How to Server-side verification of Google Play subscriptions

gistfile1.txt

1.create google app (google console)
	Example:
		Client ID	xxx.apps.googleusercontent.com
		Email address	[email protected]
		Client secret	xxx
		Redirect URIs	
			https://localhost/oauth2callback
		Javascript Origins	
			https://localhost

2.get Authorization code:

	Request URL(GET):

		https://accounts.google.com/o/oauth2/auth?redirect_uri={REDIRECT_URI}&response_type=code&client_id={CLIENT_ID}&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fandroidpublisher&approval_prompt=force&access_type=offline

			
	Note:
		{CLIENT_ID} = from google console
		{REDIRECT_URI} = from google console (must encode url)

	Response:
		[code]

	Example:
		https://accounts.google.com/o/oauth2/auth?redirect_uri=https%3A%2F%2Flocalhost%2Foauth2callback&response_type=code&client_id=xxx.apps.googleusercontent.com&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fandroidpublisher&approval_prompt=force&access_type=offline


	Response:(code)
		https://localhost/oauth2callback?code=4/NWmwI5Qmuqer2CmiGxvAsAXVw9lb.opOrLaIVal0WXE-sT2ZLcbRHKlFXiwI

	
		[code] = 4/NWmwI5Qmuqer2CmiGxvAsAXVw9lb.opOrLaIVal0WXE-sT2ZLcbRHKlFXiwI

3.get Refresh token
	Request URL(POST):
		https://accounts.google.com/o/oauth2/token

		Parameter:
		grant_type 		==>'authorization_code'
		client_id  		==>[GOOGLE_CLIENT_ID]
		client_secret   ==>[GOOGLE_CLIENT_SECRET]
		code            ==>[code]
		redirect_uri    ==>[GOOGLE_REDIRECT_URI]

		Notes:
		[GOOGLE_CLIENT_ID] from google api console
		[GOOGLE_CLIENT_SECRET] from google api console
		[GOOGLE_REDIRECT_URI] from google api console
		[code]  from step 2


	Response:
		{
		"access_token":"ya29.1.AADtN_VQsXaZPIhT1E_JKTjHG6nED5KuwAt-mOwdYFaEXxweJ8iqYzt06OCiozKlr3w8AQ",
		"token_type":"Bearer",
		"expires_in":3600,
		"refresh_token":"1/CZi1-1yRSAFfgJTYFNmX9vlf0SdYr92FuQ3WnUY_khE"
		}


4. Using the Access Token to make API request
Document 
	https://developers.google.com/android-publisher/v1_1/purchases/


	option 1 : GET with custome header

		[PHP]
			$lAccessToken = "{The access token you got in}" ;
			$lPackageNameStr = "{your apps package name com.something.something}";
			$lURLStr =  "https://www.googleapis.com/androidpublisher/v1.1/applications/[PACKAGENAME]/subscriptions/[SKU]/purchases/[PURCHASETOKEN]";

			$curl = curl_init($lURLStr);

			curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
			curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
			curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); 
			$curlheader[0] = "Authorization: Bearer " . $lAccessToken;
			curl_setopt($curl, CURLOPT_HTTPHEADER, $curlheader);

			$json_response = curl_exec($curl);
			curl_close($curl);
			$responseObj = json_decode($json_response,true);

	option 2 : GET with url(parameter)

		[subscriptions]
			https://www.googleapis.com/androidpublisher/v1.1/applications/[PACKAGENAME]/subscriptions/[SKU]/purchases/[PURCHASETOKEN]?authorization_token=[ACCESS_TOKEN]

		[inapp]
			https://www.googleapis.com/androidpublisher/v1.1/applications/[PACKAGENAME]/inapp/[SKU]/purchases/[PURCHASETOKEN]?authorization_token=[ACCESS_TOKEN]

	Notes:
		[PACKAGENAME] 	==> package name (ex. com.ace.payment)
		[SKU] 			==> package name (ex. item1)
		[PURCHASETOKEN] ==> from android device purchase


	Response:
		{
		  "kind": "androidpublisher#subscriptionPurchase",
		  "initiationTimestampMsec": long,
		  "validUntilTimestampMsec": long,
		  "autoRenewing": boolean
		}