
Use the Chrome Store Publishing API with OAuth2 Service Account


I try to update a chrome app programmatically by using the Chrome Web Store Publishing API.

I need to use a server-to-server authentication method and therefore created an OAuth2 service account on the Google developer console for my project, and downloaded the credentials as key.p12.

I then try to use the Google API Client for Python. Even though the API does not support the Chrome Web Store, it should be possible to use parts of it.

I created a small script in Python to try to get a list of my Chrome Web Store items:

"""Creates a connection to Google Chrome Webstore Publisher API."""

from apiclient.discovery import build
import httplib2
from oauth2client import client

import os

SERVICE_ACCOUNT_EMAIL = (
    '[email protected]')

def getservice():
  # get relative path to p12 key
  dir = os.path.dirname(__file__)
  filename = os.path.join(dir, 'key.p12')

  # Load the key in PKCS 12 format that you downloaded from the Google APIs
  # Console when you created your Service account.
  with open(filename, 'rb') as f:
    key = f.read()

  # Create an httplib2.Http object to handle our HTTP requests and authorize it
  # with the Credentials. Note that the first parameter, service_account_name,
  # is the Email address created for the Service account. It must be the email
  # address associated with the key that was created.
  credentials = client.SignedJwtAssertionCredentials(
      SERVICE_ACCOUNT_EMAIL,
      key,
      scope='https://www.googleapis.com/auth/chromewebstore.readonly')
  http = httplib2.Http()
  http = credentials.authorize(http)

  response = http.request('https://www.googleapis.com/chromewebstore/v1.1/items/[___my_chrome_webstore_app_id___]')

  print(response)

Even though the authentication towards https://www.googleapis.com/auth/chromewebstore.readonly is successful, the response results in a 403 error.

My questions:

  1. Does the 403 occur because the service account does not have access to my Google Chrome Web Store items?
  2. Is it possible to authenticate and use the Chrome Store API without using my personal account, that publishes into the web store (but the connected service account)?
  3. How could I retrieve a valid authToken to use for the Chrome Web Store API without having a user to authenticate through the flow?

Solution

  • There were actually two problems with my script.

    1. User

      a) To get the service account to act on behalf of the user, who published an item to the chrome web store, you need to add a sub parameter, when creating the credentials:

      credentials = client.SignedJwtAssertionCredentials(
          SERVICE_ACCOUNT_EMAIL,
          key,
          scope='https://www.googleapis.com/auth/chromewebstore.readonly',
          sub='[email protected]')

      b) If the user is part of a Google Apps Domain, the Chrome Web Store Publish API needs to be granted access to domain wide users at the Google Apps Dashboard > Security > Extended Settings > Manage API access

    2. The API call to get an item has a required query parameter projection with the values draft or published. It's stated as optional in the documentation, but it's actually required.

    With these two changes, the API can be used with the http object. Thanks to all of you, who helped me find the solution, and to Google support, who pointed out the parameter to be required.
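
What the two fixes look like on the wire, as an added example that is not part of the original post: the JWT claim set a service account signs once it carries `sub`, and the item URL with `projection`. It uses only the standard library and stops before the RS256 signature; the helper names, the token endpoint constant and the example.com addresses are assumptions.

```python
import base64
import json
import time
from urllib.parse import quote, urlencode

TOKEN_URI = "https://oauth2.googleapis.com/token"  # assumed token endpoint (aud)
SCOPE = "https://www.googleapis.com/auth/chromewebstore.readonly"
ITEMS_URL = "https://www.googleapis.com/chromewebstore/v1.1/items/"

def b64url(data):
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwt_signing_input(service_account, publisher, now=None, lifetime=3600):
    """Return 'header.claims', the string the service-account key signs."""
    if not publisher:
        raise ValueError("sub is required to act on behalf of the publishing user")
    if not 0 < lifetime <= 3600:
        raise ValueError("assertion lifetime must be at most one hour")
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": service_account,  # the identity that signs the assertion
        "sub": publisher,        # the user the access token is issued for
        "scope": SCOPE,
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + lifetime,
    }
    return ".".join(b64url(json.dumps(p, sort_keys=True).encode()) for p in (header, claims))

def decode_claims(signing_input):
    """Decode the claims segment, e.g. to audit which user is impersonated."""
    segment = signing_input.split(".")[1]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def item_url(item_id, projection):
    """Build the items.get URL, treating projection as mandatory."""
    if projection not in ("draft", "published"):
        raise ValueError("projection must be 'draft' or 'published'")
    return ITEMS_URL + quote(item_id, safe="") + "?" + urlencode({"projection": projection})

if __name__ == "__main__":  # constructed addresses and item id, not real accounts
    s = jwt_signing_input("svc@example-project.iam.gserviceaccount.com", "publisher@example.com")
    print(decode_claims(s)["sub"], item_url("ITEM_ID_PLACEHOLDER", "draft"))
```

Because `sub` lets whoever holds the key obtain tokens as that user, the decoded claims are worth recording when reviewing which service accounts have domain-wide delegation.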