I need to recover user info after javascript google login.
Authentication work fine and i send googleUser.Ka object to my php where there's this code
$api = new Google_Client();
$api->setApplicationName($this->_configCustomer['google']['api']['application_name']);
$api->setClientId($this->_configCustomer['google']['api']['client_id']); // Set Client ID
$api->setClientSecret($this->_configCustomer['google']['api']['client_secret']); //Set client Secret
$api->setAccessType('online'); // Access method
$api->setScopes(array('https://www.googleapis.com/auth/plus.login', 'https://www.googleapis.com/auth/plus.me', 'https://www.googleapis.com/auth/userinfo.email', 'https://www.googleapis.com/auth/userinfo.profile'));
//$api->setRedirectUri('http://www.infotuts.com/demo/googlelogin/login.php');
$service = new Google_Service_Plus($api);
$oauth2 = new \Google_Service_Oauth2($api);
$api->setAccessToken(json_encode($_POST));
//ADDED AFTER ERROR
if($api->isAccessTokenExpired()) {
$api->authenticate();
$NewAccessToken = json_decode($api->getAccessToken());
$api->refreshToken($NewAccessToken->refresh_token);
}
//END ADDED AFTER FIRST ERROR
//$api->authenticate($_POST['access_token']);
if ($api->getAccessToken()) {
$data = $service->people->get('me');
$user_data = $oauth2->userinfo->get();
var_dump($user_data);
die();
}
this code generate the error:
The OAuth 2.0 access token has expired, and a refresh token is not available. Refresh tokens are not returned for responses that were auto-approved.
i added code indicate from comment follow this link
OAuth 2.0 access token has expired, and a refresh token is not available
but in the last version of php authenticate method require $code parameter. What is it?
Thanks
i solved in this way
$api = new Google_Client();
$api->setApplicationName($this->_configCustomer['google']['api']['application_name']);
$api->setClientId($this->_configCustomer['google']['api']['client_id']); // Set Client ID
$api->setClientSecret($this->_configCustomer['google']['api']['client_secret']); //Set client Secret
$api->setAccessType('online'); // Access method
$api->setScopes(array('https://www.googleapis.com/auth/plus.login', 'https://www.googleapis.com/auth/plus.me', 'https://www.googleapis.com/auth/userinfo.email', 'https://www.googleapis.com/auth/userinfo.profile'));
$api->setRedirectUri('postmessage');
$result = $api->verifyIdToken($_POST['id_token']);
i send id_token, obtained from the ajax login, and recovery user info using verifyIdToken method of client library
Related
I previously worked on an OAuth2 application where the logic was to generate a new access token via refresh token once the old one expired.
Now working with Google APIs, I'm not experiencing the same thing. I have received both an access token and refresh token, and after allowing the access token to expire, I attempt to use the refresh token
var myToken = new TokenResponse
{
RefreshToken = sRefreshToken
};
var credentials = new UserCredential(new GoogleAuthorizationCodeFlow(
new GoogleAuthorizationCodeFlow.Initializer
{
ClientSecrets = new ClientSecrets
{
ClientId = clientId,
ClientSecret = clientSecret
}
}), "user", myToken);
service = new CalendarService(new BaseClientService.Initializer()
{
HttpClientInitializer = credentials,
ApplicationName = "XYZ",
});
It seems after doing so I can make API calls. But I have tried to retrieve the access/refresh tokens after doing this with:
ACCESS_TOKEN = credentials.Token.AccessToken;
REFRESH_TOKEN = credentials.Token.RefreshToken;
And both the access and refresh tokens are the same as the old ones. I had thought refreshing would generate a new token altogether? Is this not the case?
If the access token expires after 30 minutes and you then just need to pass in the refresh token (but nothing re-generates), what is the point of the refresh token?
I previously worked on an OAuth2 application where the logic was to generate a new access token via refresh token once the old one expired.
This idea also applies to Google access/refresh tokens. But if you're using the .NET client library (as your code snippet suggests), you don't have to perform the refreshes yourself. You can just continue using the UserCredential object and it'll automatically fetch a new access token every ~1h.
