谷歌数据存储令牌未经授权?

时间:2013-06-13 18:41:37

标签: google-cloud-datastore

jwt1=`echo -n '{"alg":"RS256","typ":"JWT"}' | openssl base64 -e`

jwt2=`echo -n '{\
"iss":"...@developer.gserviceaccount.com",\
"scope":"https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/datastore",\
"aud":"https://accounts.google.com/o/oauth2/token",\
"exp":'$(($(date +%s)+3600))',\
"iat":'$(date +%s)'}' | openssl base64 -e`

jwt3=`echo -n "$jwt1.$jwt2" | tr -d '\n' | tr -d '=' | tr '/+' '_-'`

jwt4=`echo -n "$jwt3" | openssl sha -sha256 -sign google.p12 | openssl base64 -e`

jwt5=`echo -n "$jwt4" | tr -d '\n' | tr -d '=' | tr '/+' '_-'`

curl -H "Content-type: application/x-www-form-urlencoded" -X POST "https://accounts.google.com/o/oauth2/token" -d \
"grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=$jwt3.$jwt5"

我成功收到了一个令牌,但是当我使用它时,我被拒绝了吗?

当我从https://developers.google.com/datastore/docs/apis/v1beta1/datasets/blindWrite#try-it复制oauth2令牌时 它有效吗?

curl -X GET "https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=$1"
curl -X GET "https://www.googleapis.com/oauth2/v2/userinfo?access_token=$1"
curl -H "Content-type: application/json" -H "Authorization:  Bearer $1" -X POST "https://www.googleapis.com/datastore/v1beta1/datasets/.../blindWrite" -d \
'{
 "mutation": {
  "upsert": [
   {
    "key": {
     "path": [
      {
       "kind": "person",
       "name": "gert"
      }
     ]
    }
   }
  ]
 }
}'

2个令牌之间的区别:

1)来自jwt(许可被拒绝)

{
 "issued_to": "522156758812-u8hj8dhnk5br3vnpqqvuscievhbnl0gg.apps.googleusercontent.com",
 "audience": "522156758812-u8hj8dhnk5br3vnpqqvuscievhbnl0gg.apps.googleusercontent.com",
 "scope": "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/datastore",
 "expires_in": 3588,
 "email": "522156758812-u8hj8dhnk5br3vnpqqvuscievhbnl0gg@developer.gserviceaccount.com",
 "verified_email": true,
 "access_type": "offline"
}
{
 "email": "522156758812-u8hj8dhnk5br3vnpqqvuscievhbnl0gg@developer.gserviceaccount.com",
 "verified_email": true
}

2)来自https://developers.google.com/datastore/docs/apis/v1beta1/datasets/blindWrite#try-it(作品)

{
 "issued_to": "292824132082.apps.googleusercontent.com",
 "audience": "292824132082.apps.googleusercontent.com",
 "user_id": "116469479527388802962",
 "scope": "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/datastore https://www.googleapis.com/auth/plus.me",
 "expires_in": 3568,
 "email": "gert.cuykens@gmail.com",
 "verified_email": true,
 "access_type": "online"
}
{
 "id": "116469479527388802962",
 "email": "gert.cuykens@gmail.com",
 "verified_email": true
}

我的jwt收到令牌有什么问题? 我如何让jwt工作?

enter image description here

enter image description here

enter image description here

enter image description here

1 个答案:

答案 0 :(得分:1)

为了使用您的Cloud Datastore实例正确配置服务帐户,您必须使用Cloud Console中所述的documentation创建服务帐户。

或者,如果您确实想要使用[Google API控制台] [3]创建的服务帐户,则可以执行以下操作:

  • 转到cloud.google.com/console
  • 点击项目ID
  • 点击API
  • 确保 Google Cloud Datastore API ON
  • 单击右上角的齿轮符号(⚙)
  • 点击团队
  • 点击添加会员
  • 将您的服务帐户添加为查看器