Skip to content
Advertisement

Google API – Auth server to server

I need a service to manipulate emails in a gmail account within a project developed in PHP Symfony…

I found this example : https://github.com/googleapis/google-api-php-client/blob/main/docs/oauth-server.md But more confusing than helping…

I wrote this code :

src/Service/Gmail.php

<?php

namespace AppService;

use GoogleClient;


class Gmail
{
    private GoogleServiceGmail $api;


    private function getGoogleClient(): Client
    {
        $credentialsPath = getenv('GOOGLE_APPLICATION_CREDENTIALS');
        if (empty($credentialsPath)) {
            throw new Exception('You need to set env var GOOGLE_APPLICATION_CREDENTIALS');
        }

        if (!file_exists($credentialsPath)) {
            throw new Exception('Credentials file path ' . getenv('GOOGLE_APPLICATION_CREDENTIALS') . ' set in GOOGLE_APPLICATION_CREDENTIALS does not exist');
        }

        $client = new Client();
        $client->useApplicationDefaultCredentials();
        return $client;
    }

    private function getApi(): GoogleServiceGmail
    {
        if (!isset($this->api)) {
            $this->api = new GoogleServiceGmail($this->getGoogleClient());
        }

        return $this->api;
    }

    public function getUserMessages($userId): GoogleServiceGmailListMessagesResponse
    {
        return $this->getApi()->users_messages->listUsersMessages($userId);
    }
}

Then I followed the steps described in Google Workspace for developers :

  1. Create a new project : https://developers.google.com/workspace/guides/create-project?hl=en
  2. Enable Gmail API : https://developers.google.com/workspace/guides/enable-apis?hl=en
  3. Create credentials for web application server-side : https://developers.google.com/workspace/guides/create-credentials?hl=en

But at this point I have no idea what type of credentials I need : “OAuth client ID” or a “Service account” ??? If I choose “Oauth client ID” I suppose I have to use the application type “Web application” with server side url ? Or do I choose “Service account” ?

With service account I got this error :

In REST.php line 134:
                                                                                                                                                                                        
  {                                                                                                                                                                                     
    "error": {                                                                                                                                                                          
      "code": 401,                                                                                                                                                                      
      "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.  
  google.com/identity/sign-in/web/devconsole-project.",                                                                                                                                 
      "errors": [                                                                                                                                                                       
        {                                                                                                                                                                               
          "message": "Login Required.",                                                                                                                                                 
          "domain": "global",                                                                                                                                                           
          "reason": "required",                                                                                                                                                         
          "location": "Authorization",                                                                                                                                                  
          "locationType": "header"                                                                                                                                                      
        }                                                                                                                                                                               
      ],                                                                                                                                                                                
      "status": "UNAUTHENTICATED",                                                                                                                                                      
      "details": [                                                                                                                                                                      
        {                                                                                                                                                                               
          "@type": "type.googleapis.com/google.rpc.ErrorInfo",                                                                                                                          
          "reason": "CREDENTIALS_MISSING",                                                                                                                                              
          "domain": "googleapis.com",                                                                                                                                                   
          "metadata": {                                                                                                                                                                 
            "service": "gmail.googleapis.com",                                                                                                                                          
            "method": "caribou.api.proto.MailboxService.ListMessages"                                                                                                                   
          }                                                                                                                                                                             
        }                                                                                                                                                                               
      ]                                                                                                                                                                                 
    }                                                                                                                                                                                   
  }

Advertisement

Answer

You have not proeprly authorized your service account to delegate to a user on your domain.

require_once('../../vendor/autoload.php');

// Some user within your workspace domain
$user_to_impersonate = "your@domain.com";

$sender = $user_to_impersonate;
$to = 'another@domain.com';
$subject = 'Hello';
$messageText = 'How are you doing?';

// The path to your service account credentials goes here.
putenv("GOOGLE_APPLICATION_CREDENTIALS=credentials.json");
$client = new Google_Client();
$client->useApplicationDefaultCredentials();
$client->setSubject($sender);
$client->setApplicationName("Quickstart");
$client->setScopes(["https://mail.google.com/"]);
$service = new Google_Service_Gmail($client);
User contributions licensed under: CC BY-SA
4 People found this is helpful
Advertisement