服务应用程序和谷歌分析API V3:服务器对服务器OAuth2身份验证?

时间:2021-06-19 15:16:06

I'm trying to make a server application to routinely pull Google Analytics data from my own GA account. Note, it is a personal, server-side application accessing my own data, i.e. there is no end-user accessing this application.

我正在尝试创建一个服务器应用程序,以便从我自己的GA帐户中定期提取谷歌分析数据。注意,它是一个个人的、服务器端应用程序,用于访问我自己的数据,即没有终端用户访问这个应用程序。

As such, I registered my application in the Google API Console as a Service Application, which gave me a Client ID and a Private Key. It is my understanding that Service Applications do NOT use Application Secret and Redirect URL as there is no end-user in this server-to-server authentication flow. Indeed, the Google API Console gave me no Secret and did not prompt me for a Redirect URL.

因此,我将应用程序注册到谷歌API控制台作为一个服务应用程序,这给了我一个客户端ID和一个私钥。我的理解是,服务应用程序不使用应用程序机密和重定向URL,因为在这个服务器到服务器的身份验证流中没有终端用户。实际上,谷歌API控制台没有告诉我任何秘密,也没有提示我输入重定向URL。

Unfortunately, I can not figure out how to authenticate my Service Application within Google's PHP Client API. There is extensive documentation on authenticating web applications with an end-user.

不幸的是,我不知道如何在谷歌的PHP客户端API中验证我的服务应用程序。有大量关于使用最终用户验证web应用程序的文档。

Google's documentation suggests it is possible to authenticate server-to-server by signing a JWT request with the private key. I just can't figure out how to do within the PHP client API (although I've browsed the source and there's definitely a script that signs a request with the private key.)

谷歌的文档表明,通过使用私钥签名JWT请求,可以对服务器对服务器进行身份验证。我只是不知道如何在PHP客户端API中进行操作(尽管我已经浏览了源代码,而且肯定有一个脚本用私钥签名请求)。

Am I missing something here? How can I perform authentication for a Service Application with my private key and the Google PHP client API?

我是不是漏掉了什么?如何使用私钥和谷歌PHP客户端API对服务应用程序执行身份验证?

Edited for clarity

编辑为了清晰

4 个解决方案

#1

107  

UPDATE July 21st, 2012

Google Analytics API V3 now supports OAuth2 tokens returned by a .p12-signed JWT request. That is, we can now use the Analytics API w/ service accounts.

谷歌分析API V3现在支持由.p12签名的JWT请求返回的OAuth2令牌。也就是说,我们现在可以使用分析API w/服务帐户。

Currently pulling 4 years of day-by-day metrics, just for the hell of it.

目前每天都要做4年的测量,只是为了好玩而已。

Here's a quick 'n' dirty step-by-step:

这里有一个快速的n' dirty步骤:

  1. Go to the Google API Console and create a new app

    转到谷歌API控制台并创建一个新的应用程序

  2. In the Services tab, flip the Google Analytics switch

    在Services选项卡中,翻转谷歌分析开关

  3. In the API Access tab, click Create an OAuth2.0 Client ID

    在API Access选项卡中,单击“创建OAuth2.0客户端ID”

    • enter your name, upload a logo, and click Next

      输入你的名字,上传一个标志,然后点击Next

    • select the Service account option and press Create client ID

      选择“服务帐户”选项并按“创建客户端ID”

    • download your private key

      下载您的私钥

  4. Now you're back on the API Access page. You'll see a section called Service account with a Client ID and Email address

    现在回到API访问页面。您将看到一个名为Service account的部分,其中包含客户ID和电子邮件地址

    • Copy the email address (something like ####@developer.gserviceaccount.com)

      复制电子邮件地址(类似###@developer.gserviceaccount.com)

    • Visit your GA Admin and add this email as a user to your properties

      访问您的GA管理员并将此电子邮件作为用户添加到您的属性

    • This is a must; you'll get cryptic errors otherwise.

