用于服务应用程序的 Google oAuth 2.0(JWT 令牌请求) [英] Google oAuth 2.0 (JWT token request) for Service Application

问题描述

我正在尝试为此处描述的服务帐户实施 Google oAuth 2:https://developer.google.com/accounts/docs/OAuth2ServiceAccount 在 UnityScript(或 C# - 没关系，因为它们都使用相同的 Mono .NET 类).

I'm trying to implement Google oAuth 2 for service accounts described here: https://developers.google.com/accounts/docs/OAuth2ServiceAccount on UnityScript (or C# - that doesn't matter because they both use the same Mono .NET classes).

我在这里找到了类似的主题:Is there a JSON Web Token (JWT) example in C#?web-token-jwt-example-in-c 但我还是没有成功.

I've found similar topic here: Is there a JSON Web Token (JWT) example in C#? web-token-jwt-example-in-c but I still don't have a success.

首先，我已经生成了标题和声明集(就像在谷歌文档中一样)

Fist of all, I have generated header and claimset (that are just like in google documentation)

var header: String = GetJWTHeader();
var claimset: String = GetJWTClaimSet();

结果是(为清楚起见，用新行分隔):

The result is (separated with new lines for clarity):

{"alg":"RS256","typ":"JWT"}

{"alg":"RS256","typ":"JWT"}

{"iss":"425466719070-1dg2rebp0a8fn9l02k9ntr6u5o4a8lp2.apps.googleusercontent.com",

{"iss":"425466719070-1dg2rebp0a8fn9l02k9ntr6u5o4a8lp2.apps.googleusercontent.com",

"范围":"https://www.googleapis.com/auth/prediction",

"aud":"https://accounts.google.com/o/oauth2/令牌",

"exp":1340222315,

"exp":1340222315,

"iat":1340218715}

"iat":1340218715}

Base-64 编码方式:

Base-64 encoding methods:

public static function Base64Encode(b: byte[]): String {
    var s: String = Convert.ToBase64String(b);
    s = s.Replace("+", "-");
    s = s.Replace("/", "_");
    s = s.Split("="[0])[0]; // Remove any trailing '='s
    return s;
}

public static function Base64Encode(s: String): String {    
    return Base64Encode(Encoding.UTF8.GetBytes(s));
}

那我要签名了.

var to_sign: byte[] = 
     Encoding.UTF8.GetBytes(Base64Encode(header) + "." + Base64Encode(claimset));
var cert: X509Certificate2 = 
     new X509Certificate2(google_pvt_key.ToArray(), "notasecret");
var rsa: RSACryptoServiceProvider = cert.PrivateKey;
var sgn: String = Base64Encode(rsa.SignData(to_sign, "SHA256"));

var jwt: String = Base64Encode(header) + "." + Base64Encode(claimset) + 
                     "." + sgn;

然后形成请求:

var url: String = "https://accounts.google.com/o/oauth2/token";
var form: WWWForm = new WWWForm();
form.AddField("grant_type", "assertion");
form.AddField("assertion_type", "http://oauth.net/grant_type/jwt/1.0/bearer");
form.AddField("assertion", jwt);
var headers: Hashtable = form.headers;
headers["Content-Type"] = "application/x-www-form-urlencoded";

var www: WWW = new WWW(url, form.data, headers);

我得到的只是错误 400:错误请求".

编码后的数据看起来像(为清楚起见添加了换行符):

The encoded data looks like (line breaks added for clarity):

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.

eyJpc3MiOiI0MjU0NjY3MTkwNzAtMWRnMnJlYnAwYThmbjlsMDJrOW50cjZ1NW80YThscDIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzY29wZSI6Imh0dHBzOi8vd3d3Lmdvb2dsZWFwaXMuY29tL2F1dGgvcHJlZGljdGlvbiIsImF1ZCI6Imh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL29hdXRoMi90b2tlbiIsImV4cCI6MTM0MDIyMjMxNSwiaWF0IjoxMzQwMjE4NzE1fQ.

eyJpc3MiOiI0MjU0NjY3MTkwNzAtMWRnMnJlYnAwYThmbjlsMDJrOW50cjZ1NW80YThscDIuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzY29wZSI6Imh0dHBzOi8vd3d3Lmdvb2dsZWFwaXMuY29tL2F1dGgvcHJlZGljdGlvbiIsImF1ZCI6Imh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL29hdXRoMi90b2tlbiIsImV4cCI6MTM0MDIyMjMxNSwiaWF0IjoxMzQwMjE4NzE1fQ.

lIFg7-Og_BcC5qpICLt7USwGIHUOz-vV4ADNq0AWhuRtsvFrbZn5mxk4n9r5qU66q4reTVVAtuW06DeGsdcBMNgEdIMvN6VuYQybs64p9mqrfECBYxO1FWHbUG-2On1IpowybEsRRUjZfp0jFuEY7S

lIFg7-Og_BcC5qpICLt7USwGIHUOz-vV4ADNq0AWhuRtsvFrbZn5mxk4n9r5qU66q4reTVVAtuW06DeGsdcBMNgEdIMvN6VuYQybs64p9mqrfECBYxO1FWHbUG-2On1IpowybEsRRUjZfp0jFuEY7SLE3XRaXan0k5zmejcvLQo

我花了两天时间试图找出问题所在，但我看不到.

I've spent two days trying to figure out what is wrong but I can't see.

另外，我找不到任何合适的文档和示例.

Also, I couldn't find any suitable documentation and examples.

我只是想收到一个令牌.

I'm trying just to recieve a token.

1. 我是否以正确的方式签署字节?
2. 声明集中的范围"参数应该是什么样的?我试过https://www.googleapis.com/auth/devstorage.readonly"和https://www.googleapis.com/auth/prediction".
3. iss"参数应该等于什么?客户 ID 或电子邮件地址?(都试过了)
4. 有什么方法可以找出我的错误?
5. 是否有任何用于服务应用程序的 C# 库(不适用于已安装的应用程序或客户端登录)?

我快疯了......它必须工作，但它没有......:-/

I'm getting crazy... It has to work, but it doesn't... :-/

推荐答案

解决方案是在请求代码中所有斜杠都必须反斜杠

The solution was that in request code all slashes have to be backslashed

错误:

"scope":"https://www.googleapis.com/auth/prediction",
"aud":"https://accounts.google.com/o/oauth2/token",

正确:

"scope":"https:\/\/www.googleapis.com\/auth\/prediction",
"aud":"https:\/\/accounts.google.com\/o\/oauth2\/token",

这篇关于用于服务应用程序的 Google oAuth 2.0(JWT 令牌请求)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！