Google-api-php-client: Client is unauthorized to retrieve access tokens using this method.

Domain wide delegation can take up to 24 hours to kick in. So if 24 hours
haven't passed, this might be a propagation issue.

Francisco Morfín
Web Developer
https://mygapps.tools/
https://stackoverflow.com/users/5983596/morfinismo
https://twitter.com/morfinismo
https://plus.google.com/u/0/+FranciscoMorfin9

On Tue, Jan 30, 2018 at 3:54 AM, hfrid notifications@github.com wrote:

I have done the following:

1. Created a service account with Domain-wide Delegation, downloaded
   the corresponding .JSON
2. Setup https://mail.google.com/ permissions for the client-ID of the
   account created in step 1.
3. Installed v2.2.1 of google-api-php-client.

Trying to run the following code:

putenv('GOOGLE_APPLICATION_CREDENTIALS=service-account.json');
$client = new Google_Client();
$client->useApplicationDefaultCredentials();
$client->setScopes('https://mail.google.com');
$client->setSubject('[email protected]');

$google_mail = new Google_Service_Gmail($client);
$google_mail->users_messages->listUsersMessages('me');

Getting "Client is unauthorized to retrieve access tokens using this
method." error.. this is on a Ubuntu server 14.04.5 LTS and PHP 5.5.9
please advice!

—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/google/google-api-php-client/issues/1379, or mute
the thread
https://github.com/notifications/unsubscribe-auth/APwTbTyVJX9IlmKla5uPM3eS4mAnZh9bks5tPubNgaJpZM4RyC9b
.

Seems like my problem was resolved by adding more scopes to the google admin api rights:

https://mail.google.com/, https://www.googleapis.com/auth/email.migration, https://www.googleapis.com/auth/gmail.insert, https://www.googleapis.com/auth/gmail.labels

I'm facing this issue as well. I have followed the instructions on creating a service account, including allowing API access in Cloud Console and adding scopes.

I have tested the query in API Explorer, and confirmed that it only requires the scopes I have permitted it.

```$client = new \Google_Client();
$client->setApplicationName('My App');
$client->useApplicationDefaultCredentials();
$client->setSubject('[email protected]);
$client->setScopes([\Google_Service_Directory::ADMIN_DIRECTORY_USER_READONLY]);

// Option 1
$service = new \Google_Service_Directory($client);
$options = ['domain' => 'my.domain.com'];
$service->users->listUsers($options);

// Option 2
$httpClient = $client->authorize();
$httpClient->get('https://www.googleapis.com/admin/directory/v1/users?domain=my.domain.com');
```

With option 2, it errors out on making a POST request to https://oauth2.googleapis.com/token, but only on calling $httpClient->get(). An access token is successfully fetched, as is confirmed when I test with the $client->setTokenCallback() method.

Any help would be most welcome.

FTR, I had a similar issue with "Client is unauthorized to retrieve access tokens using this method." and the fix was to enter the Client ID (ie a number) and not the service account name ([email protected]) in the Client Access when authorizing the scopes.

@hfrid thx for sharing, after hours of fiddling around, the automatic service account email to id transform of the GSuite was the issue, after delete the record and adding the rule with the Client ID instead of the service account email solved my issue.

This was my issue as well -- I added the service account email as the client name instead of its "Unique ID". What is interesting is that when I used the email it correctly translated it to the unique ID, but only when I added the unique ID directly as the client name did it actually work.