JWT "invalid_grant" in Signature in Google OAuth2


Problem description

I am writing some code to try to get a token to use from Google in OAuth2. This is for a service account, so the instructions are here:

https://developers.google.com/identity/protocols/OAuth2ServiceAccount

I keep getting this error when I post the JWT to Google:

{ "error": "invalid_grant", "error_description": "Invalid JWT Signature." }

Here is the code:

try{        
    var nowInSeconds : Number = (Date.now() / 1000);
    nowInSeconds = Math.round(nowInSeconds);
    var fiftyNineMinutesFromNowInSeconds : Number = nowInSeconds + (59 * 60);


    var claimSet : Object = {};
    claimSet.iss   = "{{RemovedForPrivacy}}";        
    claimSet.scope = "https://www.googleapis.com/auth/plus.business.manage";
    claimSet.aud   = "https://www.googleapis.com/oauth2/v4/token";
    claimSet.iat   = nowInSeconds; 
    claimSet.exp   = fiftyNineMinutesFromNowInSeconds;

    var header : Object = {};
    header.alg = "RS256";
    header.typ = "JWT";

    /* Stringify These */
    var claimSetString = JSON.stringify(claimSet);
    var headerString = JSON.stringify(header);

    /* Base64 Encode These */
    var claimSetBaseSixtyFour = StringUtils.encodeBase64(claimSetString);
    var headerBaseSixtyFour = StringUtils.encodeBase64(headerString);

    var privateKey = "{{RemovedForPrivacy}}";

    /* Create the signature */
    var signature : Signature = Signature();
    signature =  signature.sign(headerBaseSixtyFour + "." + claimSetBaseSixtyFour, privateKey , "SHA256withRSA");

    /* Concatenate the whole JWT */
    var JWT = headerBaseSixtyFour + "." + claimSetBaseSixtyFour + "." + signature;

    /* Set Grant Type */
    var grantType = "urn:ietf:params:oauth:grant-type:jwt-bearer";

    /* Create and encode the body of the token post request */
    var assertions : String = "grant_type=" + dw.crypto.Encoding.toURI(grantType) + "&assertion=" + dw.crypto.Encoding.toURI(JWT);

    /* Connect to Google And Ask for Token */
    /* TODO Upload Certs? */
    var httpClient : HTTPClient = new HTTPClient();
    httpClient.setRequestHeader("content-type", "application/x-www-form-urlencoded; charset=utf-8");
    httpClient.timeout = 30000;
    httpClient.open('POST', "https://www.googleapis.com/oauth2/v4/token");
    httpClient.send(assertions);

    if (httpClient.statusCode == 200) {
       //nothing
    } else {
       pdict.errorMessage = httpClient.errorText;
    }  

}
catch(e){
    Logger.error("The error with the OAuth Token Generator is --> " + e);
}

Does anyone know why the JWT is failing?

Thanks a lot! Brad

Recommended answer

The problem might be related to the fact that your StringUtils.encodeBase64() method is likely to perform a standard base64 encoding.

According to the JWT spec, however, it's not the standard base64 encoding that needs to be used, but the URL- and filename-safe Base64 encoding, with the = padding characters omitted.

If you don't have a utility method handy for base64URL encoding, you can verify by

  • replacing all + with -;
  • replacing all / with _;
  • removing all =

in your base64-encoded strings.

Also, is your signature also base64-encoded? It needs to be, following the same rules as described above.
