Hi Julian,

You've produced an excellent post which would belong on stackoverflow.com. 
Google Groups isn't the place to post specific technical issues, as this 
forum is meant more for general discussion of the platform and services. 

I'll give you the advice before you post there that it seems you've 
combined examples from different kinds of OAuth flow and this might be the 
cause of your issues. I see that there's a variable "emailScope" - this is 
a scope which a user would actually grant to your application, not one 
which a service account could grant. 

The service account and its credentials are used to call APIs on behalf of 
your application, although I don't think I've seen this pattern before, 
where you want to call an endpoint on your own app using a service account. 
As far as I know, service accounts have only been used to authenticate with 
Google APIs, although I suppose it might be possible to write an endpoint 
which correctly authenticates it.

You could do some more reading on OAuth2 
<https://developers.google.com/identity/protocols/OAuth2>, OpenID Connect 
<https://developers.google.com/identity/protocols/OpenIDConnect?hl=en>, Service 
Accounts 
<https://developers.google.com/identity/protocols/OAuth2ServiceAccount>, 
and the Google Identity Platform <https://developers.google.com/identity/>, 
and try to repost your question to stackoverflow.com. That would be the 
best action as there are many more users there ready to help with a 
technical question.

If you would like to open a thread in this forum discussing the platform or 
services in more broad terms, starting a discussion that would be useful 
for other users to join in to, feel free to do so.

Have a great day!


On Wednesday, August 5, 2015 at 1:32:41 AM UTC-4, Julian Bunn wrote:
>
> I have a GAE application with an endpoint that requires authentication, 
> which I need to call from an application (rather than from in a browser). I 
> was using ClientLogin, but that is now obsolete, so I have set up a Service 
> Account in the Google Console, and stored its keypair .p12 file so that I 
> can use the OAuth methods as described in the documentation.
>
> Although the GoogleCredential builder successfully returns an 
> authorization token, if I then use that token in an HTTP get call to the 
> endpoint, the response is always the Google Login page.
>
> Why, if I use the token, does GAE not take my application call as 
> authorized? Am I doing this all wrong or missing a step? 
>
> Here is the code:
>
>     String emailAddress = "xxxxx...@developer.gserviceaccount.com";
>     JsonFactory JSON_FACTORY = JacksonFactory.getDefaultInstance();
>     String emailScope = "https://www.googleapis.com/auth/userinfo.email";
>     String keyFileName = "YYYYY.p12";
>     String baseURL = "http://ZZZZZ.appspot.com";
>     HttpTransport httpTransport;
>     try {
>         httpTransport = GoogleNetHttpTransport.newTrustedTransport();
>
>         File keyFile = new File(keyFileName);
>         if(!keyFile.exists()) {
>             System.err.println("Key file "+keyFileName+" missing");
>             System.exit(0);
>         }
>
>         GoogleCredential credential = new GoogleCredential.Builder()
>         .setTransport(httpTransport)
>         .setJsonFactory(JSON_FACTORY)
>         .setServiceAccountId(emailAddress)
>         .setServiceAccountScopes(Collections.singleton(emailScope))
>         .setServiceAccountPrivateKeyFromP12File(keyFile)
>         .build();
>
>         boolean success = credential.refreshToken();
>         System.out.println("Access token refresh "+ success);
>
>         String token = credential.getAccessToken();
>
>         System.out.println("Token "+token);
>
>         String uri = "http://ZZZZZ.appspot.com/gcm/home";
>
>         System.out.println("uri: " + uri);
>
>         HttpGet get = new HttpGet(uri);
>         get.setHeader("Cookie", token);
>
>         HttpClient client = new DefaultHttpClient();
>         HttpResponse response = client.execute(get);
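>         response.getEntity().writeTo(System.out);
>     } catch (Exception e) {
>         // Close the try block opened above; report any transport or credential failure.
>         e.printStackTrace();
>     }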
>
> Typical output:
>
>    Access token refresh true
>    Token ya29.xQGG1kxxxxxxxxxxxxxxxxxxx
>    uri: http://ZZZZZ.appspot.com/gcm/home
>
>    <!DOCTYPE html>
>    <html lang="en">
>       <head>
>       <meta charset="utf-8">
>       <meta content="width=300, initial-scale=1" name="viewport">
>       <meta name="google-site-verification" content="LrdTUW9psUAMbh4Ia074-BPEVmcpBxF6Gwf0MSgQXZs">
>       <title>Sign in - Google Accounts</title>
>       .....
>
>
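
The reply notes that an endpoint could be written to authenticate a service account itself. A sketch of that server-side check, added here as an example (not code from the post or from Google's libraries): it reads the token from an RFC 6750 `Authorization: Bearer` header, where the posted client used a `Cookie` header, and accepts the caller only if the token's introspected claims match an allow-listed service account. The claim names, `ALLOWED_CALLER` and all sample values are assumptions constructed for the example.

```java
import java.time.Instant;
import java.util.Arrays;
import java.util.Map;
import java.util.Optional;

public class ServiceAccountTokenCheck {
    // Hypothetical allow-list entry and scope; substitute your own values.
    static final String ALLOWED_CALLER = "caller@example-project.iam.gserviceaccount.com";
    static final String REQUIRED_SCOPE = "https://www.googleapis.com/auth/userinfo.email";

    /** Returns the token from an "Authorization: Bearer <token>" header value, if well formed. */
    static Optional<String> bearerToken(String headerValue) {
        if (headerValue == null) return Optional.empty();
        String[] parts = headerValue.trim().split("\\s+", 2);
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Bearer")) return Optional.empty();
        return Optional.of(parts[1]);
    }

    /** Accepts only unexpired tokens issued to the allow-listed account with the required scope. */
    static boolean isAuthorized(Map<String, String> claims, Instant now) {
        String exp = claims.get("exp");
        if (exp == null || !exp.matches("\\d{1,12}")) return false;      // missing or malformed expiry
        if (!Instant.ofEpochSecond(Long.parseLong(exp)).isAfter(now)) return false; // expired
        if (!"true".equals(claims.get("email_verified"))) return false;
        if (!ALLOWED_CALLER.equals(claims.get("email"))) return false;   // wrong identity
        return Arrays.asList(claims.getOrDefault("scope", "").split(" ")).contains(REQUIRED_SCOPE);
    }

    public static void main(String[] args) {
        Instant now = Instant.ofEpochSecond(1_438_750_000L); // fixed clock so the demo is repeatable
        // Constructed claims, shaped like what a token-introspection call would return.
        Map<String, String> good = Map.of("email", ALLOWED_CALLER, "email_verified", "true",
                "scope", REQUIRED_SCOPE, "exp", "1438753600");
        Map<String, String> expired = Map.of("email", ALLOWED_CALLER, "email_verified", "true",
                "scope", REQUIRED_SCOPE, "exp", "1438740000");
        Map<String, String> stranger = Map.of("email", "someone@example.com", "email_verified", "true",
                "scope", REQUIRED_SCOPE, "exp", "1438753600");

        System.out.println("bearer header parsed: " + bearerToken("Bearer constructed-token").isPresent());
        System.out.println("missing header parsed: " + bearerToken(null).isPresent());
        System.out.println("good: " + isAuthorized(good, now));
        System.out.println("expired: " + isAuthorized(expired, now));
        System.out.println("stranger: " + isAuthorized(stranger, now));
    }
}
```

In a real endpoint the claims would come from validating the token with its issuer, and the request should go over https, since a bearer token authorizes whoever holds it.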