      这是必须的;否则就会出现隐式错误。

  5. Get the latest Google PHP Client API via Github

    通过Github获取最新的谷歌PHP客户端API

    git submodule add https://github.com/google/google-api-php-client.git google-api-php-client-read-only

  6. Rock 'n' roll (thanks all for tips on updated class names):

    Rock 'n' roll(感谢所有更新类名的提示):

    // api dependencies
require_once(PATH_TO_API . 'Google/Client.php');
require_once(PATH_TO_API . 'Google/Service/Analytics.php');

// create client object and set app name
$client = new Google_Client();
$client->setApplicationName(APP_NAME); // name of your app

// set assertion credentials
$client->setAssertionCredentials(
  new Google_Auth_AssertionCredentials(

    APP_EMAIL, // email you added to GA

    array('https://www.googleapis.com/auth/analytics.readonly'),

    file_get_contents(PATH_TO_PRIVATE_KEY_FILE)  // keyfile you downloaded

));

// other settings
$client->setClientId(CLIENT_ID);           // from API console
$client->setAccessType('offline_access');  // this may be unnecessary?

// create service and get data
$service = new Google_Service_Analytics($client);
$service->data_ga->get($ids, $startDate, $endDate, $metrics, $optParams);

 

 

original workaround below

原来下面的解决方案

It seems that, despite ambiguous documentation, most Google APIs do not support service accounts yet, including Google Analytics. They cannot digest OAuth2 tokens returned by a .p12 signed JWT request. So, as of right now, you cannot use Google Analytics API V3 with a service account.

看起来,尽管文档不明确,但是大多数谷歌api还不支持服务帐户,包括谷歌Analytics。它们无法消化.p12签名的JWT请求返回的OAuth2令牌。因此,从现在开始,您不能使用谷歌分析API V3与服务帐户。

Workaround:

处理:

  1. In the Google API console, create a client application.

    在谷歌API控制台,创建一个客户端应用程序。

  2. Follow the steps in the Google PHP Client API examples to generate a client_auth_url using your client_id, client_secret, and redirect_uri

    按照谷歌PHP客户端API示例中的步骤,使用client_id、client_secret和redirect_uri生成一个client_auth_url

  3. Login to Google using cURL. (Be sure to use a cookie file!)

    使用cURL登录谷歌。(一定要使用cookie文件!)

  4. Open the client_auth_url in cURL and complete the form. Make sure you set curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0); and curl_setopt($ch, CURLOPT_HEADER, 1); as the authorization_code will be in the Location: header of the response.

    在cURL中打开client_auth_url并完成表单。确保设置了curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);和curl_setopt(ch美元CURLOPT_HEADER 1);正如authorization_code将位于位置:响应的头。

  5. Using your client_id, client_secret, redirect_uri, and the activation code from Step 4, post a request to the Google's OAuth2 Token machine. Make sure you include grant_type = "authorization_code" in your post fields.

    使用您的client_id、client_secret、redirect_uri和步骤4中的激活代码,向谷歌的OAuth2令牌机发出请求。确保在post字段中包含grant_type =“authorization_code”。

  6. Hurray, you now have a refresh_token that never expires, and a working access_token! Post a request to the Google's OAuth2 Token machine with your client_id, client_secret, redirect_uri, and refresh_token when your access_token expires and you'll get a new one.

    Hurray,您现在有了一个永不过期的refresh_token和一个工作的access_token!当access_token过期时,使用client_id、client_secret、redirect_uri和refresh_token向谷歌的OAuth2令牌机发送请求,您将获得一个新的。

#2

4  

The Google API PHP Client now supports service accounts on trunk.

谷歌API PHP客户端现在支持主干上的服务帐户。

The implementation hasn't been released yet, so you'll need to checkout the latest version of the PHP client.

实现还没有发布,所以您需要检查PHP客户机的最新版本。

I've prepared a sample application that demonstrates how you can use service accounts to hit the Google Prediction API. To view the example, take a peek at examples/prediction/serviceAccount.php or visit: http://code.google.com/p/google-api-php-client/source/browse/trunk/examples/prediction/serviceAccount.php

我准备了一个示例应用程序,演示如何使用服务帐户来实现谷歌预测API。要查看示例,请查看示例/预测/serviceAccount。php或访问:http://code.google.com/p/google-api-php-client/source/browse/trunk/examples/prediction/serviceAccount.php

#3

2  

If you are using Google's PHP client API then go to the Google API Console and click on API Access on the left.