I am requesting access to the user's Google Classroom data with the following PHP code block:
public function getGoogleClassroomToken(){
if($this->user==null){
return ["result"=>"error","message"=>"You need to log in to do that!"];
}
if ($this->user['gc_token']) {
return ["result"=>"error","message"=>"User already has access token!"];
}
$client = new Google_Client();
$client->setApplicationName('example.com');
$client->setAuthConfig('/var/www/client_secret.json');
$client->setAccessType('offline');
$client->setPrompt('select_account consent');
$client->addScope(Google_Service_Classroom::CLASSROOM_COURSEWORK_STUDENTS);
$client->addScope(Google_Service_Classroom::CLASSROOM_COURSES_READONLY);
$client->addScope(Google_Service_Classroom::CLASSROOM_ROSTERS_READONLY);
$redirect_uri = 'https://example.com/gc.php';
$client->setRedirectUri($redirect_uri);
$authUrl = $client->createAuthUrl();
return ["result"=>"success","authUrl"=>$authUrl];
}
..which seems to work fine. I am then instantiating the Google Client with the following code block:
public function getGoogleClassroomClient(){
if($this->user==null){return false;}
if (!$this->user['gc_token']) {return false;}
$client = new Google_Client();
$client->setAuthConfig('/var/www/client_secret.json');
$client->setAccessToken((array)json_decode($this->user['gc_token']));
if ($client->isAccessTokenExpired()) {
if ($client->getRefreshToken()) {
$token = $client->fetchAccessTokenWithRefreshToken($client->getRefreshToken());
var_dump($token);
}
}
return $client;
}
.. which works fine UNLESS THE TOKEN HAS EXPIRED, in which case the $token variable outputs:
array(2) { ["error"]=> string(13) "invalid_grant" ["error_description"]=> string(11) "Bad Request" }
Does anyone know what could be going wrong here?
Answer
As per the Google APIs Client Library for PHP your refresh token can't be null without throwing this exception refresh token must be passed in or set as part of setAccessToken which makes sense because you are calling $client->getRefreshToken() and that returns 2 options: the refresh token or null.
If you take a look into the Google Identity Platform: Using OAuth 2.0 to Access Google APIs > Refresh token expiration it seems like your refresh token has expired, there are some possible scenarios:
The user has revoked your app's access.
The refresh token has not been used for six months.
The user changed passwords and the refresh token contains Gmail scopes.
The user account has exceeded a maximum number of granted (live) refresh tokens.
The client has reached a limit of 50 refresh tokens per account if it's not a service account.
Reference
Google API Client for PHP
Google Identity Platform: Using OAuth 2.0 to Access Google APIs
I can't get an offline access token with this code...
Why ?
$client = new Google_Client();
$client->setApplicationName('MyAppName');
$client->setScopes(array('https://www.googleapis.com/auth/plus.me'));
$client->setClientId('MyCientID');
$client->setClientSecret('MyClientSecret');
$client->setRedirectUri('http://mydomain.com/googlecallback');
$client->setApprovalPrompt('force');
$client->setAccessType('offline');
$client->setDeveloperKey('MyDeveloperKey');
$plus = new Google_Service_Plus($client);
header('Location: '.$client->createAuthUrl());
This is redirect to the google login page, which ask only for an 1hour access token...
I'm lost in the dark...
Thanks a lot!
EDIT :
here is my login page code :
$client = new Google_Client();
$client->setClientId('qvdsfvqdsf');
$client->setClientSecret('qsdfvqsdf');
$client->setRedirectUri('?a=callback');
$client->setDeveloperKey('qdcQSDCQSD');
$client->setApprovalPrompt('auto');
$client->setAccessType('offline');
$client->setScopes(array('https://www.googleapis.com/auth/plus.me'));
$plus = new Google_Service_Plus($client);
if($_GET['a'] == 'authorize'){
header('Location: '.$client->createAuthUrl());
}
elseif($_GET['a'] == 'callback' && isset($_GET['code']) && !isset($_GET['error'])){
$client->authenticate($_GET['code']);
if($client->getAccessToken()){
STORE ACCESS TOKEN
}
}
And my API usage :
$client = new Google_Client();
$client->setClientId('qsdfsqd');
$client->setClientSecret('qsdfqsd');
$client->setRedirectUri('qdfq');
$client->setDeveloperKey('sdfvsdf');
$client->setApprovalPrompt('auto');
$client->setAccessType('offline');
$client->setScopes(array('https://www.googleapis.com/auth/plus.me'));
$plus = new Google_Service_Plus($client);
$client->setAccessToken('STORED ACCESS TOKEN');
$activities = $plus->activities->listActivities('me', 'public', array('maxResults'=>10));
What I am doing wrong ?
You need to have the "http://mydomain.com/googlecallback" URL set as a redirect URI on the application settings page.
The $client->createAuthUrl() method creates the URL to the authentication page. After going to that page and authorizing the application, Google will redirect you back to /googlecallback with a query string param called 'code', which you should pass to the authenticate() method of the client. Only then you'll have access to the token.
