I'm using a service account to delegate domain-wide security in order to pull a user listing from our Google Apps for Education instance via the Directory API and the PHP client library.
I'm fairly certain my service account has all the correct security because it's able to pull a listing using the API reference's "try it" feature.
So, at this point, everything is pointing toward an issue with my code, but I can't seem to figure out where:

    <?php
    require 'vendor/autoload.php';

    $clientEmail = '<>@developer.gserviceaccount.com';
    $privateKey = file_get_contents(__DIR__ . '/access.p12');

    $scopes = array(
        'https://www.googleapis.com/auth/admin.directory.user.readonly',
    );

    $credentials = new Google_Auth_AssertionCredentials($clientEmail, $scopes, $privateKey);
    $credentials->sub = 'service.account@my.domain';

    $client = new Google_Client();
    $client->setAssertionCredentials($credentials);
    if ($client->getAuth()->isAccessTokenExpired())
    {
        $client->getAuth()->refreshTokenWithAssertion();
    }

    $directory = new Google_Service_Directory($client);
    $result = $directory->users->listUsers(array('domain' => 'my.domain'));

    var_dump($result);

The code above throws the following error:

    Fatal error: Uncaught exception 'Google_Auth_Exception' with message 'Error refreshing the OAuth2 token, message: ' in C:\wamp\www\quick\vendor\google\apiclient\src\Google\Auth\OAuth2.php on line 358

    Google_Auth_Exception: Error refreshing the OAuth2 token, message: '{
      "error" : "access_denied",
      "error_description" : "Requested client not authorized."
    }' in C:\wamp\www\quick\vendor\google\apiclient\src\Google\Auth\OAuth2.php on line 358

    Call Stack:
        0.0010     132792   1. {main}() C:\wamp\www\quick\index.php:0
        0.0260    1060248   2. Google_Auth_OAuth2->refreshTokenWithAssertion() C:\wamp\www\quick\index.php:18
        0.9230    1163560   3. Google_Auth_OAuth2->refreshTokenRequest() C:\wamp\www\quick\vendor\google\apiclient\src\Google\Auth\OAuth2.php:309
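
The following PHP is an added example, not part of the original post and not the client library's own code: it rebuilds by hand the kind of JWT assertion a delegated service-account token refresh sends, then decodes its claims so `iss`, `sub` and `scope` can be inspected. The signing key is a throwaway generated in place, and the e-mail addresses, the function names and the `aud` URL are assumptions for illustration.

```php
<?php
// Added example: every address and helper name here is a constructed placeholder.
function b64url(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Build and RS256-sign the claim set a delegated service-account request asserts.
function buildAssertion(string $iss, string $sub, array $scopes, $key, int $now): string
{
    $claims = [
        'iss'   => $iss,                  // service account e-mail
        'sub'   => $sub,                  // domain user being impersonated
        'scope' => implode(' ', $scopes), // space-delimited scopes requested
        'aud'   => 'https://oauth2.googleapis.com/token', // assumed token endpoint
        'iat'   => $now,
        'exp'   => $now + 3600,
    ];
    $input = b64url(json_encode(['alg' => 'RS256', 'typ' => 'JWT']))
           . '.' . b64url(json_encode($claims));
    if (!openssl_sign($input, $signature, $key, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return $input . '.' . b64url($signature);
}

// Decode the claims segment of a compact JWT without verifying the signature.
function decodeClaims(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('expected header.claims.signature');
    }
    $b64 = strtr($parts[1], '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4); // restore stripped padding
    $claims = json_decode(base64_decode($b64), true);
    if (!is_array($claims)) {
        throw new InvalidArgumentException('claims segment is not valid JSON');
    }
    return $claims;
}

// Throwaway key so the example runs offline; never a real service-account key.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
if ($key === false) {
    throw new RuntimeException('could not generate demo key');
}
$jwt = buildAssertion('sa-placeholder@developer.gserviceaccount.com', 'user@my.domain',
    ['https://www.googleapis.com/auth/admin.directory.user.readonly'], $key, time());
print_r(decodeClaims($jwt));
```

Comparing the printed `iss`, `sub` and `scope` with the client and scopes that were granted domain-wide delegation shows exactly what the token endpoint is being asked to authorize.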