如果您正在使用谷歌的PHP客户端API,那么请转到谷歌API控制台并单击左侧的API访问。

Then Create a Client ID. That will give you the secret and it is where you set your redirect URL. It won't give you a redirect URL - that is the URL the app sends the user back to after authenticating.

然后创建一个客户端ID,这会给你一个秘密,你可以在这里设置重定向URL。它不会给你重定向URL——这是应用程序在验证后发送给用户的URL。

There are other authentication methods you can look at.

您还可以查看其他的身份验证方法。

#4

2  

you can use very usefull php library GAPI (Google Analytics API PHP Interface) to access Google Analytics without OAuth. It's easy to use.

您可以使用非常有用的php库GAPI(谷歌Analytics API php接口)访问没有OAuth的谷歌分析。它很容易使用。

#1

107  

UPDATE July 21st, 2012

Google Analytics API V3 now supports OAuth2 tokens returned by a .p12-signed JWT request. That is, we can now use the Analytics API w/ service accounts.

谷歌分析API V3现在支持由.p12签名的JWT请求返回的OAuth2令牌。也就是说,我们现在可以使用分析API w/服务帐户。

Currently pulling 4 years of day-by-day metrics, just for the hell of it.

目前每天都要做4年的测量,只是为了好玩而已。

Here's a quick 'n' dirty step-by-step:

这里有一个快速的n' dirty步骤:

  1. Go to the Google API Console and create a new app

    转到谷歌API控制台并创建一个新的应用程序

  2. In the Services tab, flip the Google Analytics switch

    在Services选项卡中,翻转谷歌分析开关

  3. In the API Access tab, click Create an OAuth2.0 Client ID

    在API Access选项卡中,单击“创建OAuth2.0客户端ID”

    • enter your name, upload a logo, and click Next

      输入你的名字,上传一个标志,然后点击Next

    • select the Service account option and press Create client ID

      选择“服务帐户”选项并按“创建客户端ID”

    • download your private key

      下载您的私钥

  4. Now you're back on the API Access page. You'll see a section called Service account with a Client ID and Email address

    现在回到API访问页面。您将看到一个名为Service account的部分,其中包含客户ID和电子邮件地址

    • Copy the email address (something like ####@developer.gserviceaccount.com)

      复制电子邮件地址(类似###@developer.gserviceaccount.com)

    • Visit your GA Admin and add this email as a user to your properties

      访问您的GA管理员并将此电子邮件作为用户添加到您的属性

    • This is a must; you'll get cryptic errors otherwise.

      这是必须的;否则就会出现隐式错误。

  5. Get the latest Google PHP Client API via Github

    通过Github获取最新的谷歌PHP客户端API

    git submodule add https://github.com/google/google-api-php-client.git google-api-php-client-read-only

  6. Rock 'n' roll (thanks all for tips on updated class names):

    Rock 'n' roll(感谢所有更新类名的提示):

    // api dependencies
require_once(PATH_TO_API . 'Google/Client.php');
require_once(PATH_TO_API . 'Google/Service/Analytics.php');

// create client object and set app name
$client = new Google_Client();
$client->setApplicationName(APP_NAME); // name of your app

// set assertion credentials
$client->setAssertionCredentials(
  new Google_Auth_AssertionCredentials(

    APP_EMAIL, // email you added to GA

    array('https://www.googleapis.com/auth/analytics.readonly'),

    file_get_contents(PATH_TO_PRIVATE_KEY_FILE)  // keyfile you downloaded

));

// other settings
$client->setClientId(CLIENT_ID);           // from API console
$client->setAccessType('offline_access');  // this may be unnecessary?

