I have 3 service accounts that are using the drive sdk.
1 works, 2 do not.
The error that comes back is "Error refreshing the OAuth2 token, message: '{ "
Thanks for this post and your comment about "Resolved by removing the line $credentials -> sub = $service_account_email;"
I am facing a similar issue here. Apparently, $credentials -> sub = $service_account_email is only accepted for the first/primary service account created in the Google Developers Console. Besides that, it will also produce unexpected errors with certain OAuth2 scopes (as I encountered with Fusion Tables).
Hence, here is the general advice:
DO NOT include
$credentials -> sub = $service_account_email
unnecessarily.
Only do this when you are trying to impersonate a different user (with the condition that the appropriate setup has been correctly done in the Google Apps Admin Console).
Even though it may not produce any error under certain cases, there are some unexpected behaviors when including an email address of the service account itself in the JWT claim set as the value of the "sub" field.
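
To illustrate the answer above, here is an added example (not code from the posts above or from the Google PHP client) that builds and signs the service-account JWT by hand with PHP's openssl extension and sets "sub" only when a different user is to be impersonated. The function names, the sample addresses and scope, and the throwaway key generated at run time are assumptions made for the example.

```php
<?php
// Added example: hand-built service-account JWT; "sub" is set only for impersonation.
function base64url(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// $impersonate: user to act as via domain-wide delegation, or null to act as the account itself.
function build_claims(string $serviceAccountEmail, array $scopes, ?string $impersonate = null): array
{
    $now = time();
    $claims = [
        'iss'   => $serviceAccountEmail,
        'scope' => implode(' ', $scopes),
        'aud'   => 'https://oauth2.googleapis.com/token',
        'iat'   => $now,
        'exp'   => $now + 3600, // assertion lifetime is capped at one hour
    ];
    // Design choice of this example: drop "sub" when it would name the service account itself.
    if ($impersonate !== null && strcasecmp($impersonate, $serviceAccountEmail) !== 0) {
        $claims['sub'] = $impersonate;
    }
    return $claims;
}

function sign_assertion(array $claims, $privateKey): string
{
    $header = ['alg' => 'RS256', 'typ' => 'JWT'];
    $input = base64url(json_encode($header)) . '.'
        . base64url(json_encode($claims, JSON_UNESCAPED_SLASHES));
    if (!openssl_sign($input, $signature, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return $input . '.' . base64url($signature);
}

// Constructed sample values; a real key comes from the service account's key file.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$sa = 'example-sa@example-project.iam.gserviceaccount.com';
$scopes = ['https://www.googleapis.com/auth/drive.readonly'];

foreach ([null, $sa, 'alice@example.com'] as $user) {
    $claims = build_claims($sa, $scopes, $user);
    $jwt = sign_assertion($claims, $key);
    printf("%-52s sub=%s jwt_len=%d\n", $user ?? '(none)', $claims['sub'] ?? '(omitted)', strlen($jwt));
}
```

Only the third case produces a claim set with "sub"; the first two yield the same assertion shape, which is what the token endpoint expects when no impersonation is intended.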