Cloud endpoints oauth2 error


Problem description


I just recently was able to refactor my app engine application to support Cloud Endpoints after watching the IMO helpful GDL episodes on YouTube.

I'm testing my site using the javascript client to handle authorization and then return a list of items which mostly works. But when I'm calling the endpoint to return the list of items I get this set of errors in my App Engine logs:

I 2013-03-14 08:52:14.748 Checking for id_token.
W 2013-03-14 08:52:14.748 id_token verification failed: Wrong number of segments in token: ya29.AHES6ZSpbeiTPTOJhCTtRdypgldcrRBQBKH8oQ8Y_FpxG5-Lr3OW6dE
I 2013-03-14 08:52:14.748 Checking for oauth token.
W 2013-03-14 08:52:14.885 Found 1 RPC request(s) without matching response (presumably due to timeouts or other errors)

From what I can tell there are only 2 "segments" in all the auth tokens that google is returning not 3 so I'm not clear what this means.

Here's the Authorization request header from my browser console: Authorization Bearer ya29.AHES6ZSpbeiTPTOJhCTtRdypgldcrRBQBKH8oQ8Y_FpxG5-Lr3OW6dE

Any help would be appreciated.

Solution

There are two types of tokens: ID tokens and standard Bearer tokens.

Bearer Token:

This is the standard token retrieved through the OAuth dance.

ID Token:

A typical ID token will look something like eyJhbGciOiJSUzI1NiIsImtpZCI6IjIxZWFlMTVkODE.eyJpc3MiOiJhY2NvdW50cy5n.oXLawgz_ed (except with segments that are much longer) and is a signed JWT.

An ID token can be obtained in JavaScript by adding 'id_token' to the response type, as is done in our Tic-Tac-Toe sample.

This way, the token returned from the OAuth request will also have an ID token:

var token = gapi.auth.getToken();
// Use id_token instead of bearer token
token.access_token = token.id_token;

What You Are Seeing in the Logs:

The line

W 2013-03-14 08:52:14.748 id_token verification failed: Wrong number of segments in token: ya29.AHES6ZSpbeiTPTOJhCTtRdypgldcrRBQBKH8oQ8Y_FpxG5-Lr3OW6dE

is only a warning, meaning that the observed token ya29.AHE... is not an ID token and the next line in the log

I 2013-03-14 08:52:14.748 Checking for oauth token.

means that it is moving on to check if the token is a Bearer Token.

This DOES NOT mean your token was invalid, just that it was checking the Bearer Token.

The line

W 2013-03-14 08:52:14.885 Found 1 RPC request(s) without matching response (presumably due to timeouts or other errors)

likely means there was an RPC to verify the token that failed. The main pieces to verify a Bearer Token are a call to

oauth.get_current_user(EMAIL_SCOPE)

and a request to

https://www.googleapis.com/oauth2/v2/tokeninfo?access_token=ya29.AHE...

to verify the Client ID and Audience on the token.

ID Token In Depth:

The first segment is a base64url encoded description of the encryption used. For example.

>>> import base64, json
>>> segments = id_token.split('.')
>>> first_segment = segments[0] + '=' * ((4 - len(segments[0])) % 4)
>>> json.loads(base64.urlsafe_b64decode(first_segment))
{u'alg': u'RS256', u'kid': u'21eae15d817c1b4a8f6ff4501930512d07cbe684'}

the second segment is a base64url encoded description of the token's contents:

>>> second_segment = segments[1] + '=' * ((4 - len(segments[1])) % 4)  # pad the second segment, not the first
>>> json.loads(base64.urlsafe_b64decode(second_segment))
{u'at_hash': u'xxxyyyzzz',  # Fake Data
 u'aud': u'someclient_id.apps.googleusercontent.com',
 u'azp': u'someclient_id.apps.googleusercontent.com',
 u'cid': u'someclient_id.apps.googleusercontent.com',
 u'email': u'joe@mail.com',
 u'email_verified': u'true',
 u'exp': 1363289943,
 u'hd': u'google.com',
 u'iat': 1363286043,
 u'id': u'123456789',  # Fake Data
 u'iss': u'accounts.google.com',
 u'sub': u'123456789',  # Fake Data
 u'token_hash': u'xxxyyyzzz',  # Fake Data
 u'verified_email': u'true'}

and the third segment is a combination of the first two signed with Google's private key.
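The segment check and the claim inspection the answer describes, as an added example that is not part of the original post: it tells an opaque Bearer token (`ya29....`, two segments) apart from a three-segment ID token, decodes the header and payload with the same padding rule, and checks the issuer, audience and expiry claims against the app's own client ID. The sample token is constructed from the answer's fake data and carries a dummy signature; the third segment is not verified here, and a real server must still check it against Google's published keys before trusting the claims.

```python
import base64
import json
import time

# Added example, not from the original answer; the signature segment is not verified.

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it to a multiple of 4 characters.
    return base64.urlsafe_b64decode(segment + "=" * ((4 - len(segment)) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def classify_token(token: str) -> str:
    """'id_token' for three dot-separated segments, otherwise an opaque 'bearer'."""
    return "id_token" if len(token.split(".")) == 3 else "bearer"

def decode_id_token(token: str) -> tuple:
    """Return (header, payload) dicts; raises on the wrong segment count."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("Wrong number of segments in token: %s" % token)
    header = json.loads(_b64url_decode(segments[0]))
    payload = json.loads(_b64url_decode(segments[1]))
    return header, payload

def check_claims(payload: dict, expected_aud: str, now=None) -> list:
    """List the claim problems; an empty list means iss, aud and exp are acceptable."""
    now = int(time.time()) if now is None else now
    problems = []
    if payload.get("iss") not in ("accounts.google.com", "https://accounts.google.com"):
        problems.append("unexpected issuer")
    if payload.get("aud") != expected_aud:
        problems.append("audience is not this app's client id")
    if int(payload.get("exp", 0)) <= now:
        problems.append("token expired")
    return problems

# Constructed sample ID token: header and claims mirror the answer's fake data.
SAMPLE_ID_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "kid": "21eae15d817c1b4a8f6ff4501930512d07cbe684"}).encode()),
    _b64url_encode(json.dumps({"iss": "accounts.google.com", "aud": "someclient_id.apps.googleusercontent.com",
                               "sub": "123456789", "iat": 1363286043, "exp": 1363289943}).encode()),
    _b64url_encode(b"dummy-signature"),
])
# The opaque bearer token from the question: two segments, so not a JWT.
SAMPLE_BEARER = "ya29.AHES6ZSpbeiTPTOJhCTtRdypgldcrRBQBKH8oQ8Y_FpxG5-Lr3OW6dE"
```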
