Service Applications and Google Analytics API V3: Server-to-server OAuth2 authentication?

UPDATE July 21st, 2012

Google Analytics API V3 now supports OAuth2 tokens returned by a .p12-signed JWT request. That is, we can now use the Analytics API w/ service accounts.

Currently pulling 4 years of day-by-day metrics, just for the hell of it.

Here's a quick 'n' dirty step-by-step:

1. Go to the Google API Console and create a new app

2. In the Services tab, flip the Google Analytics switch

3. In the API Access tab, click Create an OAuth2.0 Client ID

   • enter your name, upload a logo, and click Next

   • select the Service account option and press Create client ID

   • download your private key

4. Now you're back on the API Access page. You'll see a section called Service account with a Client ID and Email address

   • Copy the email address (something like ####@developer.gserviceaccount.com)

   • Visit your GA Admin and add this email as a user to your properties

   • This is a must; you'll get cryptic errors otherwise.

5. Get the latest Google PHP Client API via Github

   git submodule add https://github.com/google/google-api-php-client.git google-api-php-client-read-only

6. Rock 'n' roll (thanks all for tips on updated class names):

   // api dependenciesrequire_once(PATH_TO_API . 'Google/Client.php');require_once(PATH_TO_API . 'Google/Service/Analytics.php');// create client object and set app name$client = new Google_Client();$client->setApplicationName(APP_NAME); // name of your app// set assertion credentials$client->setAssertionCredentials(  new Google_Auth_AssertionCredentials(    APP_EMAIL, // email you added to GA    array('https://www.googleapis.com/auth/analytics.readonly'),    file_get_contents(PATH_TO_PRIVATE_KEY_FILE)  // keyfile you downloaded));// other settings$client->setClientId(CLIENT_ID);           // from API console$client->setAccessType('offline_access');  // this may be unnecessary?// create service and get data$service = new Google_Service_Analytics($client);$service->data_ga->get($ids, $startDate, $endDate, $metrics, $optParams);

_{original workaround below}

It seems that, despite ambiguous documentation, most Google APIs do not support service accounts yet, including Google Analytics. They cannot digest OAuth2 tokens returned by a .p12 signed JWT request. So, as of right now, you cannot use Google Analytics API V3 with a service account.

Workaround:

1. In the Google API console, create a client application.

2. Follow the steps in the Google PHP Client API examples to generate a client_auth_url using your client_id, client_secret, and redirect_uri

3. Login to Google using cURL. (Be sure to use a cookie file!)

4. Open the client_auth_url in cURL and complete the form. Make sure you set curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0); and curl_setopt($ch, CURLOPT_HEADER, 1); as the authorization_code will be in the Location: header of the response.

5. Using your client_id, client_secret, redirect_uri, and the activation code from Step 4, post a request to the Google's OAuth2 Token machine. Make sure you include grant_type = "authorization_code" in your post fields.

6. Hurray, you now have a refresh_token that never expires, and a working access_token! Post a request to the Google's OAuth2 Token machine with your client_id, client_secret, redirect_uri, and refresh_token when your access_token expires and you'll get a new one.

The Google API PHP Client now supports service accounts on trunk.

The implementation hasn't been released yet, so you'll need to checkout the latest version of the PHP client.

I've prepared a sample application that demonstrates how you can use service accounts to hit the Google Prediction API.To view the example, take a peek at examples/prediction/serviceAccount.php or visit:http://code.google.com/p/google-api-php-client/source/browse/trunk/examples/prediction/serviceAccount.php

If you are using Google's PHP client API then go to the Google API Console and click on API Access on the left.

Then Create a Client ID. That will give you the secret and it is where you set your redirect URL. It won't give you a redirect URL - that is the URL the app sends the user back to after authenticating.

There are other authentication methods you can look at.