php - Use service account to verify Google InAppPurchase

Question

I've tried so many things in the last days but now I'm out of ideas :(

I want to verify an inAppPurchase that has been made in my android app.

1) I created a new service account in the google API console.

1a) The service account is listed unter permissions and has "can view" permission

2) I'm using the most current version of https://github.com/google/google-api-php-client

3) code snippet from my PHP script:

$client = new Google_Client(); 
$client->setApplicationName('myAppName' );
$client->setClientId('123456789123-vxoasdt8qwe6awerc9ysdfmjysdfysf64werweria8fh.apps.googleusercontent.com');
$key = file_get_contents('/shr/data/stor/b516cexx3123asdf3988345d8133e7f86bfas2553-privatekey.p12');
$service_account_name = '123456789123-vxoasdt8qwe6awerc9ysdfmjysdfysf64werweria8fh@developer.gserviceaccount.com';

$client->setScopes(array('https://www.googleapis.com/auth/androidpublisher') );
$cred = new Google_Auth_AssertionCredentials( $service_account_name, array('https://www.googleapis.com/auth/androidpublisher'), $key );
$client->setAssertionCredentials($cred);

try {  
    $service = new Google_Service_AndroidPublisher( $client ); 
    $googleApiResult = $service->inapppurchases->get($externalAppId, $externalProductId, $purchaseToken);
} catch (Exception $e) {  
    var_dump( $e->getMessage() ); 
}

4) Response from Google:

GET https://www.googleapis.com/androidpublisher/v1.1/applications/de.test.myapp/inapp/de.test.inapp.google.balance5eur/purchases/[PURCHASETOKEN]: (401) The current user has insufficient permissions to perform the requested operation.

[PURCHASETOKEN] is the purchase token I received from google

5) Setting $cred->sub = 'foo@bar.de' to my mail address brings up

Error refreshing the OAuth2 token, message: '{ "error" : "unauthorized_client", "error_description" : "Unauthorized client or scope in request." }'

Answer 1

Ok I found the solution!

You must to connect your API with your app. You must go to your Google Play publish page (https://play.google.com/apps/publish) and invite a user with the service account email in Settings->User account & rights->Invite new user and give it the privileges of "View financial reports".

This means that, whereas you normally might see a number of users from your domain listed in the Google Play Console (Email: user1@mydomain.com, Role: Finance; Email: user2@mydomain.com, Role: Administrator), you will now add another user and give him a Finance role (Email: XXX@developer.gserviceaccount.com, Role: Finance).

Thanks works for me, good luck!