Overview
OAuth 2.0 is an emerging standard for accessing protected resources on the web. The Google APIs and the google-api-php-client library support OAuth 2.0.
Use OAuth 2.0 to access protected data through the Google APIs. Google APIs support a variety of flows designed to support different types of client applications. With all of these flows the client application requests an access token that is associated with only your client application and the owner of the protected data being accessed. The access token is also associated with a limited scope that defines the kind of data your client application has access to (for example "Manage your tasks"). An important goal for OAuth 2.0 is to provide secure and convenient access to the protected data, while minimizing the potential impact if an access token is stolen.
Google APIs Console
Before you can use OAuth 2.0, you must register your application using the Google APIs Console.
Visit the Google API Console to generate your developer key, OAuth2 client id, OAuth2 client secret, and register your OAuth2 redirect uri. Copy their values since you will need to input them in your application.
- From the "Services" screen, activate access to the API you want to use.
- Click on "API Access" in the left column
- Click the button labeled "Create an OAuth2 client ID"
- Give your application a name and click "Next"
- Select your "Application type"
- Click "Create client ID"
- Click "Edit..." for your new client ID
- Under the callback URL, enter the fully qualified URL for your PHP application (example http://localhost/googleplus/index.php).
Web Application
Now that you've registered your application with the Google APIs Console, you can create a web application that uses OAuth 2.0. Here is an example demonstrating how to do authentication with OAuth 2.0 in a web application. The full code for this sample is in the repository.
<?php
session_start(); // the access token is stored in $_SESSION below
require_once 'path/to/Google_Client.php';

$client = new Google_Client();
$client->setClientId('insert_your_oauth2_client_id');
$client->setClientSecret('insert_your_oauth2_client_secret');
$client->setRedirectUri('insert_your_oauth2_redirect_uri');
$client->setDeveloperKey('insert_your_developer_key');
If the user has been redirected back to our page with an authorization code, exchange the code for an access token.
if (isset($_GET['code'])) {
  // authenticate() reads $_GET['code'] and exchanges it for an access token
  $client->authenticate();
  $_SESSION['token'] = $client->getAccessToken();
  // Redirect back to this page without the ?code= parameter so the code is not reused
  header('Location: http://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']);
  exit;
}
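The snippet above only shows the callback half of the flow. The following is an added example, not code from the page or from the google-api-php-client repository, that carries the same Google_Client configuration through a complete authorization-code flow: sending the user to Google, validating the callback, storing the token in the session, and revoking it on logout. It assumes the library's setScopes(), setState(), createAuthUrl() and revokeToken() methods (not shown on this page) and a helper selfUrl() defined here; the state parameter is generated and checked so that a callback carrying someone else's authorization code is rejected rather than bound to this user's session.

```php
<?php
// Added example: full OAuth 2.0 web flow with the Google_Client API.
// Placeholder credentials are the same as in the page's snippet.
session_start();
require_once 'path/to/Google_Client.php';

$client = new Google_Client();
$client->setClientId('insert_your_oauth2_client_id');
$client->setClientSecret('insert_your_oauth2_client_secret');
$client->setRedirectUri('insert_your_oauth2_redirect_uri');
$client->setDeveloperKey('insert_your_developer_key');
// Request only the scope the application needs (assumed scope value).
$client->setScopes(array('https://www.googleapis.com/auth/userinfo.profile'));

// Builds the URL of this script, honouring HTTPS when the server uses it (helper defined here).
function selfUrl() {
  $scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
  return $scheme . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
}

// Logout: revoke the token at Google and forget it locally.
if (isset($_GET['logout'])) {
  if (isset($_SESSION['token'])) {
    $client->setAccessToken($_SESSION['token']);
    $client->revokeToken();
  }
  unset($_SESSION['token']);
  header('Location: ' . selfUrl());
  exit;
}

// Callback from Google: ?code=...&state=...
if (isset($_GET['code'])) {
  // Reject the callback unless the state matches the one generated for this session.
  if (!isset($_GET['state'], $_SESSION['oauth_state'])
      || $_GET['state'] !== $_SESSION['oauth_state']) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid OAuth state');
  }
  unset($_SESSION['oauth_state']);      // state values are single-use
  $client->authenticate();               // exchanges $_GET['code'] for a token
  $_SESSION['token'] = $client->getAccessToken();
  header('Location: ' . selfUrl());      // drop ?code= from the URL
  exit;
}

// A token stored by an earlier request.
if (isset($_SESSION['token'])) {
  $client->setAccessToken($_SESSION['token']);
}

if ($client->getAccessToken()) {
  // Persist the token again: the library may have refreshed it during this request.
  $_SESSION['token'] = $client->getAccessToken();
  echo 'Authorized. <a href="?logout=1">Log out</a>';
} else {
  // Not yet authorized: mint a fresh, unguessable state and send the user to Google.
  $state = bin2hex(openssl_random_pseudo_bytes(16));
  $_SESSION['oauth_state'] = $state;
  $client->setState($state);
  $authUrl = $client->createAuthUrl();
  echo '<a href="' . htmlspecialchars($authUrl) . '">Connect with Google</a>';
}
```

Two points worth noting: the token is written back to the session after every request, because this library refreshes an expired token transparently and the refreshed value would otherwise be lost; and the redirect target comes from selfUrl() rather than a hard-coded http:// prefix, so a deployment behind TLS does not bounce the user back to a plaintext URL.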
Service Accounts
Service Accounts provide certificate-based authentication for server-to-server interactions. This means, for example, that a request from a web application to Google Cloud Storage can be authenticated via a certificate instead of a shared key. Certificates offer better security properties than shared keys and passwords, largely because they are not human-readable or guessable.
Warning: Very few Google APIs currently support Service Accounts. Service accounts are currently supported by the following Google developer services:
- Google Cloud Storage
- Google Prediction API
- Google URL Shortener
- Google OAuth 2.0 Authorization Server
- Google BigQuery
To get started:
- Visit https://code.google.com/apis/console
- Press the down arrow in the left panel (under the Google APIs logo).
- Press create.
- Name your project "Prediction Test Project".
- Press create project.
- Now a list of APIs should appear. You want to find "Prediction API" and switch that API to "ON".
- Select the API Access tab on the left side.
- Press "Create OAuth 2.0 Client" and create your client.
- Select Service Account as the application type.
- Press Download private key.
Now open the examples/prediction/serviceAccount.php sample application in your editor.
- Make sure you have a recent version of the Google APIs PHP Client downloaded from here.
- Replace CLIENT_ID with your newly generated clientId. It should look like:
xxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
- Replace SERVICE_ACCOUNT_NAME with the email address. It should look like:
xxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@developer.gserviceaccount.com
- Replace KEY_FILE with the path to your private key. Make sure it is saved in a safe place and is readable by the sample app.
// Set your client id, service account name, and the path to your private key.
// For more information about obtaining these keys, visit:
// https://developers.google.com/console/help/#service_accounts
const CLIENT_ID = 'insert_your_client_id';
const SERVICE_ACCOUNT_NAME = 'insert_your_service_account_name';
// Make sure you keep your key.p12 file in a secure location and that it
// isn't readable by others.
const KEY_FILE = '/super/secret/path/to/key.p12';
// Load the key in PKCS 12 format (you need to download this from the
// Google API Console when the service account is created).
$client = new Google_Client();
...
$key = file_get_contents(KEY_FILE);
$client->setClientId(CLIENT_ID);
$client->setAssertionCredentials(new Google_AssertionCredentials(
  SERVICE_ACCOUNT_NAME,
  array('https://www.googleapis.com/auth/prediction'),
  $key
));
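The excerpt above asks that the key file be kept where others cannot read it but does not check that. The following is an added example, not the project's serviceAccount.php sample, that wraps the same Google_Client and Google_AssertionCredentials calls in two helpers: loadPrivateKey() refuses to start if the PKCS#12 file is missing or is readable by group or others, and buildServiceAccountClient() builds the client. It then caches the bearer token in the session the way the page's web-application snippet does, so a new assertion is not signed on every request. The helper names and the SCOPE constant are this example's own; the permission check assumes a POSIX filesystem, where fileperms() is meaningful.

```php
<?php
// Added example: service-account client with a key-file permission check
// and session-cached token. Placeholders are the same as in the page's snippet.
session_start();
require_once 'path/to/Google_Client.php';

const CLIENT_ID = 'insert_your_client_id';
const SERVICE_ACCOUNT_NAME = 'insert_your_service_account_name';
const KEY_FILE = '/super/secret/path/to/key.p12';
const SCOPE = 'https://www.googleapis.com/auth/prediction';

/**
 * Read the PKCS#12 key, refusing to proceed if the file is missing, unreadable,
 * or readable by group/others (POSIX permission bits assumed).
 */
function loadPrivateKey($path) {
  if (!is_file($path) || !is_readable($path)) {
    throw new RuntimeException("Key file not found or not readable: $path");
  }
  $mode = fileperms($path) & 0777;
  if ($mode & 0077) {
    throw new RuntimeException(sprintf(
      'Key file %s has mode %04o; restrict it to the application user (e.g. chmod 600)',
      $path, $mode));
  }
  $key = file_get_contents($path);
  if ($key === false || $key === '') {
    throw new RuntimeException("Could not read key file: $path");
  }
  return $key;
}

/** Build a Google_Client that authenticates with a signed assertion. */
function buildServiceAccountClient() {
  $client = new Google_Client();
  $client->setClientId(CLIENT_ID);
  $client->setAssertionCredentials(new Google_AssertionCredentials(
    SERVICE_ACCOUNT_NAME,
    array(SCOPE),
    loadPrivateKey(KEY_FILE)
  ));
  return $client;
}

$client = buildServiceAccountClient();

// Reuse a token obtained on a previous request instead of signing a new
// assertion each time; the library refreshes it when it expires.
if (isset($_SESSION['service_token'])) {
  $client->setAccessToken($_SESSION['service_token']);
}

// ... make API calls with $client here (see the Prediction sample referenced below) ...

// Persist whatever token the client holds now (it may have been refreshed).
if ($client->getAccessToken()) {
  $_SESSION['service_token'] = $client->getAccessToken();
}
```

The permission check fails closed: a world-readable key is treated as a deployment error rather than silently used, since anyone who can read key.p12 can mint bearer tokens for this service account.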
There is a full sample of using the Prediction API with a Service account.
Learn more about Service accounts from the announcement.
Solving invalid_grant errors
Make sure your server's clock is in sync with NTP.
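A service-account request is a signed JWT assertion carrying issued-at and expiry times that Google checks against its own clock, which is why a server whose clock has drifted gets invalid_grant. The following is an added diagnostic, not code from the page, that measures the drift from inside PHP by comparing the local clock with the Date header returned by Google's authorization host. The host URL and the 60-second tolerance are this example's assumptions; it needs network access to run.

```php
<?php
// Added example: estimate local clock drift against a remote server's Date header.
const REMOTE_URL = 'https://accounts.google.com/';  // assumed host to compare against
const MAX_SKEW_SECONDS = 60;                         // assumed tolerance

/**
 * Returns the number of seconds the local clock is ahead (+) or behind (-)
 * the remote server's clock, or null if no Date header could be read.
 */
function clockSkewSeconds($url) {
  $headers = @get_headers($url, 1);
  if ($headers === false || !isset($headers['Date'])) {
    return null;
  }
  // get_headers() returns an array for a header that appeared more than once
  // (e.g. across redirects); use the last response's value.
  $date = is_array($headers['Date']) ? end($headers['Date']) : $headers['Date'];
  $remote = strtotime($date);
  return ($remote === false) ? null : time() - $remote;
}

$skew = clockSkewSeconds(REMOTE_URL);
if ($skew === null) {
  echo 'Could not determine remote time; check network access to ' . REMOTE_URL . "\n";
} elseif (abs($skew) > MAX_SKEW_SECONDS) {
  printf("Local clock is %+d seconds off; sync it with NTP before retrying the token request\n", $skew);
} else {
  printf("Clock skew is %+d seconds, within tolerance; invalid_grant likely has another cause\n", $skew);
}
```

Run this on the machine that signs the assertions, not on a developer workstation: the relevant clock is the one that stamps the JWT.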