Something like this (assuming this is on /googlecallback):
$client = new Google_Client();
$client->setApplicationName('MyAppName');
$client->setScopes(array('https://www.googleapis.com/auth/plus.me'));
$client->setClientId('MyCientID');
$client->setClientSecret('MyClientSecret');
$client->setRedirectUri('http://mydomain.com/googlecallback');
$client->setApprovalPrompt('force');
$client->setAccessType('offline');
$client->setDeveloperKey('MyDeveloperKey');
if (empty($_GET['code'])) {
header('Location: '.$client->createAuthUrl());
} else {
$client->authenticate($_GET['code']);
$access_token = $client->getAccessToken();
// save the token somewhere so you can use later
// without having to go to the auth page again
}
Finally got the answer :
Using $client->setApprovalPrompt('force'); was blocking the normal Google token refresh process, while $client->setApprovalPrompt('auto'); do it like a charm.
Thanks.
If a user has previously authenticated against the ClientID without requesting offline mode, and you then request offline mode, it wont give you the refresh token.
The user needs to de-authorize themselves from app and then re-authorize once the app will request offline mode.
I am trying to use the scribe oAuth plugin (in a grails environment). I am able to get the user to authorize my app and authenticate. I can then get the xml response. my question, though, is how do I re-query a users profile without having to have them re-authorize my app. Once they authorize it the first time, I capture their Token and Secret key. So, shouldn't I be able to re-query the profile (as long as they do not revoke their authorization.)? I was able to do this with the older version of the plugin. The problem is with creating a new token. I don't see a way to create the Authorization token without the Verifier and Request Token (which wont exist because my code is executing the query on their behalf, with their permission.)
If I try to create the token like this:
Token accessToken = new Token()
accessToken.secret="XXX"
accessToken.token = "YYY"
I get an initialization error.
I can't create it like this, because I dont have the Request token and verifier:
Token accessToken = service.getAccessToken(requestToken, verifier);
accessTokenSecret = accessToken.secret
accessTokenKey = accessToken.token
And If i dont have the access token object, I am unable to sign my request. The full code looks like this (assuming their is a request token and verifier)
OAuthService service=new ServiceBuilder()
.provider(LinkedInApi.class)
.apiKey(apiKey)
.apiSecret(apiSecret)
.build();
Verifier v = new Verifier(ver);
Token accessToken = service.getAccessToken(rt, v);
accessTokenSecret = accessToken.secret
accessTokenKey = accessToken.token
OAuthRequest request = new OAuthRequest(Verb.GET, apiUrl);
service.signRequest(accessToken, request);
Response response = request.send();
xmlString=response.getBody();
Thanks for your help
jason
well, after some time, I got this to work:
public getProfileWithTokens(getAccessToken, getAccessTokenSecret){
Token newAccessToken = new Token(getAccessToken, getAccessTokenSecret);
String xmlString =""
OAuthService service=new ServiceBuilder()
.provider(LinkedInApi.class)
.apiKey(apiKey)
.apiSecret(apiSecret)
.build();
OAuthRequest request = new OAuthRequest(Verb.GET, apiUrl);
service.signRequest(newAccessToken, request);
Response response = request.send();
xmlString=response.getBody();
}
I'm working with client who provided me with somewhat vague
instructions. Here's what I'm doing (using CommonsHttpOAuthConsumer as
consumer and DefaultOAuthProvider as provider)
I'm able to get response token from doing this:
String requestToken = provider.retrieveRequestToken
(OAuth.OUT_OF_BAND);
this is in form of URL with params so I'm parsing the actual token
out for example:
https://foobar.com/oauth/login_authorize?oauth_token=XRFCGPbES3M2bYZy...
Now - the instructions that I get say:
Given the request token obtained in step 1, login with the user’s
credentials (name and password) as POST parameters and sign the
request with the request token/secret
POST https://foobar.com/oauth/login_authorize
That's where I'm having difficulties. Obviously I have to input that
requestToken somewhere so I do this (post is HttpPost that contains user credentials):
consumer.setTokenWithSecret(requestToken, SECRET);
consumer.sign(post);
It doesn't work. It actually generates 200 status but what I get is a
generic error message.
retrieveRequestToken does not return a request token, it returns an authenticationUrl that you need to send your users to so they can sign in. Request token is saved in provider object.
String authenticationUrl = provider.retrieveRequestToken( call_back_url )
Note: According to the oauth standard the users sign in on the providers site with their credentials. After they have done that you (as a consumer) can get the Access Token and after that you can access their data on the providers site.
// After user has signed in
provider.retrieveAccessToken(null)
// access token is saved in provider and provider knows which consumer uses it
// so now you can sign with your consumer and connect with the request
URL url = new URL( protected_resources_url )
HttpURLConnection request = (HttpURLConnection) url.openConnection();
consumer.sign(request)
request.connect()
If you have the user credentials you can do the authorization in your script
// Using grails and functional-tests
get(authenticationUrl)
// Image the site shows a simple form with username/password and a login button
setRedirectEnabled false
form {
username = "mario"
password = "peach"
click "login"
}
And then do retrieveRequestToken and the code mentioned above
Hope this helps you
// Jonas