Invalid JWT with pyjwt for Google Server to Server Applications
After failing to authenticate for Google Server to Server Applications using Python Oauthlib, I am now trying to generate the JWT directly with pyjwt and then test it with curl as stated in the Google documentation, but it does not work either, since I now receive: Invalid JWT: Token must be a short-lived token and in a reasonable timeframe.
The code in Python3 after installing pyjwt:
>>> import datetime
>>> import json
>>> import jwt
>>> json_file = json.load(open("google-project-credentials.json"))
>>> dt_now = datetime.datetime.utcnow()
>>> payload = { 'iss' : json_file['client_email'], 'scope' : 'https://www.googleapis.com/auth/tasks', 'aud' : 'https://www.googleapis.com/oauth2/v4/token', 'exp' : int((dt_now + datetime.timedelta(hours=1)).timestamp()), 'iat': int(dt_now.timestamp()) }
>>> jwt.encode(payload, json_file['private_key'], algorithm='RS256')
b'PYJWT_RESULT_HERE'
Then, as stated in the Google documentation, I run curl in bash and paste the previous result:
$ curl -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=PYJWT_RESULT_HERE' https://www.googleapis.com/oauth2/v4/token
Then I receive the following error:
{
"error": "invalid_grant",
"error_description": "Invalid JWT: Token must be a short-lived token and in a reasonable timeframe"
}
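What am I doing wrong?
Thanks!
Actually, as stated in the error message, the problem was in the epoch, which was wrongly generated (I have not completely understood why yet):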
>>> from datetime import datetime
>>> from calendar import timegm
>>> import json
>>> import jwt
>>> json_file = json.load(open("google-project-credentials.json"))
>>> payload = { 'iss' : json_file['client_email'], 'scope' : 'https://www.googleapis.com/auth/tasks', 'aud' : 'https://www.googleapis.com/oauth2/v4/token', 'exp' : timegm(datetime.utcnow().utctimetuple()) + 600, 'iat' : timegm(datetime.utcnow().utctimetuple()) }
>>> jwt.encode(payload, json_file['private_key'], algorithm='RS256')
b'PYJWT_RESULT_HERE'
Then in the Bash console:
$ curl -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=PYJWT_RESULT_HERE' https://www.googleapis.com/oauth2/v4/token
{
"access_token": "GOOGLE_ACCESS_TOKEN_YEAH",
"token_type": "Bearer",
"expires_in": 3600
}
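I am actually surprised not to have received more help on this, since I thought Google would be involved ;-( On open-source projects, the support is actually better!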
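Why the first session is rejected and the second is accepted, as an added example that is not part of the original posts: `.timestamp()` on the naive value returned by `utcnow()` interprets it as local time, so `iat` and `exp` shift by the host's UTC offset, while `timegm()` reads the same fields as UTC. The function names, the POSIX `TZ` strings, the constructed `SAMPLE` time and the `max_lifetime`/`tolerance` limits are assumptions made for the illustration; `time.tzset()` is Unix only.

```python
import os
import time
from calendar import timegm
from datetime import datetime, timezone

def local_epoch(naive_utc):
    # Question's approach: .timestamp() on a naive datetime assumes LOCAL time.
    return int(naive_utc.timestamp())

def utc_epoch(naive_utc):
    # Answer's approach: timegm() reads the same fields as UTC.
    return timegm(naive_utc.utctimetuple())

def skew_seconds(tz, naive_utc):
    """Error (seconds) the question's approach puts into iat/exp on a host in `tz`."""
    saved = os.environ.get("TZ")
    os.environ["TZ"] = tz
    time.tzset()  # Unix only
    try:
        return local_epoch(naive_utc) - utc_epoch(naive_utc)
    finally:
        if saved is None:
            os.environ.pop("TZ", None)
        else:
            os.environ["TZ"] = saved
        time.tzset()

def time_claims(lifetime=600, now=None):
    """iat/exp from a timezone-aware UTC datetime, correct on any host timezone."""
    now = now or datetime.now(timezone.utc)
    iat = int(now.timestamp())
    return {"iat": iat, "exp": iat + lifetime}

def preflight(claims, now_epoch, max_lifetime=3600, tolerance=300):
    """Local sanity check before sending; both limits are assumed values."""
    problems = []
    if claims["exp"] - claims["iat"] > max_lifetime:
        problems.append("lifetime too long")
    if abs(claims["iat"] - now_epoch) > tolerance:
        problems.append("iat skewed")
    if claims["exp"] <= now_epoch:
        problems.append("already expired")
    return problems

SAMPLE = datetime(2017, 1, 15, 12, 0, 0)  # constructed naive "UTC now"

if __name__ == "__main__":
    for tz in ("UTC0", "CET-1", "EST5"):  # POSIX TZ strings: UTC, UTC+1, UTC-5
        print(tz, skew_seconds(tz, SAMPLE))
```

On a host at UTC+1 the question's claims come out one hour in the past, so a one-hour token has already expired by the time it is sent; on a host set to UTC the same code happens to work.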