
Use service account to verify Google InAppPurchase


I want to verify an inAppPurchase that has been made in my Android app.

  1. I created a new service account in the Google API console.

    a. The service account is listed under permissions and has "can view" permission

  2. I'm using the most current version of https://github.com/google/google-api-php-client

  3. code snippet from my PHP script:

    $client = new Google_Client();
    $client->setApplicationName('myAppName' );
    $client->setClientId('123456789123-vxoasdt8qwe6awerc9ysdfmjysdfysf64werweria8fh.apps.googleusercontent.com');
    $key = file_get_contents('/shr/data/stor/b516cexx3123asdf3988345d8133e7f86bfas2553-privatekey.p12');
    $service_account_name = '123456789123-vxoasdt8qwe6awerc9ysdfmjysdfysf64werweria8fh@developer.gserviceaccount.com';
    
    $client->setScopes(array('https://www.googleapis.com/auth/androidpublisher') );
    $cred = new Google_Auth_AssertionCredentials( $service_account_name, array('https://www.googleapis.com/auth/androidpublisher'), $key );
    $client->setAssertionCredentials($cred);
    
    try {
        $service = new Google_Service_AndroidPublisher( $client );
        $googleApiResult = $service->inapppurchases->get($externalAppId, $externalProductId, $purchaseToken);
    } catch (Exception $e) {
        var_dump( $e->getMessage() );
    }
    
  4. Response from Google:

    GET https://www.googleapis.com/androidpublisher/v1.1/applications/de.test.myapp/inapp/de.test.inapp.google.balance5eur/purchases/[PURCHASETOKEN]: (401) The current user has insufficient permissions to perform the requested operation.

    [PURCHASETOKEN] is the purchase token I received from Google

  5. Setting $cred->sub = '[email protected]' to my mail address brings up

    Error refreshing the OAuth2 token, message: '{ "error": "unauthorized_client", "error_description": "Unauthorized client or scope in request." }'


Solution

  • You must connect your API with your app. Go to your Google Play publish page (https://play.google.com/apps/publish) and invite a user with the service account email in Settings->User account & rights->Invite new user and give it the privileges of "View financial reports".

    This means that, whereas you normally might see a number of users from your domain listed in the Google Play Console (Email: [email protected], Role: Finance; Email: [email protected], Role: Administrator), you will now add another user and give him a Finance role (Email: [email protected], Role: Finance).
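
A server-side check built on the same classes as the question, shown here as an added example (not the asker's or the library's own code): it omits `sub`, logs API errors instead of dumping them to the response, and accepts a purchase only when Google confirms it. The function names, the Composer autoload path, and the reading of `purchaseState` 0 as "purchased" are assumptions.

```php
<?php
// Added example. Assumption: google-api-php-client 1.x installed via Composer.
require_once __DIR__ . '/vendor/autoload.php';

function buildPublisherService($serviceAccountEmail, $p12Path)
{
    $key = file_get_contents($p12Path);
    if ($key === false) {
        throw new RuntimeException('Cannot read service account key');
    }
    $client = new Google_Client();
    $client->setApplicationName('myAppName');
    // $cred->sub is left unset: the service account authenticates as itself,
    // the identity that was invited in the Play Console.
    $cred = new Google_Auth_AssertionCredentials(
        $serviceAccountEmail,
        array('https://www.googleapis.com/auth/androidpublisher'),
        $key
    );
    $client->setAssertionCredentials($cred);
    return new Google_Service_AndroidPublisher($client);
}

// Returns array($isValid, $reason). Any error means "not verified" (fail closed).
function verifyPurchase($service, $packageName, $productId, $purchaseToken)
{
    try {
        $purchase = $service->inapppurchases->get($packageName, $productId, $purchaseToken);
    } catch (Google_Auth_Exception $e) {
        // Token request rejected, e.g. the "unauthorized_client" error from step 5.
        error_log('androidpublisher auth failed: ' . $e->getMessage());
        return array(false, 'auth_error');
    } catch (Google_Service_Exception $e) {
        // 401 here is the "insufficient permissions" response from step 4.
        error_log('androidpublisher API error ' . $e->getCode() . ': ' . $e->getMessage());
        return array(false, $e->getCode() == 401 ? 'service_account_not_authorized' : 'api_error');
    } catch (Exception $e) {
        error_log('androidpublisher unexpected error: ' . $e->getMessage());
        return array(false, 'error');
    }
    // Assumption: in the v1.1 response, purchaseState 0 means purchased.
    if ((int) $purchase->getPurchaseState() !== 0) {
        return array(false, 'not_purchased');
    }
    return array(true, 'ok');
}
```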