I want my PHP web application to create spreadsheets in a specific google account (not arbitrary user's account, but a specific account of our company).
I have required the google/apiclient PHP client library. It is up and running.
I have those private methods in my controller:
private function getGoogleDriveService( string $scopes ) : \Google_Service_Drive
{
$client = $this->getClient( $scopes );
$service = new \Google_Service_Drive( $client );
return $service;
}
private function getClient( string $scopes ) : \Google_Client
{
$client = new \Google_Client();
$client->setApplicationName( 'My nice application name.' );
$client->setAuthConfig( $this->getSecretPath() );
$client->setScopes( $scopes );
$client->setAccessType( 'offline' );
return $client;
}
private function getSecretPath() : string
{
$projectDir = $this->get( 'kernel' )->getProjectDir();
$credentialsFullPath = $projectDir . '/app/config/googleApiSecret.json';
return $credentialsFullPath;
}
I call the getGoogleDriveService telling what scopes I want for the specific controller action, to create the Google Service. The service is created first by calling the getClient which returns an initialized \Google_Client object, which in turn gets the credentials.json path passed into it.
So far, so good. This works.
For example with a code like this:
$driveService = $this->getGoogleDriveService( \Google_Service_Drive::DRIVE );
$file = new \Google_Service_Drive_DriveFile();
$file->setName( 'My nice dummy file' );
$file->setMimeType( 'application/vnd.google-apps.spreadsheet' );
$file = $driveService->files->create( $file );
$feedbackMessage = sprintf( 'Created spreadsheet via DRIVE API with Id: %s', $file->id );
But handicap!! This is working as a "Service Account". It creates and modifies the files in some sort of "secret" place which is not visible from the Drive web frontend.
I have a user (call it for example alice@gmail.com) and this user is the one that created the "Service account". The credentials file contains some sort of "ficticious email address" more or less ressembling this: alice@my-nice-super-project.iam.gserviceaccount.com
The .json is more or less like this one:
{
"type": "service_account",
"project_id": "my-nice-super-project",
"private_key_id": "7777777777777788888888888888899999999999",
"private_key": "-----BEGIN PRIVATE KEY-----\nxxx[...]xxx==\n-----END PRIVATE KEY-----\n",
"client_email": "alice@my-nice-super-project.iam.gserviceaccount.com",
"client_id": "123456789123456789123",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://accounts.google.com/o/oauth2/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/alice%40my-nice-super-project.iam.gserviceaccount.com"
}
What happens is:
alice@gmail.com and I manually create the spreadsheet file Hello-1 then I cannot read it from the application.Hello-1 from the website logged in as alice@gmail.com and sharing it to alice@my-nice-super-project.iam.gserviceaccount.com, then I can read the file from the application. But I cannot delete it from the application.Hello-2 from the application, it's not visible from the alice@gmail.com web frontend.It seems that even if the Service Account was created from alice@gmail.com it works as a completely separated storage and the files from the "human Alice" and the "robot Alice" are treated as from different users.
What I want is that the application can read/write the files of alice@gmail.com WITHOUT prompting for OAuth permissions.
So, to be clear: I don't want my PHP web application to be able to "edit anyone's Drive with his consent", but what I want is that "anyone can edit Alice's Drive".
The reason behind is that we already own the Alice account and it is like the "central storage" for some documents.
Multiple agents in the company must be able to edit the content via the application and only the boss will be able to login via the Google Drive site. The agents won't have Alice password so they can't consent via OAuth. But the company owns the Alice account so we can enter there and create API Keys, and set them in the server.
I can manage to make the software work from the Service Account. But this is not what I want: I want that the software works "on Alice's documents", not on an "Alice Service Account's documents" as they seem they live in separate worlds.
I don't know how to initialize the
$service = new \Google_Service_Drive( $client );
so it works with Alice's files without OAuth consent.
alice@gmail.com using the service account.alice@gmail.com with the service account.For achieving above situation, I would like to propose the following methods. Please think of this as just one of several possible answers.
alice@gmail.com and sharing the folder with the service account.alice@gmail.com and sharing it with the service account.By above methods, the application can write and read the file of alice@gmail.com and alice@gmail.com can see the file in own account with the browser.
alice@gmail.com is different from the Drive of the service account. And the Drive of the service account cannot be directly seen by the browser. So in this method, the share is used.