Search code examples
authenticationgoogle-oauthandroid-inapp-purchaseserver-to-server

Android publisher permission Denied only check payment(other api successfully)

I'm trying to call api Purchases.products: get to verify your purchase it yields such a result

{
 "error": {
  "errors": [
   {
    "domain": "androidpublisher",
    "reason": "permissionDenied",
    "message": "The current user has insufficient permissions to perform the requested operation."
   }
  ],
  "code": 401,
  "message": "The current user has insufficient permissions to perform the requested operation."
 }
}
  • the project is tied properly
  • A new service account with owner rights has been created
  • This service account has been granted rights in the google play console

Documentation here says what you can do

the received token does not work only for purchase checks for any other api it returns the result(Inappproducts: list is work)

The verification url is built right because if you get a token client to server then this api works too - but I need a server to server auth

scopes =  ['https://www.googleapis.com/auth/androidpublisher']
authorization = Google::Auth.get_application_default(scopes)

uri = "https://www.googleapis.com/androidpublisher/v3/applications/#{ENV['ANDROID_PACKAGE_NAME']}/purchases/products/#{purchasable.purchase_uuid}/tokens/#{purchase_token}?access_token=#{authorization.fetch_access_token!['access_token']}"

response = RestClient::Request.execute method: :get,
                                           url: uri,
                                           headers: {'Content-Type':'application/json'}

and


file = File.read('config/google_key.json')
values = JSON.parse(file)


oauth = Signet::OAuth2::Client.new(
          issuer:               values[:client_email]",
          audience:             "https://www.googleapis.com/oauth2/v4/token",
          scope:                "https://www.googleapis.com/auth/androidpublisher",
          client_id:            values[:client_id],
          signing_key:          OpenSSL::PKey::RSA.new(values[:private_key]),
      )

      jwt = oauth.to_jwt

      url = "https://www.googleapis.com/oauth2/v4/token"
      begin
        response = RestClient::Request.execute method: :post,
                                               url: url,
                                               headers: {'Content-Type': 'application/json'},
                                               payload: {
                                                   grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
                                                   assertion: jwt
                                               }

        result =  JSON.parse response.body
      rescue => e
        puts e.response.to_str
        result =  JSON.parse(e.response.to_s)
      end

I expect this result

update 1

add tokeninfo

Solution

  • I love google.

    after 7 days with my first service account it worked - but 7 days !!!! 7 days !!!! it's just horror

    Guys in Google you need 7 days to give access to api!! - this is ridiculous

    Okay, you need to do this to get access

    • create service account in google cloud (admin rights)
    • create google play console and link project google cloud
    • add email service account in google play console
    • after 1 week it will work