
We are trying to build a service to export Google Drive files for our G Suite domain.

We're working with the https://github.com/google/google-api-php-client

We made a service user, downloaded and saved the user credentials and granted domain-wide-access to the service user.

With the simplest example like below (like in every doc I found):

```php
// Point Application Default Credentials at the service account key file.
putenv('GOOGLE_APPLICATION_CREDENTIALS=/service-account-credentials.json');

$client = new \Google_Client();
$client->setAuthConfig('service-account-credentials.json');

$client->setScopes('https://www.googleapis.com/auth/drive.file');

$client->useApplicationDefaultCredentials();
// Impersonate a domain user; this needs domain-wide delegation.
$client->setSubject('admin@mydomain.com');

$service = new \Google_Service_Drive($client);

$service->files->listFiles();
```

As soon as we include the line `$client->setSubject('admin@mydomain.com');` it's dropping the following error:

```json
{
    "error": "unauthorized_client",
    "error_description": "Client is unauthorized to retrieve access tokens using this method."
}
```

Does anyone have an idea, or can anyone share a code sample for this problem? It's a real blocker for us and for now I don't have any idea why this error appears.

vanBrunneren
  • Could be just a typo copying here perhaps, but your first and third lines are each missing a quote mark so your strings are all messed up. – Pacio Mar 10 '17 at 08:10
  • Thx, but these were just typos here on Stack Overflow – vanBrunneren Mar 10 '17 at 08:38
  • You may refer to this [thread](http://stackoverflow.com/questions/42067338/client-is-unauthorized-to-retrieve-access-tokens-using-this-method). Your error means that there is something wrong with your authentication. Double check if you [grant the service account access](https://developers.google.com/api-client-library/php/auth/service-accounts#delegatingauthority) properly. The service account that you created needs to be granted access to the user data that you want to access. – abielita Mar 10 '17 at 09:06
  • I tried granting access, creating service accounts, creating oAuthClients etc. I checked the documentation several times but nothing seems to work – vanBrunneren Mar 10 '17 at 10:02

1 Answer


I finally made it

After a couple of tries I realized I was delegating domain-wide-access to the wrong Client-ID. I always thought this should be the same as the "client_email" I'm using in the script. But it is really (really, really, really) important that this is the "client_id" (as mentioned in the documentation, by the way). This is not an email or a string; it's just a simple number you get when you create a key for the Service Account.

vanBrunneren
  • Not sure I'm following. You assign the Domain-wide-access to the service account, not a specific Client-ID (although the service account has a Client-ID). Did you create multiple service accounts and assign DwD to the wrong account? Include code if possible! – sboss Jan 29 '18 at 12:35
  • But if you put the client_email into that, once you click "authorize" it'll replace that email-looking thingy with the client ID. I'm very jealous that you got this to work though because I'm still struggling with it. – user3505901 Feb 15 '18 at 20:40
  • I'm also not getting it. It makes no difference whether you use the ID or the email, it resolves to the same thing. – Will Oct 02 '18 at 18:37
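
An added example (not part of the original answer, and not code from the google-api-php-client project): a small preflight that reads a service account key and reports the numeric `client_id` the answer refers to, next to the `client_email` and the scope the question's code requests. The key JSON is constructed sample data and `delegationEntry()` is a hypothetical helper name.

```php
<?php
// CONSTRUCTED sample key (not a real credential); private key fields omitted.
$sampleKeyJson = <<<'JSON'
{
  "type": "service_account",
  "project_id": "example-project",
  "client_email": "drive-export@example-project.iam.gserviceaccount.com",
  "client_id": "123456789012345678901"
}
JSON;

/**
 * Hypothetical helper: returns the values to use when authorizing
 * domain-wide delegation for this key, or throws if the key is unusable.
 */
function delegationEntry(string $keyJson, array $scopes): array
{
    $key = json_decode($keyJson, true);
    if (!is_array($key)) {
        throw new InvalidArgumentException('Key file is not valid JSON');
    }
    if (($key['type'] ?? '') !== 'service_account') {
        throw new InvalidArgumentException('Not a service account key');
    }
    // The delegation entry is keyed by this number, not by client_email.
    $clientId = (string) ($key['client_id'] ?? '');
    if (!ctype_digit($clientId)) {
        throw new InvalidArgumentException('client_id missing or not numeric');
    }
    return [
        'client_id'    => $clientId,
        'client_email' => $key['client_email'] ?? '', // issuer of the signed JWT
        'scopes'       => implode(',', array_unique($scopes)),
    ];
}

// Same scope string the question passes to setScopes().
$entry = delegationEntry($sampleKeyJson, ['https://www.googleapis.com/auth/drive.file']);
printf("Client ID to authorize : %s\n", $entry['client_id']);
printf("Scopes to authorize    : %s\n", $entry['scopes']);
printf("Service account email  : %s\n", $entry['client_email']);
```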