@loren138
Created October 12, 2015 18:06
Google Apps Password Change PHP Example/Sample Code

You must get the Google API PHP client here: https://github.com/google/google-api-php-client (For Composer: "google/apiclient": "~1.1".)

My example code is from Laravel 5.1, but it should be easily adaptable to any framework/code base.

This roughly explains what to do for a generic admin account: https://developers.google.com/admin-sdk/directory/v1/guides/delegation

So you would

  1. Create the user
  2. Log in as the user
  3. Go to: https://console.developers.google.com/
  4. Create a new app
  5. Enable the Admin SDK under APIs & Auth -> APIs
  6. Go to APIs & Auth -> Credentials, then click Add Credentials -> Service Account
  7. Key Type is JSON (Download and save the key)

Then go back into the Domain Admin Console

  1. Go to your Google Apps domain’s Admin console.
  2. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
  3. Select Advanced settings from the list of options.
  4. Select Manage third party OAuth Client access in the Authentication section.
  5. In the Client name field enter the service account's Client ID.
  6. In the One or More API Scopes field, enter the list of scopes that your application should be granted access to (see image below). For example, if you need domain-wide access to Users and Groups and Group Membership, enter: https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.group, https://www.googleapis.com/auth/admin.directory.group.member (I think we plan to use all 3 of these permissions eventually so people can use MySBTS to create Google groups for their department or other needs. Troy started this but never integrated Google.)
  7. Click the Authorize button.

Once all that is done, I need the JSON file and the email address of the generic account.

<?php
namespace App\Models\User;

/**
 * Class GoogleDirectoryApi
 *
 * Stores all the password reset information
 */
class GoogleDirectoryApi
{
    /**
     * @param string $email        Primary email address of the user to update
     * @param string $passwordSha1 Hex-encoded SHA-1 hash of the new password
     */
    public function resetStudentPassword($email, $passwordSha1)
    {
        // This is the email address to emulate and should be an actual admin account, not the service account email
        $admin_email = config('api.google_student.admin_email');
        // This JSON file contains all the service account keys and is what you downloaded from Google
        $json = base_path('config/keys/google_student.json');

        $client = new \Google_Client();
        $client->setApplicationName("YourApp");
        $users = new \Google_Service_Directory($client);

        $data = json_decode(file_get_contents($json));
        if (isset($data->type) && $data->type == 'service_account') {
            // Service Account format.
            $cred = new \Google_Auth_AssertionCredentials(
                $data->client_email,
                [\Google_Service_Directory::ADMIN_DIRECTORY_USER],
                $data->private_key,
                'notasecret',
                'http://oauth.net/grant_type/jwt/1.0/bearer',
                $admin_email
            );
        } else {
            throw new \Exception("Invalid service account JSON file.");
        }

        $client->setAssertionCredentials($cred);
        if ($client->getAuth()->isAccessTokenExpired()) {
            $client->getAuth()->refreshTokenWithAssertion($cred);
        }

        // You can get users by email address or Google ID
        // Google recommends using their ID, but I don't have that.
        // This function will work fine with the Google ID too if you have it.
        // i.e. $user = $users->users->get($id);
        $user = $users->users->get($email);

        // Just change what you need to
        // Setting $user->changePasswordAtNextLogin = true will force a password change at the next login
        // and could be used to create expiring passwords
        $user->password = $passwordSha1;
        $user->hashFunction = 'SHA-1';

        // Send the modified user back to Google to apply the new password
        $response = $users->users->patch(
            $email,
            $user
        );

        return $response;
    }
}
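
The class above reads the service account JSON and checks only its `type` field. As an added example (not part of the original gist), here is one way to validate that key file before its private key is handed to the client. The helper name `loadServiceAccountKey`, the owner-only permission rule and the sample `client_email` are assumptions of this example, which expects PHP 7.3+ with the openssl extension on a POSIX filesystem.

```php
<?php
// Added example, not from the gist. loadServiceAccountKey() is a hypothetical helper.
function loadServiceAccountKey(string $path): stdClass
{
    clearstatcache(true, $path);
    if (is_link($path) || !is_file($path)) {
        throw new RuntimeException("Key file must be a regular file: $path");
    }
    // Assumption of this example: only the owning user may read the key.
    if ((fileperms($path) & 0077) !== 0) {
        throw new RuntimeException("Key file is accessible to group/other; chmod 600 it.");
    }
    // Throws JsonException on malformed JSON instead of silently returning null.
    $data = json_decode(file_get_contents($path), false, 16, JSON_THROW_ON_ERROR);
    if (!is_object($data) || ($data->type ?? null) !== 'service_account') {
        throw new RuntimeException("Not a service account JSON key.");
    }
    foreach (['client_email', 'private_key'] as $field) {
        if (!isset($data->$field) || !is_string($data->$field) || $data->$field === '') {
            throw new RuntimeException("Missing field: $field");
        }
    }
    // Parse the PEM now so a truncated or corrupted key fails here, not mid-request.
    if (openssl_pkey_get_private($data->private_key) === false) {
        throw new RuntimeException("private_key is not a valid PEM private key.");
    }
    return $data;
}

// Demo with a constructed, throwaway key file (never registered with Google).
$pkey = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($pkey, $pem);
$path = tempnam(sys_get_temp_dir(), 'sa_');
file_put_contents($path, json_encode([
    'type'         => 'service_account',
    'client_email' => 'constructed-sa@example.iam.gserviceaccount.com',
    'private_key'  => $pem,
]));

// The same file is checked twice: world-readable first, then owner-only.
foreach ([0644, 0600] as $mode) {
    chmod($path, $mode);
    try {
        $key = loadServiceAccountKey($path);
        printf("%04o accepted: %s\n", $mode, $key->client_email);
    } catch (RuntimeException $e) {
        printf("%04o rejected: %s\n", $mode, $e->getMessage());
    }
}
unlink($path);
```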