带有pyjwt的JWT对于Google服务器到服务器应用程序无效 [英] Invalid JWT with pyjwt for Google Server to Server Applications

问题描述

在无法从Google Server到Server进行身份验证之后使用Python Oauthlib 的应用程序，我现在尝试直接用pyjwt生成jwt，然后按照 Google文档，但由于我现在收到以下消息而无法使用:无效的JWT:令牌必须是短期令牌，并且必须在合理的时间范围内.

After failing to authenticate for Google Server to Server Applications using Python Oauthlib, I am now trying to generate directly the jwt with pyjwt then test it with curl as stated in Google documentation, but it does not work either since I now receive: Invalid JWT: Token must be a short-lived token and in a reasonable timeframe.

安装pyjwt之后，Python 3中的代码:

The code in Python 3 after installing pyjwt:

>>> from datetime import datetime, timedelta

>>> import json
>>> import jwt

>>> json_file = json.load(open("google-project-credentials.json"))
>>> dt_now = datetime.datetime.utcnow()
>>> payload = { 'iss' : json_file['client_email'], 'scope' : 'https://www.googleapis.com/auth/tasks', 'aud' : 'https://www.googleapis.com/oauth2/v4/token', 'exp' : int((dt_now + datetime.timedelta(hours=1)).timestamp()), 'iat': int(dt_now.timestamp()) }
>>> jwt.encode(payload, json_file['private_key'], algorithm='RS256')
b'PYJWT_RESULT_HERE'

然后，如Google文档所述，我在bash中运行curl并粘贴先前的结果:

Then, as stated in Google documentation, I run curl in bash and paste the previous result:

$ curl -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=PYJWT_RESULT_HERE' https://www.googleapis.com/oauth2/v4/token

然后我收到以下错误:

{
  "error": "invalid_grant",
  "error_description": "Invalid JWT: Token must be a short-lived token and in a reasonable timeframe"
}

我在做什么错了?

谢谢！

推荐答案

实际上，如错误消息中所述，问题出在错误生成的时代(我不完全理解为什么):

Actually, as stated in the error message, the problem was in the epoch that was incorrectly generated (I don't completely understand why yet):

>>> from datetime import datetime
>>> from calendar import timegm
>>> import json
>>> import jwt

>>> json_file = json.load(open("google-project-credentials.json"))
>>> payload = { 'iss' : json_file['client_email'], 'scope' : 'https://www.googleapis.com/auth/tasks', 'aud' : 'https://www.googleapis.com/oauth2/v4/token', 'exp' : timegm(datetime.utcnow().utctimetuple()) + 600, 'iat' : timegm(datetime.utcnow().utctimetuple()) }
>>> jwt.encode(payload, json_file['private_key'], algorithm='RS256')
b'PYJWT_RESULT_HERE'

然后在Bash控制台中:

Then in a Bash console:

$ curl -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=PYJWT_RESULT_HERE' https://www.googleapis.com/oauth2/v4/token
{
  "access_token": "GOOGLE_ACCESS_TOKEN_YEAH",
   "token_type": "Bearer",
   "expires_in": 3600
}

实际上我很惊讶没有得到更多帮助，因为我以为Google会参与其中；-(在开源项目上，支持实际上更好！

I was actually surprised not to receive more help on that matter since I thought Google would be involved ;-( On open-source project, the support is actually better!

这篇关于带有pyjwt的JWT对于Google服务器到服务器应用程序无效的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！