Google-cloud-php: using oauth

Created on 9 Feb 2017  路  6Comments  路  Source: googleapis/google-cloud-php

Hello all,

I'm not sure how to authenticate users with this lib using oauth.
I've been building an app to communicate with GC Storage and I started with storage-getting-started-php.

Everything was coming up nicely until I realized that that project is using google-api-php-client instead of, well, this one google-cloud-php.

In the README.md file of google-api-php-client says I should be using this one if I'm looking to call the Cloud Platform APIs, so I decided to switch to this one. After switching to this one, I got the service account credentials working nicely and I can request bucket and objects information but I don't seem to find any info on how to implement user authentication, which the other repository was using.

Without user authentication, I can only get objects from the bucket if "user=>allUsers" as read permissions, which is something I don't want to have.

Can I use user authentication with this lib? Or do I have to import a different lib on top of it? Or ultimately go back to the original google-php api I was using intially.

Thank you!

core auth p2 question

Most helpful comment

Hey there @ammopt!

We don't have official support for an oauth workflow in this library yet, the main focus has been service accounts - but I believe it is still possible to achieve what you're looking for. :)

I used the PHP league's oauth2 google provider to get things up and running. Please note that the provider requires PHP >= 5.6, and if you prefer the google PHP auth library does include an OAuth2 class which can achieve the same goal without an additional dependency.

Here is a very basic example just to outline it should be possible:

<?php

require 'vendor/autoload.php';

use League\OAuth2\Client\Provider\Google as GoogleProvider;
use Google\Cloud\Storage\StorageClient;

$provider = new GoogleProvider([
    'clientId'     => 'yourClientId',
    'clientSecret' => 'yourClientSecret',
    'redirectUri'  => 'http://localhost:8080/app.php',
    'hostedDomain' => 'https://localhost:8080',
]);

if (empty($_GET['code'])) {
    $authUrl = $provider->getAuthorizationUrl([
        'scope' => [StorageClient::FULL_CONTROL_SCOPE]
    ]);
    header('Location: ' . $authUrl);
}

$token = $provider->getAccessToken('authorization_code', [
    'code' => $_GET['code']
]);

$accessToken = $token->getToken();

if (!$accessToken) {
    die('Something went south!');
}

$storage = new StorageClient([
    'projectId' => 'yourProject',
    'accessToken' => $accessToken
]);

foreach ($storage->buckets() as $bucket) {
   echo $bucket->name() . PHP_EOL;
}

/cc @jgeewax @omaray @bshaffer @tmatsuo @michaelbausor

Do you guys have an opinion as to whether or not we should officially support oauth workflows? I spoke with @stephenplusplus and it appears we don't do so for node at the moment either. Could this be valuable across all the google-cloud-* libraries?

All 6 comments

Hey there @ammopt!

We don't have official support for an oauth workflow in this library yet, the main focus has been service accounts - but I believe it is still possible to achieve what you're looking for. :)

I used the PHP league's oauth2 google provider to get things up and running. Please note that the provider requires PHP >= 5.6, and if you prefer the google PHP auth library does include an OAuth2 class which can achieve the same goal without an additional dependency.

Here is a very basic example just to outline it should be possible:

<?php

require 'vendor/autoload.php';

use League\OAuth2\Client\Provider\Google as GoogleProvider;
use Google\Cloud\Storage\StorageClient;

$provider = new GoogleProvider([
    'clientId'     => 'yourClientId',
    'clientSecret' => 'yourClientSecret',
    'redirectUri'  => 'http://localhost:8080/app.php',
    'hostedDomain' => 'https://localhost:8080',
]);

if (empty($_GET['code'])) {
    $authUrl = $provider->getAuthorizationUrl([
        'scope' => [StorageClient::FULL_CONTROL_SCOPE]
    ]);
    header('Location: ' . $authUrl);
}

$token = $provider->getAccessToken('authorization_code', [
    'code' => $_GET['code']
]);

$accessToken = $token->getToken();

if (!$accessToken) {
    die('Something went south!');
}

$storage = new StorageClient([
    'projectId' => 'yourProject',
    'accessToken' => $accessToken
]);

foreach ($storage->buckets() as $bucket) {
   echo $bucket->name() . PHP_EOL;
}

/cc @jgeewax @omaray @bshaffer @tmatsuo @michaelbausor

Do you guys have an opinion as to whether or not we should officially support oauth workflows? I spoke with @stephenplusplus and it appears we don't do so for node at the moment either. Could this be valuable across all the google-cloud-* libraries?

Hello @dwsupplee !

Thank you so much for your detailed reply.
From my understanding, the standard use case in using an API to work with GCS is for applications storing and managing digital objects themselves, this is probably the reason oauth isn't (or hasn't been) considered, correct me if I'm wrong though.
However, the app I'm building is a web-app bucket browser that allows the user (upon authentication) to browse the contents of a bucket, view the objects' metadata and upload/download from a specific prefix (emulating folders).

I installed league/oauth2-google, gave it a whirl and adapted the code to provide a link to authentication and it's working, the request for objects is only returning successfully if the user has access to the bucket and I've been able to get to the point where I was (regarding authentication), using the former API.
I don't mind having to require an additional library, although it'd be better to have it all in one, I guess.

I look forward to see if you guys decide to support this officially and eventually contribute however I can.

Thank you.

@dwsupplee Sorry for the late reply, but I would defer 3 legged OAuth flow to other libraries as long as you can inject the auth token from that flow.

@dwsupplee @jdpedrie Perhaps we can make a decision to either close this issue, or otherwise move it into the feature request wiki?

Given that we do provide an OAuth2 implementation in the auth library, I believe this would be safe to close out. As a nice to have feature, perhaps we could add documentation about how to easily integrate this into your workflow.

Hi,

I am also planning to have this for Analytics Data API (GA4).

Is this applicable if I can use the oauth token generated from google oauth lib?

Thanks,

Was this page helpful?
0 / 5 - 0 ratings