageToken = NULL;
    // Page through the file list until no next page token is returned.
    do {
        try {
            $parameters = array();
            if ($pageToken) {
                $parameters['pageToken'] = $pageToken;
            }
            $parameters['q'] = $service_query;
            $files = $drive->files->listFiles($parameters);
            $result = array_merge($result, $files->getItems());
            $pageToken = $files->getNextPageToken();
        } catch (Exception $e) {
            print "An error occurred: " . $e->getMessage();
            $pageToken = NULL;
        }
    } while ($pageToken);
    echo json_encode($result) . "\n";
    ?>
Each ini file is structured as follows:

    id="35{code}.apps.googleusercontent.com"
    email="35{code}@developer.gserviceaccount.com"
    scope="https://www.googleapis.com/auth/drive.readonly"
    q="mimeType != 'application/vnd.google-apps.folder'"

I just can't understand why this works for one service account and not for the others when I went through the same process for all of them. Any ideas and help appreciated.
IMBRO
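
Separately from the token error: the script above builds the .p12 and .ini paths directly from the "type" query parameter. The following is an added example, not code from the original post, showing one way to resolve that parameter through a fixed allowlist before any key material is read. It assumes PHP 7 or later; the function name `resolve_account` and the account names other than `googledrive_admin` are hypothetical, and the demo files are constructed placeholders.

```php
<?php
// Added example. Names other than googledrive_admin are hypothetical.
const ACCOUNT_TYPES = ['googledrive_admin', 'googledrive_members', 'googledrive_sharing'];
const REQUIRED_INI_KEYS = ['id', 'email', 'scope', 'q'];

function resolve_account(string $type, string $secureDir): array
{
    // Exact match against known names, so the value can never alter the directory.
    if (!in_array($type, ACCOUNT_TYPES, true)) {
        throw new InvalidArgumentException('unknown account type');
    }
    $base = realpath($secureDir);
    if ($base === false) {
        throw new RuntimeException('secure directory missing');
    }
    $paths = [];
    foreach (['p12', 'ini'] as $ext) {
        // realpath() resolves symlinks; the result must still sit directly in $base.
        $real = realpath($base . DIRECTORY_SEPARATOR . $type . '.' . $ext);
        if ($real === false || dirname($real) !== $base || !is_readable($real)) {
            throw new RuntimeException("missing or unreadable .$ext file");
        }
        $paths[$ext] = $real;
    }
    $ini = parse_ini_file($paths['ini']);
    foreach (REQUIRED_INI_KEYS as $key) {
        // Fail before any token request if the config is incomplete.
        if ($ini === false || !isset($ini[$key]) || $ini[$key] === '') {
            throw new RuntimeException("key '$key' missing in ini file");
        }
    }
    return ['ini' => $ini, 'p12_path' => $paths['p12']];
}

// Constructed demo data: a throwaway directory with placeholder files.
$dir = sys_get_temp_dir() . '/secure_demo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
file_put_contents("$dir/googledrive_admin.p12", 'placeholder, not a real key');
file_put_contents("$dir/googledrive_admin.ini",
    "id=\"ID_PLACEHOLDER\"\nemail=\"EMAIL_PLACEHOLDER\"\n" .
    "scope=\"https://www.googleapis.com/auth/drive.readonly\"\n" .
    "q=\"mimeType != 'application/vnd.google-apps.folder'\"\n");
foreach (['googledrive_admin', '../secure/googledrive_admin', 'unknown'] as $t) {
    try {
        $acct = resolve_account($t, $dir);
        echo "$t: ok, scope=", $acct['ini']['scope'], "\n";
    } catch (Exception $e) {
        echo "$t: rejected (", $e->getMessage(), ")\n";
    }
}
```

In the script from the post, the returned `ini` array and `p12_path` would take the place of the values derived from `$_GET['type']`.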