Asked  7 Months ago    Answers:  2   Viewed   34 times

I'm trying to make a server application to routinely pull Google Analytics data from my own GA account. Note, it is a personal, server-side application accessing my own data, i.e. there is no end-user accessing this application.

As such, I registered my application in the Google API Console as a Service Application, which gave me a Client ID and a Private Key. It is my understanding that Service Applications do NOT use Application Secret and Redirect URL as there is no end-user in this server-to-server authentication flow. Indeed, the Google API Console gave me no Secret and did not prompt me for a Redirect URL.

Unfortunately, I can not figure out how to authenticate my Service Application within Google's PHP Client API. There is extensive documentation on authenticating web applications with an end-user.

Google's documentation suggests it is possible to authenticate server-to-server by signing a JWT request with the private key. I just can't figure out how to do within the PHP client API (although I've browsed the source and there's definitely a script that signs a request with the private key.)

Am I missing something here? How can I perform authentication for a Service Application with my private key and the Google PHP client API?

Edited for clarity

 Answers

31

UPDATE July 21st, 2012

Google Analytics API V3 now supports OAuth2 tokens returned by a .p12-signed JWT request. That is, we can now use the Analytics API w/ service accounts.

Currently pulling 4 years of day-by-day metrics, just for the hell of it.

Here's a quick 'n' dirty step-by-step:

  1. Go to the Google API Console and create a new app

  2. In the Services tab, flip the Google Analytics switch

  3. In the API Access tab, click Create an OAuth2.0 Client ID

    • enter your name, upload a logo, and click Next

    • select the Service account option and press Create client ID

    • download your private key

  4. Now you're back on the API Access page. You'll see a section called Service account with a Client ID and Email address

    • Copy the email address (something like ####@developer.gserviceaccount.com)

    • Visit your GA Admin and add this email as a user to your properties

    • This is a must; you'll get cryptic errors otherwise.

  5. Get the latest Google PHP Client API via Github

    git submodule add https://github.com/google/google-api-php-client.git google-api-php-client-read-only
    
  6. Rock 'n' roll (thanks all for tips on updated class names):

    // api dependencies
    require_once(PATH_TO_API . 'Google/Client.php');
    require_once(PATH_TO_API . 'Google/Service/Analytics.php');
    
    // create client object and set app name
    $client = new Google_Client();
    $client->setApplicationName(APP_NAME); // name of your app
    
    // set assertion credentials
    $client->setAssertionCredentials(
      new Google_Auth_AssertionCredentials(
    
        APP_EMAIL, // email you added to GA
    
        array('https://www.googleapis.com/auth/analytics.readonly'),
    
        file_get_contents(PATH_TO_PRIVATE_KEY_FILE)  // keyfile you downloaded
    
    ));
    
    // other settings
    $client->setClientId(CLIENT_ID);           // from API console
    $client->setAccessType('offline_access');  // this may be unnecessary?
    
    // create service and get data
    $service = new Google_Service_Analytics($client);
    $service->data_ga->get($ids, $startDate, $endDate, $metrics, $optParams);
    

 

original workaround below


It seems that, despite ambiguous documentation, most Google APIs do not support service accounts yet, including Google Analytics. They cannot digest OAuth2 tokens returned by a .p12 signed JWT request. So, as of right now, you cannot use Google Analytics API V3 with a service account.

Workaround:

  1. In the Google API console, create a client application.

  2. Follow the steps in the Google PHP Client API examples to generate a client_auth_url using your client_id, client_secret, and redirect_uri

  3. Login to Google using cURL. (Be sure to use a cookie file!)

  4. Open the client_auth_url in cURL and complete the form. Make sure you set curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0); and curl_setopt($ch, CURLOPT_HEADER, 1); as the authorization_code will be in the Location: header of the response.

  5. Using your client_id, client_secret, redirect_uri, and the activation code from Step 4, post a request to the Google's OAuth2 Token machine. Make sure you include grant_type = "authorization_code" in your post fields.

  6. Hurray, you now have a refresh_token that never expires, and a working access_token! Post a request to the Google's OAuth2 Token machine with your client_id, client_secret, redirect_uri, and refresh_token when your access_token expires and you'll get a new one.

Wednesday, March 31, 2021
 
Karsten
answered 7 Months ago
83

One thing for starters you should change:

You instantiate the AnalyticsService twice. Take out the one you're not using:

$service = new Google_AnalyticsService($client);

See if that helps your problem at all.

Friday, August 6, 2021
 
talkhabi
answered 3 Months ago
Only authorized users can answer the question. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :