dongzhong2018 2014-07-30 12:13
Accepted

OAuth2 Google service account invalid_grant

The keys I've posted here are from a container I've deleted, but were all valid keys that have been provided to me by Google.

I'm attempting to implement: https://developers.google.com/analytics/devguides/config/mgmt/v3/mgmtReference/management/uploads/uploadData

The uploadData function works fine, and everything is accepted in Google Analytics. My problem lies with Google's OAuth2: https://developers.google.com/analytics/devguides/config/mgmt/v3/mgmtAuthorization

From what I've gathered, for the end-point I wish to hit, I must use an OAuth2 token, and cannot use an API key. The request doesn't accept ?key={api}, and only Bearer Authorization. Using the Service Account request, all I receive is invalid_grant. I've updated my clocks and done various mismatches of values to no avail. Mind you, with similar keys, all other workflows work, but I don't wish to have user interaction as this is a background task.

json for key data (provided by Google):

{
    "private_key_id": "825119b6ab0eabf2029a4e1cf562fa88090736a0",
    "private_key": "-----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY----- ",
    "client_email": "42064665633-fbbnb79350js2h22e8k1s3h9t52rursu@developer.gserviceaccount.com",
    "client_id": "42064665633-fbbnb79350js2h22e8k1s3h9t52rursu.apps.googleusercontent.com",
    "type": "service_account"
}

The other 2 associated tags to create {Base64url encoded header}.{Base64url encoded claim set}.{Base64url encoded signature} are:

$header = [
    'alg' => 'RS256',
    'typ' => 'JWT'
];
$body = [
    "iss" => "42064665633-fbbnb79350js2h22e8k1s3h9t52rursu.apps.googleusercontent.com",
    "scope" => "https:\/\/www.googleapis.com\/auth\/analytics https:\/\/www.googleapis.com\/auth\/analytics.edit",
    "aud" => "https:\/\/accounts.google.com\/o\/oauth2\/token",
    "exp" => strtotime('1 hour'),
    "iat" => strtotime('now')
];
$header = base64_encode(json_encode($header));
$body = base64_encode(json_encode($body));

The signature is defined as the private_key in the google docs link above. I've tried every excerpt of information from Java questions pertaining to this method of authentication, from escaping slashes (shown above), to omitting fields.

What have I done wrong/left out that causes {"error" : "invalid_grant"}?


2 answers

  • doufan1363 2014-07-30 14:13

    While not a proper solution to getting JWT Service Accounts to work, I'm now storing a refresh token for the web route. Everything is working well, it's just a lot of information I need to keep in my config.yml file that I'd rather not.

    https://developers.google.com/accounts/docs/OAuth2WebServer#refresh

    This answer was selected by the asker as the best answer.
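
For comparison with the question's snippet, an added example (not code from the question or the answers) that builds a service-account JWT assertion as Google's service-account flow documents it: `iss` set to the key file's `client_email`, each segment base64url-encoded without padding, and the signature computed with the private key over `header.claims`. The key pair is generated on the spot and the e-mail address is a constructed placeholder; `aud` and the scopes are the values quoted in the question.

```php
<?php
// Added example. The key pair and e-mail are constructed; nothing is sent over the network.
function base64url_encode(string $data): string
{
    // JWT segments use the URL-safe alphabet with '=' padding stripped (RFC 7515).
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function build_assertion(string $email, string $keyPem, string $scope, string $aud, int $now): string
{
    $header = ['alg' => 'RS256', 'typ' => 'JWT'];
    $claims = [
        'iss'   => $email,   // the service account's client_email, not its client_id
        'scope' => $scope,
        'aud'   => $aud,
        'exp'   => $now + 3600,
        'iat'   => $now,
    ];
    $input = base64url_encode(json_encode($header)) . '.' . base64url_encode(json_encode($claims));
    // RS256: RSA PKCS#1 v1.5 with SHA-256 over "header.claims". The key only signs; it is never sent.
    if (!openssl_sign($input, $signature, $keyPem, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return $input . '.' . base64url_encode($signature);
}

// Constructed throwaway key pair standing in for the private_key of a service-account JSON file.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($key, $pem);
$publicPem = openssl_pkey_get_details($key)['key'];

$jwt = build_assertion(
    'example-sa@developer.gserviceaccount.com',   // constructed placeholder address
    $pem,
    'https://www.googleapis.com/auth/analytics https://www.googleapis.com/auth/analytics.edit',
    'https://accounts.google.com/o/oauth2/token', // aud as quoted in the question
    time()
);

// Local check: the third segment must verify against the public half of the signing key.
[$h, $c, $s] = explode('.', $jwt);
$ok = openssl_verify("$h.$c", base64_decode(strtr($s, '-_', '+/')), $publicPem, OPENSSL_ALGO_SHA256);
echo $ok === 1 ? "signature verifies\n" : "signature INVALID\n";

// Form body for the token request (grant type defined in RFC 7523).
echo http_build_query(['grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer', 'assertion' => $jwt]), "\n";
```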