I want my PHP web application to create spreadsheets in a specific google account (not arbitrary user's account, but a specific account of our company).
I have required the google/apiclient PHP client library. It is up and running.
I have those private methods in my controller:
private function getGoogleDriveService( string $scopes ) : \Google_Service_Drive
{
$client = $this->getClient( $scopes );
$service = new \Google_Service_Drive( $client );
return $service;
}
private function getClient( string $scopes ) : \Google_Client
{
$client = new \Google_Client();
$client->setApplicationName( 'My nice application name.' );
$client->setAuthConfig( $this->getSecretPath() );
$client->setScopes( $scopes );
$client->setAccessType( 'offline' );
return $client;
}
private function getSecretPath() : string
{
$projectDir = $this->get( 'kernel' )->getProjectDir();
$credentialsFullPath = $projectDir . '/app/config/googleApiSecret.json';
return $credentialsFullPath;
}
I call the getGoogleDriveService telling what scopes I want for the specific controller action, to create the Google Service. The service is created first by calling the getClient which returns an initialized \Google_Client object, which in turn gets the credentials.json path passed into it.
So far, so good. This works.
For example with a code like this:
$driveService = $this->getGoogleDriveService( \Google_Service_Drive::DRIVE );
$file = new \Google_Service_Drive_DriveFile();
$file->setName( 'My nice dummy file' );
$file->setMimeType( 'application/vnd.google-apps.spreadsheet' );
$file = $driveService->files->create( $file );
$feedbackMessage = sprintf( 'Created spreadsheet via DRIVE API with Id: %s', $file->id );
But handicap!! This is working as a "Service Account". It creates and modifies the files in some sort of "secret" place which is not visible from the Drive web frontend.
I have a user (call it for example [email protected]) and this user is the one that created the "Service account". The credentials file contains some sort of "ficticious email address" more or less ressembling this: [email protected]
The .json is more or less like this one:
{
"type": "service_account",
"project_id": "my-nice-super-project",
"private_key_id": "7777777777777788888888888888899999999999",
"private_key": "-----BEGIN PRIVATE KEY-----\nxxx[...]xxx==\n-----END PRIVATE KEY-----\n",
"client_email": "[email protected]",
"client_id": "123456789123456789123",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/alice%40my-nice-super-project.iam.gserviceaccount.com"
}
What happens is:
[email protected] and I manually create the spreadsheet file Hello-1 then I cannot read it from the application.Hello-1 from the website logged in as [email protected] and sharing it to [email protected], then I can read the file from the application. But I cannot delete it from the application.Hello-2 from the application, it's not visible from the [email protected] web frontend.It seems that even if the Service Account was created from [email protected] it works as a completely separated storage and the files from the "human Alice" and the "robot Alice" are treated as from different users.
What I want is that the application can read/write the files of [email protected] WITHOUT prompting for OAuth permissions.
So, to be clear: I don't want my PHP web application to be able to "edit anyone's Drive with his consent", but what I want is that "anyone can edit Alice's Drive".
The reason behind is that we already own the Alice account and it is like the "central storage" for some documents.
Multiple agents in the company must be able to edit the content via the application and only the boss will be able to login via the Google Drive site. The agents won't have Alice password so they can't consent via OAuth. But the company owns the Alice account so we can enter there and create API Keys, and set them in the server.
I can manage to make the software work from the Service Account. But this is not what I want: I want that the software works "on Alice's documents", not on an "Alice Service Account's documents" as they seem they live in separate worlds.
I don't know how to initialize the
$service = new \Google_Service_Drive( $client );
so it works with Alice's files without OAuth consent.
[email protected] using the service account.[email protected] with the service account.For achieving above situation, I would like to propose the following methods. Please think of this as just one of several possible answers.
[email protected] and sharing the folder with the service account.[email protected] and sharing it with the service account.By above methods, the application can write and read the file of [email protected] and [email protected] can see the file in own account with the browser.
[email protected] is different from the Drive of the service account. And the Drive of the service account cannot be directly seen by the browser. So in this method, the share is used.