0

I have a Google Calendar API setup with Oauth 2.0. My web-application has teachers and students. Teachers create event and students can join. I have already created features for all users to connect their Google account with permissions for the calendar API, and teacher's can create events and delete them successfully, the event is added and removed from their primary calendar.

To accomplish this, I do not need the teacher's account email address. When they authorize my apps API access to their account, I get a token with CALENDAR_EVENTS scope and I can use it alone to create an event in their calendar. The token contents are like this:

{
    "access_token":"[redacted]",
    "expires_in":3599,
    "refresh_token":"[redacted]",
    "scope":"https:\/\/www.googleapis.com\/auth\/calendar.events",
    "token_type":"Bearer",
    "created":1656203897
}

I also have Oauth 2 authorization from the students with a similar token. When a student joins the event, I want to update the event and add that student as an attendee. The email address of their account on my app may not match their Google account used when they authorize Oauth 2 for my app. So, I need a way to get the Google email address of the account they authorized.

Is this the proper process for adding authorized user as an attendee? I have looked around for ways to get the user's account information and found mostly outdated information. I would prefer to use the Google_Client() object from the PHP Google SDK, or even better the Google_Service_Calendar() object.

As mentioned I only requested Google_Service_Calendar::CALENDAR_EVENTS scope. Do I need to add more scope to get this information? I also found this Google Identify documentation but not sure if I need this.

I tried to use another method to try the oauth2 API with GET request:

<?php   
    $resp = file_get_contents("https://www.googleapis.com/oauth2/v3/userinfo?access_token=[redacted]");
    print($resp);
?>

    Warning: file_get_contents(https://www.googleapis.com/oauth2/v3/userinfo?access_token=[redacted]): failed to open stream: HTTP request failed! HTTP/1.0 401 Unauthorized in /path/to/api_user.php on line 4

EDIT:

After reading the first answer I have read the documentation here and using the PHP code provided in the docs:

require_once 'vendor/autoload.php';

// Get $id_token via HTTPS POST.

$client = new Google_Client(['client_id' => $CLIENT_ID]);  // Specify the CLIENT_ID of the app that accesses the backend
$payload = $client->verifyIdToken($id_token);
if ($payload) {
  $userid = $payload['sub'];
  // If request specified a G Suite domain:
  //$domain = $payload['hd'];
} else {
  // Invalid ID token
}

The first part of the code works fine, I can get the $client object with the client_id. However, It doesn't explain where to get the $id_token. I see from this post that the id_token is a field in the Oauth2 response, but my response JSON does not include this field.

raw-bin hood
  • 5,839
  • 6
  • 31
  • 45

3 Answers3

0

You need to add the https://www.googleapis.com/auth/userinfo.email scope

  • With this scope you will be able to retrieve the user's email.
ziganotschka
  • 25,866
  • 2
  • 16
  • 33
  • So, I cannot do it with the `https:\\www.googleapis.com\auth\calendar.events` scope, even if the user authorizes the Calendar API? – raw-bin hood Jun 28 '22 at 18:06
  • I don't think so, but what's wrong with https://www.googleapis.com/auth/userinfo.email? It's a non-sensitive scope. – ziganotschka Jun 28 '22 at 18:41
  • @raw-binhood. I saw a notification about you asking about the ID-token. I was going to explain it and also propose you an alternative solution, but you do not seem interested anymore? – ziganotschka Jun 29 '22 at 10:56
  • I put the answer that is relevant to PHP and that adds the userinfo.email scope to the requested scopes when getting authorization, which is the direct answer to the OP. The authorizaiton request now returns that scope as well. The only remaining issue is that the authorization page from Google adds a checkbox for the Calendar scope when I do it this way, and it's not user friendly: https://stackoverflow.com/questions/72793032/google-calendar-api-requesting-multiple-scopes-puts-checkbox-in-authorization/72793618#72793618 – raw-bin hood Jun 29 '22 at 14:50
  • The answer I provided was for a browser integration where you have a client- and server-side. Did not realize that this is not your intentation. As for the checkboxes - see https://stackoverflow.com/questions/64573910/disable-checkboxes-on-google-consent-screen – ziganotschka Jun 29 '22 at 17:11
  • Thanks for the link, but the answer is the same as the link in my comment. It is not good practice to just include links in your answer on StackOverflow, at least not without understanding the question and proving a relevant contextual answer with valuable details. When you provide a non-contextual answer and some links, you don’t answer the OP question, but others see that an answer has been provided and may assume that the problem is solved. – raw-bin hood Jun 29 '22 at 17:20
  • I provided you the link above out of courtesy - just to confirm the correctness of the answer you already got to your linked post. Even if this is not the answer you would like -unfortunately it is the correct one. However, it is not related to the current post, thus I refrained from further explaining it. – ziganotschka Jun 30 '22 at 07:16
  • Okey-dokey karaoke – raw-bin hood Jun 30 '22 at 14:41
0

To get your user's email address you can request it at the time they user is authorizing your app for the Google Calendar API. You simply include the scope in the setScopes(). Below is a code example in PHP for including that scope. Notice that setScopes() has an array with 2 scopes.

function sendUserToGoogleCalendarAPIAuthorization()
  {
    // Require the Google API SDK
    require_once 'vendor/Google/autoload.php';
    // Setup the client object
    $client = new Google_Client();
    $client->setApplicationName('Your App');
    // Set scope with added user email scope
    $client->setScopes([Google_Service_Calendar::CALENDAR_EVENTS, 'https://www.googleapis.com/auth/userinfo.email']);
    $client->setAuthConfig('path/to/your/apps/oauth2/client_id.json');
    $client->setAccessType('offline');
    $client->setPrompt('select_account consent');
    // Request authorization from the user.
    $authUrl = $client->createAuthUrl();
    // Header to the authUrl to get user to authorize
    header('Location: '.$authUrl);
  }

After that point you cannot get the user's email with the Google Calendar API.

raw-bin hood
  • 5,839
  • 6
  • 31
  • 45
0

Okay this took some SERIOUS DIGGING but I figured it out (if I understand your question correctly).

If you want to get the email address of the account that just connected their Google Calendar, use the following code.

$this->service = new Google_Service_Calendar($this->client);
$CalendarEmailAddress = $this->service->calendars->get('primary')->id;

The $this->client is created using $this->client = new Google_Client();

You don't need any more scopes. I only use the following scopes:

private $required_scopes=array(    
    Google_Service_Calendar::CALENDAR,
    Google_Service_Calendar::CALENDAR_EVENTS,
);

I found the api resource here: https://developers.google.com/resources/api-libraries/documentation/calendar/v3/php/latest/class-Google_Service_Calendar_Calendars_Resource.html even though this is some of the worst documentation I've ever seen.

J.Keefe
  • 100
  • 1
  • 9