google-auth-library-php

ServiceAccountJwtAccessCredentials example?

Open grandpaslab opened this issue 1 year ago • 4 comments

I'm attempting to use ServiceAccountJwtAccessCredentials to connect to a 3rd-party Google Cloud endpoint. AFAICT there's no example for using this class, and I haven't been able to get it to work. I've got a Python example working, so I know the audience and whatnot are correct. I've cobbled together some code based on the ServiceAccountCredentials example, but I can't tell what I'm doing wrong. The error I'm getting from the API is 401: "jwt is missing".

```php
$path = 'cred.json';
$sa = new ServiceAccountJwtAccessCredentials($path);

$metadata = $sa->updateMetadata(
    [
       'issuer' => '[email protected]',
       'client_email' => '[email protected]',
       'audience' => 'https://ham-sandwich.a.run.app'
    ],
    "https://accounts.google.com/o/oauth2/auth" # auth_uri
);

$middleware = new AuthTokenMiddleware($sa);
$stack = HandlerStack::create();
$stack->push($middleware);
$client = new Client([
    'handler' => $stack,
    'base_uri' => $BASE_URI,
    'auth' => 'google_auth'
]);

$res = $client->request('POST', $SERVICE_URI, [
    ['body' => json_encode($quote_data)]
]);
```

Can an example for using this class be added to the docs?

grandpaslab, May 08 '24 18:05

Hello @grandpaslab!

By any chance, have you had the opportunity to debug if the token is being sent to the 3rd party at all? Or is it completely missing?

Hectorhammett, Jun 14 '24 23:06

Hi @Hectorhammett,

Unfortunately no. I gave up and wrote a separate microservice in Python that just gets the JWT. Would've been nice to keep it in PHP, since this was for a WordPress integration, but I didn't have time to fight with it anymore.

grandpaslab, Jun 16 '24 22:06

That's weird, nothing stands out as being wrong with this. I wonder if the 3rd party was not sending the token to the Google API, but the mention that Python works makes me doubt that. I will take a deeper look and confirm if there is a bug in the code or not.

Thanks for the message!

Hectorhammett, Jun 27 '24 20:06

@grandpaslab The issue is that either a $scope or an $authUri is required to use the Self Signed JWTs, and since AuthTokenMiddleware does not pass in an $authUri (this may be something that Python does... if so we may be able to fix it...), you need to add scopes as the second argument when creating the ServiceAccountJwtAccessCredentials class if you want this to work:

```php
$path = 'cred.json';
$scope = 'https://www.googleapis.com/auth/cloud-platform';
$sa = new ServiceAccountJwtAccessCredentials($path, $scope);
```

Additionally, you seem to be calling updateMetadata for no reason.

I am curious what the behavior of Python is, as we typically try to have feature and behavior parity with their implementation. Would you be able to provide us with a sample of what you're doing?

bshaffer, Jul 02 '24 15:07
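
One way to check offline whether the token is being sent at all, as asked earlier in the thread. This is an added example, not code from the issue or from the library's documentation. It pushes Guzzle's history middleware after AuthTokenMiddleware and inspects the Authorization header with and without the `$scope` argument. The generated RSA key, `sa@example.invalid`, the `service.example.invalid` URL, the mocked handler and the `sentJwtClaims` helper are assumptions made for the demonstration.

```php
<?php
// Added example (not from the thread or the library's docs).
// Assumes: composer require google/auth guzzlehttp/guzzle, and ext-openssl.
require 'vendor/autoload.php';

use Google\Auth\Credentials\ServiceAccountJwtAccessCredentials;
use Google\Auth\Middleware\AuthTokenMiddleware;
use GuzzleHttp\Client;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Middleware;
use GuzzleHttp\Psr7\Response;

// Constructed throwaway key and placeholder identity, standing in for cred.json.
$pkey = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pkey, $pem);
$key = ['client_email' => 'sa@example.invalid', 'private_key' => $pem];

/** Send one mocked request; return the attached JWT's claims, or null if none was sent. */
function sentJwtClaims(array $key, ?string $scope): ?array
{
    $history = [];
    $stack = HandlerStack::create(new MockHandler([new Response(200)])); // no network I/O
    $stack->push(new AuthTokenMiddleware(new ServiceAccountJwtAccessCredentials($key, $scope)));
    $stack->push(Middleware::history($history)); // pushed last: records the request as sent

    $client = new Client(['handler' => $stack, 'auth' => 'google_auth']);
    // Placeholder URL; the MockHandler answers, so nothing leaves the machine.
    $client->request('POST', 'https://service.example.invalid/', ['body' => '{}']);

    $header = $history[0]['request']->getHeaderLine('Authorization');
    if (!preg_match('/^Bearer\s+[\w-]+\.([\w-]+)\.[\w-]+$/', $header, $m)) {
        return null; // header absent, or "Bearer" with an empty token
    }
    // Decode the base64url payload for inspection only; this does not verify the signature.
    return json_decode(base64_decode(strtr($m[1], '-_', '+/')), true);
}

$cases = ['without scope' => null, 'with scope' => 'https://www.googleapis.com/auth/cloud-platform'];
foreach ($cases as $label => $scope) {
    $claims = sentJwtClaims($key, $scope);
    echo $label, ': ', $claims === null
        ? "no JWT in the Authorization header\n"
        : 'JWT sent with claims ' . implode(', ', array_keys($claims)) . "\n";
}
```

To test a real setup, replace the constructed `$key` with the path to the service account JSON file and keep the MockHandler, so the signed token is never transmitted while debugging.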