問題描述

我正在嘗試制作一個服務器應用程序，以便定期從我自己的 GA 帳戶中提取 Google Analytics(分析)數據.請注意，它是訪問我自己數據的個人服務器端應用程序，即沒有最終用戶訪問此應用程序.

I'm trying to make a server application to routinely pull Google Analytics data from my own GA account. Note, it is a personal, server-side application accessing my own data, i.e. there is no end-user accessing this application.

因此，我在 Google API 控制臺 中將我的應用程序注冊為服務應用程序，它給了我一個客戶 ID 和一個私鑰.我的理解是，服務應用程序不使用應用程序機密和重定向 URL，因為在此服務器到服務器身份驗證流程中沒有最終用戶.事實上，Google API 控制臺沒有給我任何秘密，也沒有提示我輸入重定向 URL.

As such, I registered my application in the Google API Console as a Service Application, which gave me a Client ID and a Private Key. It is my understanding that Service Applications do NOT use Application Secret and Redirect URL as there is no end-user in this server-to-server authentication flow. Indeed, the Google API Console gave me no Secret and did not prompt me for a Redirect URL.

不幸的是，我無法弄清楚如何在 Google 的內部驗證我的服務應用程序PHP 客戶端 API.有大量關于向最終用戶驗證 Web 應用程序的文檔.

Unfortunately, I can not figure out how to authenticate my Service Application within Google's PHP Client API. There is extensive documentation on authenticating web applications with an end-user.

Google 的文檔建議 可以通過使用私鑰.我只是不知道如何在 PHP 客戶端 API 中執行(盡管我已經瀏覽了源代碼并且有 絕對是一個用私鑰簽署請求的腳本.)

Google's documentation suggests it is possible to authenticate server-to-server by signing a JWT request with the private key. I just can't figure out how to do within the PHP client API (although I've browsed the source and there's definitely a script that signs a request with the private key.)

我在這里遺漏了什么嗎?如何使用我的私鑰和 Google PHP 客戶端 API 對服務應用程序執行身份驗證?

Am I missing something here? How can I perform authentication for a Service Application with my private key and the Google PHP client API?

為清晰起見進行了編輯

推薦答案

2012 年 7 月 21 日更新

Google Analytics API V3 現在支持由 .p12 簽名的 JWT 請求返回的 OAuth2 令牌.也就是說，我們現在可以使用帶有服務帳戶的 Analytics API.

目前正在提取 4 年的逐日指標，只是為了它.

Currently pulling 4 years of day-by-day metrics, just for the hell of it.

這是一個快速的n"步驟:

Here's a quick 'n' dirty step-by-step:

1. 轉到 Google API 控制臺并創建一個新應用

在服務標簽中，打開Google Analytics開關

在API 訪問選項卡中，點擊創建 OAuth2.0 客戶端 ID

• 輸入您的姓名，上傳徽標，然后單擊下一步

選擇服務帳戶選項，然后按創建客戶 ID

下載您的私鑰

現在您又回到了API 訪問頁面.您將看到一個名為服務帳戶的部分，其中包含一個客戶 ID 和電子郵件地址

Now you're back on the API Access page. You'll see a section called Service account with a Client ID and Email address

• 復制電子郵件地址(類似于####@developer.gserviceaccount.com)

訪問您的GA管理員并將此電子郵件添加為用戶到您的屬性

這是必須的；否則你會得到神秘的錯誤.

This is a must; you'll get cryptic errors otherwise.

通過 Github 獲取最新的 Google PHP 客戶端 API

Get the latest Google PHP Client API via Github

git submodule add https://github.com/google/google-api-php-client.git google-api-php-client-read-only

// api dependencies
require_once(PATH_TO_API . 'Google/Client.php');
require_once(PATH_TO_API . 'Google/Service/Analytics.php');

// create client object and set app name
$client = new Google_Client();
$client->setApplicationName(APP_NAME); // name of your app

// set assertion credentials
$client->setAssertionCredentials(
  new Google_Auth_AssertionCredentials(

    APP_EMAIL, // email you added to GA

    array('https://www.googleapis.com/auth/analytics.readonly'),

    file_get_contents(PATH_TO_PRIVATE_KEY_FILE)  // keyfile you downloaded

));

// other settings
$client->setClientId(CLIENT_ID);           // from API console
$client->setAccessType('offline_access');  // this may be unnecessary?

// create service and get data
$service = new Google_Service_Analytics($client);
$service->data_ga->get($ids, $startDate, $endDate, $metrics, $optParams);

_{下面的原始解決方法}

似乎，盡管文檔含糊不清，大多數 Google API 都可以尚不支持服務帳戶，包括 Google Analytics.他們無法消化 .p12 簽名的 JWT 請求返回的 OAuth2 令牌.所以，就目前而言，您不能將 Google Analytics API V3 與服務帳號.

It seems that, despite ambiguous documentation, most Google APIs do not support service accounts yet, including Google Analytics. They cannot digest OAuth2 tokens returned by a .p12 signed JWT request. So, as of right now, you cannot use Google Analytics API V3 with a service account.

解決方法:

1. 在 Google API 控制臺中，創建一個 客戶端應用程序.

1. In the Google API console, create a client application.

按照 Google PHP Client API 示例中的步驟生成client_auth_url 使用您的 client_id、client_secret、和 redirect_uri

Follow the steps in the Google PHP Client API examples to generate a client_auth_url using your client_id, client_secret, and redirect_uri

使用 cURL 登錄 Google.(一定要使用cookie文件！)

Login to Google using cURL. (Be sure to use a cookie file!)

在 cURL 中打開 client_auth_url 并完成表單.確保你設置了 curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0); 和curl_setopt($ch, CURLOPT_HEADER, 1); 作為authorization_code將位于響應的 Location: 標頭中.

Open the client_auth_url in cURL and complete the form. Make sure you set curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0); and curl_setopt($ch, CURLOPT_HEADER, 1); as the authorization_code will be in the Location: header of the response.

使用您的 client_id、client_secret、redirect_uri 和第 4 步中的激活碼，向 Google 的 OAuth2令牌機.確保包含 grant_type =authorization_code" 在您的帖子字段中.

Using your client_id, client_secret, redirect_uri, and the activation code from Step 4, post a request to the Google's OAuth2 Token machine. Make sure you include grant_type = "authorization_code" in your post fields.

萬歲，您現在擁有一個永不過期的 refresh_token 和一個有效的 access_token！向 Google 的 OAuth2 令牌發布請求機器和你的client_id、client_secret、redirect_uri，和 refresh_token 當您的 access_token 到期時，您將獲得新的.

Hurray, you now have a refresh_token that never expires, and a working access_token! Post a request to the Google's OAuth2 Token machine with your client_id, client_secret, redirect_uri, and refresh_token when your access_token expires and you'll get a new one.

這篇關于服務應用程序和 Google Analytics API V3:服務器到服務器 OAuth2 身份驗證?的文章就介紹到這了，希望我們推薦的答案對大家有所幫助，也希望大家多多支持html5模板網！