
Google Coordinate OAuth2 with Service Account

I have a C# console application with the Google Coordinate .Net library and Service Account open authentication.

private const string SERVICE_ACCOUNT_EMAIL = "XXX@developer.gserviceaccount.com";
private const string SERVICE_ACCOUNT_PKCS12_FILE_PATH = @"<path-to-private-key-file>\YYY-privatekey.p12";
private const string GOOGLE_COORDINATE_TEAM_ID = "ZZZ";

private CoordinateService BuildService()
{
    X509Certificate2 certificate = new X509Certificate2(SERVICE_ACCOUNT_PKCS12_FILE_PATH, "notasecret", X509KeyStorageFlags.Exportable);

    var provider = new AssertionFlowClient(GoogleAuthenticationServer.Description, certificate){
        ServiceAccountId = SERVICE_ACCOUNT_EMAIL,
        Scope = CoordinateService.Scopes.Coordinate.GetStringValue()
    };
    var auth = new OAuth2Authenticator<AssertionFlowClient>(provider, AssertionFlowClient.GetState);

    return new CoordinateService(new BaseClientService.Initializer(){
        Authenticator = auth
    });
}

//some code that retrieves data from coordinate service
public void DoSomething()
{
    CoordinateService service = BuildService();
    var response = service.Jobs.List(GOOGLE_COORDINATE_TEAM_ID).Fetch();
    ...
}

On retrieving the list of jobs from the Coordinate Service, a DotNetOpenAuth.Messaging.ProtocolException occurred (inner exception "The remote server returned an error: (400) Bad Request"). Using Fiddler I managed to see the response from the Google OAuth service. JSON response object:

{
  "error" : "invalid_grant"
}

I have read some articles that suggest changing the local server time in order to match the Google OAuth server time. But after changing the time in one direction and the other, the problem remains the same. Could you please give me some ideas why this is happening? Thanks for all responses!

Service accounts cannot be used with the Coordinate API. [This is because the Coordinate API requires authenticated API users to have a Coordinate license, but it is not possible to attach a Coordinate license to a service account.]

You can use the web server flow instead; please find the sample below.

Make sure to update the code below, where there are comments containing "TO UPDATE".

using System;
using System.Diagnostics;
using System.Collections.Generic;
using DotNetOpenAuth.OAuth2;
using Google.Apis.Authentication.OAuth2;
using Google.Apis.Authentication.OAuth2.DotNetOpenAuth;
using Google.Apis.Coordinate.v1;
using Google.Apis.Coordinate.v1.Data;
using Google.Apis.Services; // BaseClientService.Initializer

namespace Google.Apis.Samples.CoordinateOAuth2
{ 
    /// <summary> 
    /// This sample demonstrates the simplest use case for an OAuth2 service. 
    /// The schema provided here can be applied to every request requiring authentication. 
    /// </summary> 
    public class ProgramWebServer
    { 
        public static void Main (string[] args)
        { 
            // TO UPDATE, can be found in the Coordinate application URL
            String TEAM_ID = "jskdQ--xKjFiFqLO-IpIlg"; 

            // Register the authenticator. 
            var provider = new WebServerClient (GoogleAuthenticationServer.Description);
            // TO UPDATE, can be found in the APIs Console.
            provider.ClientIdentifier = "335858260352.apps.googleusercontent.com";
            // TO UPDATE, can be found in the APIs Console.
            provider.ClientSecret = "yAMx-sR[truncated]fX9ghtPRI"; 
            var auth = new OAuth2Authenticator<WebServerClient> (provider, GetAuthorization); 

            // Create the service. 
            var service = new CoordinateService(new BaseClientService.Initializer()
                       {
                          Authenticator = auth
                       });

            //Create a Job Resource for optional parameters https://developers.google.com/coordinate/v1/jobs#resource 
            Job jobBody = new Job (); 
            jobBody.Kind = "Coordinate#job"; 
            jobBody.State = new JobState (); 
            jobBody.State.Kind = "coordinate#jobState"; 
            jobBody.State.Assignee = "user@example.com"; 


            //Create the Job 
            JobsResource.InsertRequest ins = service.Jobs.Insert (jobBody, TEAM_ID, "My Home", "51", "0", "Created this Job with the .Net Client Library");
            Job results = ins.Fetch (); 

            //Display the response 
            Console.WriteLine ("Job ID:"); 
            Console.WriteLine (results.Id.ToString ()); 
            Console.WriteLine ("Press any Key to Continue"); 
            Console.ReadKey (); 
        }

        private static IAuthorizationState GetAuthorization (WebServerClient client)
        { 
            IAuthorizationState state = new AuthorizationState (new[] { "https://www.googleapis.com/auth/coordinate" }); 
            // The refresh token has already been retrieved offline
            // In a real-world application, this has to be stored securely, since this token
            // gives access to all user data on the Coordinate scope, for the user who accepted the OAuth2 flow
            // TO UPDATE (see below the sample for instructions)
            state.RefreshToken = "1/0KuRg-fh9yO[truncated]yNVQcXcVYlfXg";

            return state;
        } 

    } 
}

A refresh token can be retrieved by using the OAuth2 Playground:

  • In the APIs Console, add the OAuth Playground URL, https://developers.google.com/oauthplayground , as an authorized redirect URI (we'll need that when we retrieve a refresh token in the OAuth Playground, below).
  • Go to the OAuth Playground, in a browser session that has your API user authenticated (this user needs to have a Coordinate license). Make sure to provide your own OAuth2 client ID (Settings > Use your own OAuth credentials). Otherwise, your refresh token will be tied to the OAuth2 playground's internal OAuth2 client ID, and will be rejected when you want to use the refresh token with your own client IDs to get an access token.
  • Use the scope https://www.googleapis.com/auth/coordinate. In Step 1, hit “Authorize the API”. In Step 2, hit “Exchange Authorization codes for tokens”.
  • Copy the refresh token in your code. Keep it secure.
  • This refresh token does not expire, so your app will stay authenticated.
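
One way to keep the refresh token out of source code, as the sample's comment asks, is to store it encrypted with Windows DPAPI and load it inside GetAuthorization. This is an added example, not part of the original answer; the class name, file location and entropy string are hypothetical, and on .NET Framework the project needs a reference to the System.Security assembly.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not part of the original answer. Class and file names are hypothetical.
public static class RefreshTokenStore
{
    // Assumed location under the current user's profile.
    private static readonly string TokenPath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "CoordinateSample", "refresh_token.bin");

    // Optional entropy ties the blob to this application; hard-coded, so not a secret.
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("CoordinateSample.RefreshToken");

    // Run once, after copying the refresh token from the OAuth Playground.
    public static void Save(string refreshToken)
    {
        if (string.IsNullOrWhiteSpace(refreshToken))
            throw new ArgumentException("Refresh token is empty.", "refreshToken");

        // DPAPI encrypts with a key derived from the Windows user's credentials.
        byte[] cipher = ProtectedData.Protect(
            Encoding.UTF8.GetBytes(refreshToken), Entropy, DataProtectionScope.CurrentUser);
        Directory.CreateDirectory(Path.GetDirectoryName(TokenPath));
        File.WriteAllBytes(TokenPath, cipher);
    }

    // Call from GetAuthorization: state.RefreshToken = RefreshTokenStore.Load();
    public static string Load()
    {
        if (!File.Exists(TokenPath))
            throw new InvalidOperationException("No stored refresh token; call Save first.");
        try
        {
            byte[] plain = ProtectedData.Unprotect(
                File.ReadAllBytes(TokenPath), Entropy, DataProtectionScope.CurrentUser);
            return Encoding.UTF8.GetString(plain);
        }
        catch (CryptographicException ex)
        {
            // Raised when the file was copied to another user or machine, or altered.
            throw new InvalidOperationException("Stored refresh token cannot be decrypted.", ex);
        }
    }
}
```

The same store can hold the value assigned to provider.ClientSecret, so neither credential ends up in version control.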
