Documentation

If you'd like to see more examples or want more information about how to use the library, please file a feature request in our issue tracker explaining what you'd like to see.

OAuth2  
OAuth 2.0 in the client library
Updated May 16, 2012 by chirags@google.com

Overview

OAuth 2.0 is an emerging standard for accessing protected resources on the web. The Google APIs and the google-api-php-client library support OAuth 2.0.

Further Reading

Overview

Use OAuth 2.0 to access protected data through the Google APIs. Google APIs support a variety of flows designed to support different types of client applications. With all of these flows the client application requests an access token that is associated with only your client application and the owner of the protected data being accessed. The access token is also associated with a limited scope that defines the kind of data your client application has access to (for example "Manage your tasks"). An important goal for OAuth 2.0 is to provide secure and convenient access to the protected data, while minimizing the potential impact if an access token is stolen.

Google APIs Console

Before you can use OAuth 2.0, you must register your application using the Google APIs Console.

Visit the Google API Console to generate your developer key, OAuth2 client ID and OAuth2 client secret, and to register your OAuth2 redirect URI. Copy their values, since you will need to enter them in your application.

  • From the "Services" screen, activate access to the API you want to use.
  • Click on "API Access" in the left column
  • Click the button labeled "Create an OAuth2 client ID"
  • Give your application a name and click "Next"
  • Select your "Application type"
  • Click "Create client ID"
  • Click "Edit..." for your new client ID
  • Under the callback URL, enter the fully qualified URL for your PHP application (for example, http://localhost/googleplus/index.php).

Web Application

Now that you've registered your application with the Google APIs Console, you can create a web application that uses OAuth 2.0. Here is an example demonstrating how to authenticate with OAuth 2.0 in a web application. The full code for this sample is in the repository.

<?php
require_once 'path/to/apiClient.php';

$client = new apiClient();
$client->setClientId('insert_your_oauth2_client_id');
$client->setClientSecret('insert_your_oauth2_client_secret');
$client->setRedirectUri('insert_your_oauth2_redirect_uri');
$client->setDeveloperKey('insert_your_developer_key');

Service Accounts

Service Accounts provide certificate-based authentication for server-to-server interactions. This means, for example, that a request from a web application to Google Cloud Storage can be authenticated via a certificate instead of a shared key. Certificates offer better security properties than shared keys and passwords, largely because they are not human-readable or guessable.

To get started:

  1. Visit https://code.google.com/apis/console
  2. Press the down arrow in the left panel (under the Google APIs logo).
  3. Press create.
  4. Name your project "Prediction Test Project".
  5. Press create project.
  6. Now a list of APIs should appear. You want to find "Prediction API" and switch that API to "ON".
  7. Select the API Access tab on the left side.
  8. Press "Create OAuth 2.0 Client" and create your client.
  9. Select Service Account as the application type.
  10. Press Download private key.

Now open the examples/prediction/serviceAccount.php sample application in your editor.

  • Make sure you have a recent version of the Google APIs PHP Client checked out from trunk.
  • Replace CLIENT_ID with your newly generated clientId. It should look like: xxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com
  • Replace SERVICE_ACCOUNT_NAME with the email address. It should look like: xxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@developer.gserviceaccount.com
  • Replace KEY_FILE with the path to your private key. Make sure it is saved in a safe place and is readable by the sample app.

// Set your client id, service account name, and the path to your private key.
// For more information about obtaining these keys, visit:
// https://developers.google.com/console/help/#service_accounts
const CLIENT_ID = 'insert_your_client_id';
const SERVICE_ACCOUNT_NAME = 'insert_your_service_account_name';

// Make sure you keep your key.p12 file in a secure location that isn't
// readable by others.
const KEY_FILE = '/super/secret/path/to/key.p12';

// Load the key in PKCS 12 format (you need to download this from the
// Google API Console when the service account is created).
$client = new apiClient();
...
$key = file_get_contents(KEY_FILE);
$client->setClientId(CLIENT_ID);
$client->setAssertionCredentials(new apiAssertionCredentials(
  SERVICE_ACCOUNT_NAME,
  array('https://www.googleapis.com/auth/prediction'),
  $key)
);
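
The advice to keep the key file in a safe place that others cannot read can be enforced in code before the key is loaded. The following is an added example, not code from the sample application or the client library; `loadProtectedKey()`, its document-root argument and the specific checks are assumptions, and it assumes a POSIX filesystem.

```php
<?php
// Added example, not part of the sample application. Assumes a POSIX
// filesystem; loadProtectedKey() and its arguments are illustrative names.
function loadProtectedKey($keyFile, $documentRoot)
{
    // Refuse a symlink as the final path component, then resolve the path.
    $real = is_link($keyFile) ? false : realpath($keyFile);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException("Key file missing or a symlink: $keyFile");
    }
    // A key under the document root can be downloaded by URL if the
    // web server ever serves that directory.
    $root = realpath($documentRoot);
    if ($root !== false
        && strpos($real, rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("Key file is inside the document root: $real");
    }
    // "Not readable by others": no permission bits for group or other.
    clearstatcache(true, $real);
    $mode = fileperms($real) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(
            sprintf('Key file mode %04o grants group/other access', $mode));
    }
    // The file should belong to the account PHP runs as.
    if (function_exists('posix_geteuid') && fileowner($real) !== posix_geteuid()) {
        throw new RuntimeException("Key file is not owned by the PHP user: $real");
    }
    return file_get_contents($real);
}

// Constructed demonstration: a placeholder key file and an empty stand-in
// document root, both created in the temp directory.
$docRoot = sys_get_temp_dir() . '/docroot-' . uniqid();
mkdir($docRoot, 0755);
$keyFile = tempnam(sys_get_temp_dir(), 'key');
file_put_contents($keyFile, 'constructed placeholder, not a real PKCS 12 key');

foreach (array(0644, 0600) as $mode) {
    chmod($keyFile, $mode);
    try {
        $key = loadProtectedKey($keyFile, $docRoot);
        printf("%04o: loaded %d bytes\n", $mode, strlen($key));
    } catch (RuntimeException $e) {
        printf("%04o: refused (%s)\n", $mode, $e->getMessage());
    }
}
unlink($keyFile);
rmdir($docRoot);
```

In serviceAccount.php the call would stand in for `file_get_contents(KEY_FILE)`, with the web server's document root passed as the second argument.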

There is a full sample of using the Prediction API with a Service account.

Learn more about Service accounts from the announcement.
