dongzhong2018 2014-07-30 12:13
浏览 233
已采纳

OAuth2 Google服务帐户invalid_grant

The keys I've posted here are from a container I've deleted, but were all valid keys that have been provided to me by Google.

I'm attempting to implement: https://developers.google.com/analytics/devguides/config/mgmt/v3/mgmtReference/management/uploads/uploadData

The uploadData function works fine, and everything is accepted in Google Analytics. My problem lies with Google's OAuth2: https://developers.google.com/analytics/devguides/config/mgmt/v3/mgmtAuthorization

From what I've gathered, for the end-point I wish to hit, I must use an OAuth2 token, and cannot use an api key. The request doesn't accept ?key={api}, and only Bearer Authorization. Using the Service Account request, all I receive is invalid_grant. I've updated my clocks and does various miss-matches of values to no avail. Mind you, with similar keys, all other workflows work, but I don't wish to have user interaction as this is a background task.

json for key data (provided by Google): { "private_key_id": "825119b6ab0eabf2029a4e1cf562fa88090736a0", "private_key": "-----BEGIN PRIVATE KEY----- MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANCQ+tGWdTUOL6py hk/KGK/ClNFQnzRrzPvOgeHCqENqeunN5LJYBlrf0OOmRzJjV67WZc3cHKu95kYr I+Sz0NlsmPYiwP2eMUKL5HX2JEXx/T8Bf7SWK78G7BnPKxA1fKISSftJ1IJ9neH5 qhe4zEIB2NUcc6h3GHqBoQx4/4/dAgMBAAECgYEAsegpe2RrQEGEmVEtjpwmaK6D QPUTiKS36sdhdREVdMQ8anmtrg92BEhMqBNrQekJn2LU3j/22OyYo5wi9vAHohPI KYODw6mUemk/ULyuMGesC7nRq9sM7YnJk3KlkYrtLVR9THwAPfZ73k4UswsGFw4e aCX6SwtNnQTHruCvCAECQQD8ZkxRf2LdP0LZYrqcB0TD2P1rYeX+IHW5sC6mdDjQ v6HWXjviEBfQH6kaxpUvRaSHTk1p2a5pHOjVu9DdkGXdAkEA04qc+nXH6xkBf4yE LODzUuAMo/QU1C+SC9AS1WbfAuRyRCkuD0SNTbK8Ec+pkqy/Q6VuvjLvvTosB9+O VhIyAQJASYY3RypXj2HFRHQZLiiD5JVKRUSwbdXg1WW4QS7r+gtIxpyOzyym8y61 4SHmBW5BHlU2AdayktYkEVbz4gcVVQJBAI9JOZEwzEyDMI+btz/K0yYUmptHTgB3 hF45/zfLKU2FPZzLo+Y1kdzKLzeFSKAQILGKUdvFFrw+tepTU88bHgECQAlp4/sy J2m+zo5HsGBRP4gSxoVqiPuysT9tywJoUeo/3f+0jkDbVylTKTHpnqNk2ijFd1YS 5ARPrKY4iXG7UoU\u003d -----END PRIVATE KEY----- ", "client_email": "42064665633-fbbnb79350js2h22e8k1s3h9t52rursu@developer.gserviceaccount.com", "client_id": "42064665633-fbbnb79350js2h22e8k1s3h9t52rursu.apps.googleusercontent.com", "type": "service_account" }

The other 2 associated tags to create {Base64url encoded header}.{Base64url encoded claim set}.{Base64url encoded signature} are:

$header = [
    'alg' => 'RS256',
    'typ' => 'JWT'
];
$body = [
    "iss" => "42064665633-fbbnb79350js2h22e8k1s3h9t52rursu.apps.googleusercontent.com",
    "scope" => "https:\/\/www.googleapis.com\/auth\/analytics https:\/\/www.googleapis.com\/auth\/analytics.edit",
    "aud" => "https:\/\/accounts.google.com\/o\/oauth2\/token",
    "exp" => strtotime('1 hour'),
    "iat" => strtotime('now')
];
$header = base64_encode(json_encode($header));
$body = base64_encode(json_encode($body));

The signature is defined as the private_key in the google docs link above. I've tried every excerpt of information from Java questions pertaining to this method of authentication, from escaping slashes (shown above), to omitting fields.

What have I done wrong/left out that causes {"error" : "invalid_grant"}?

  • 写回答

2条回答 默认 最新

  • doufan1363 2014-07-30 14:13
    关注

    While not a proper solution to getting JWT Service Accounts to work, I'm now storing a refresh token for the web route. Everything is working well, it's just a lot of information I need to keep in my config.yml file that I'd rather not.

    https://developers.google.com/accounts/docs/OAuth2WebServer#refresh

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥20 docker里部署springboot项目,访问不到扬声器
  • ¥15 netty整合springboot之后自动重连失效
  • ¥15 悬赏!微信开发者工具报错,求帮改
  • ¥20 wireshark抓不到vlan
  • ¥20 关于#stm32#的问题:需要指导自动酸碱滴定仪的原理图程序代码及仿真
  • ¥20 设计一款异域新娘的视频相亲软件需要哪些技术支持
  • ¥15 stata安慰剂检验作图但是真实值不出现在图上
  • ¥15 c程序不知道为什么得不到结果
  • ¥15 键盘指令混乱情况下的启动盘系统重装
  • ¥40 复杂的限制性的商函数处理