// create service and get data
$service = new Google_Service_Analytics($client);
$service->data_ga->get($ids, $startDate, $endDate, $metrics, $optParams);

 

 

original workaround below

原来下面的解决方案

It seems that, despite ambiguous documentation, most Google APIs do not support service accounts yet, including Google Analytics. They cannot digest OAuth2 tokens returned by a .p12 signed JWT request. So, as of right now, you cannot use Google Analytics API V3 with a service account.

看起来,尽管文档不明确,但是大多数谷歌api还不支持服务帐户,包括谷歌Analytics。它们无法消化.p12签名的JWT请求返回的OAuth2令牌。因此,从现在开始,您不能使用谷歌分析API V3与服务帐户。

Workaround:

处理:

  1. In the Google API console, create a client application.

    在谷歌API控制台,创建一个客户端应用程序。

  2. Follow the steps in the Google PHP Client API examples to generate a client_auth_url using your client_id, client_secret, and redirect_uri

    按照谷歌PHP客户端API示例中的步骤,使用client_id、client_secret和redirect_uri生成一个client_auth_url

  3. Login to Google using cURL. (Be sure to use a cookie file!)

    使用cURL登录谷歌。(一定要使用cookie文件!)

  4. Open the client_auth_url in cURL and complete the form. Make sure you set curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0); and curl_setopt($ch, CURLOPT_HEADER, 1); as the authorization_code will be in the Location: header of the response.

    在cURL中打开client_auth_url并完成表单。确保设置了curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);和curl_setopt(ch美元CURLOPT_HEADER 1);正如authorization_code将位于位置:响应的头。

  5. Using your client_id, client_secret, redirect_uri, and the activation code from Step 4, post a request to the Google's OAuth2 Token machine. Make sure you include grant_type = "authorization_code" in your post fields.

    使用您的client_id、client_secret、redirect_uri和步骤4中的激活代码,向谷歌的OAuth2令牌机发出请求。确保在post字段中包含grant_type =“authorization_code”。

  6. Hurray, you now have a refresh_token that never expires, and a working access_token! Post a request to the Google's OAuth2 Token machine with your client_id, client_secret, redirect_uri, and refresh_token when your access_token expires and you'll get a new one.

    Hurray,您现在有了一个永不过期的refresh_token和一个工作的access_token!当access_token过期时,使用client_id、client_secret、redirect_uri和refresh_token向谷歌的OAuth2令牌机发送请求,您将获得一个新的。

#2

4  

The Google API PHP Client now supports service accounts on trunk.

谷歌API PHP客户端现在支持主干上的服务帐户。

The implementation hasn't been released yet, so you'll need to checkout the latest version of the PHP client.

实现还没有发布,所以您需要检查PHP客户机的最新版本。

I've prepared a sample application that demonstrates how you can use service accounts to hit the Google Prediction API. To view the example, take a peek at examples/prediction/serviceAccount.php or visit: http://code.google.com/p/google-api-php-client/source/browse/trunk/examples/prediction/serviceAccount.php

我准备了一个示例应用程序,演示如何使用服务帐户来实现谷歌预测API。要查看示例,请查看示例/预测/serviceAccount。php或访问:http://code.google.com/p/google-api-php-client/source/browse/trunk/examples/prediction/serviceAccount.php

#3

2  

If you are using Google's PHP client API then go to the Google API Console and click on API Access on the left.

如果您正在使用谷歌的PHP客户端API,那么请转到谷歌API控制台并单击左侧的API访问。

Then Create a Client ID. That will give you the secret and it is where you set your redirect URL. It won't give you a redirect URL - that is the URL the app sends the user back to after authenticating.

然后创建一个客户端ID,这会给你一个秘密,你可以在这里设置重定向URL。它不会给你重定向URL——这是应用程序在验证后发送给用户的URL。

There are other authentication methods you can look at.

您还可以查看其他的身份验证方法。

#4

2  

you can use very usefull php library GAPI (Google Analytics API PHP Interface) to access Google Analytics without OAuth. It's easy to use.

您可以使用非常有用的php库GAPI(谷歌Analytics API php接口)访问没有OAuth的谷歌分析。它很容易使用。

标签:

相关文章