Google Admin SDK PHP无法创建用户。未授权
我在PHP中实现Google Admin SDK时遇到问题。它总是会出错Google Admin SDK PHP无法创建用户。未授权,php,google-admin-sdk,Php,Google Admin Sdk,我在PHP中实现Google Admin SDK时遇到问题。它总是会出错 Fatal error: Uncaught exception 'Google_Service_Exception' with message 'Error calling POST https://www.googleapis.com/admin/directory/v1/users: (403) Not Authorized to access this resource/api' in ..\google-api
Fatal error: Uncaught exception 'Google_Service_Exception' with message 'Error calling POST
https://www.googleapis.com/admin/directory/v1/users: (403) Not Authorized to access this
resource/api' in ..\google-api-php-client\src\Google\Http\REST.php on line 79
<?php
session_start();
/* * **********************************************
Make an API request authenticated with a service
account.
* ********************************************** */
set_include_path("google-api-php-client/src" . PATH_SEPARATOR . get_include_path());
require_once 'Google/Client.php';
require_once 'Google/Service/Directory.php';
/* * **********************************************
ATTENTION: Fill in these values! You can get
them by creating a new Service Account in the
API console. Be sure to store the key file
somewhere you can get to it - though in real
operations you'd want to make sure it wasn't
accessible from the webserver!
The name is the email address value provided
as part of the service account (not your
address!)
Make sure the Books API is enabled on this
account as well, or the call will fail.
* ********************************************** */
$client_id = 'my_client_id'; //Client ID
$service_account_name = 'email'; //Email Address
$key_file_location = 'key.p12'; //key.p12
if ($client_id == '<YOUR_CLIENT_ID>' || !strlen($service_account_name) || !strlen($key_file_location)) {
echo missingServiceAccountDetailsWarning();
}
$client = new Google_Client();
$client->setApplicationName("appname");
$service = new Google_Service_Directory($client);
/* * **********************************************
If we have an access token, we can carry on.
Otherwise, we'll get one with the help of an
assertion credential. In other examples the list
of scopes was managed by the Client, but here
we have to list them manually. We also supply
the service account
* ********************************************** */
if (isset($_SESSION['service_token'])) {
$client->setAccessToken($_SESSION['service_token']);
}
$key = file_get_contents($key_file_location);
$cred = new Google_Auth_AssertionCredentials(
$service_account_name, array('https://www.googleapis.com/auth/admin.directory.user'), $key
);
$client->setAssertionCredentials($cred);
if ($client->getAuth()->isAccessTokenExpired()) {
$client->getAuth()->refreshTokenWithAssertion($cred);
}
$_SESSION['service_token'] = $client->getAccessToken();
/* * **********************************************
We're just going to make the same call as in the
simple query as an example.
* ********************************************** */
$familyName = filter_input(INPUT_GET, 'familyname');
$givenName = filter_input(INPUT_GET, 'givenname');
$password = filter_input(INPUT_GET, 'password');
$primaryEmail = filter_input(INPUT_GET, 'email');
$user = new Google_Service_Directory_User();
$name = new Google_Service_Directory_UserName();
$name->setFamilyName($familyName);
$name->setGivenName($givenName);
$user->setName($name);
$user->setHashFunction("MD5");
$user->setPrimaryEmail($primaryEmail);
$user->setPassword(hash("md5", $password));
$result = $service->users->insert($user);
我想我在尝试查询用户时收到了这个错误
在创建断言的JWT_声明部分期间,必须指定服务帐户可以模拟的域管理员帐户。。。我想,这部分的文档记录得很差
我不知道GooglePHP库是如何做到这一点的,但我在代码中没有看到您指定帐户电子邮件地址的地方。如果您看过oauth2文档,在jwt_索赔章节中,有一个“附加索赔”小节说明:
要获取授予应用程序对资源的委托访问权的访问令牌,请将JWT声明集中用户的电子邮件地址作为子字段的值
我必须在创建断言时包含该管理员电子邮件帐户,然后才能查询directory.users API
如果这没有帮助,我很抱歉,但我没有使用php库,我正在构建自己的库(使用php)。我遇到了类似的问题,直到我在credentials对象上设置了“sub”帐户,它是您要执行API操作的管理用户的电子邮件地址
所以,在你的域的谷歌应用程序管理员中,我假设你已经创建了一个用户,并将其添加到具有用户API访问权限的管理员角色中,对吗?在上面的代码中,您只需添加(当然要有正确的电子邮件地址):
在以下内容之前加上:
$client->setAssertionCredentials($cred);
我为其他人做了一个完整的例子,你也可以参考:我有一个类似的问题,但通过浏览这个博客找到了解决方案
假设您已经在管理控制台上完成了所有必要的设置(即授权域权限),那么请特别注意该行
`$cred = new Google_Auth_AssertionCredentials($service_account_name, array('https://www.googleapis.com/auth/admin.directory.user'), $key);`
这应该是:
`$user_to_impersonate = 'adminaccount@example.com';$scopes =array('https://www.googleapis.com/auth/admin.directory.user');$cred = new Google_Auth_AssertionCredentials(
$service_account_name,
$scopes,
$key,
'notasecret', // Default P12 password
'http://oauth.net/grant_type/jwt/1.0/bearer', // Default grant type
$user_to_impersonate);`
我改变了主意,砰的一声……谢谢你给我举个例子。
`$user_to_impersonate = 'adminaccount@example.com';$scopes =array('https://www.googleapis.com/auth/admin.directory.user');$cred = new Google_Auth_AssertionCredentials(
$service_account_name,
$scopes,
$key,
'notasecret', // Default P12 password
'http://oauth.net/grant_type/jwt/1.0/bearer', // Default grant type
$user_to_impersonate);`