Question

jwt1=`echo -n '{"alg":"RS256","typ":"JWT"}' | openssl base64 -e`

jwt2=`echo -n '{\
"iss":"...@developer.gserviceaccount.com",\
"scope":"https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/datastore",\
"aud":"https://accounts.google.com/o/oauth2/token",\
"exp":'$(($(date +%s)+3600))',\
"iat":'$(date +%s)'}' | openssl base64 -e`

jwt3=`echo -n "$jwt1.$jwt2" | tr -d '\n' | tr -d '=' | tr '/+' '_-'`

jwt4=`echo -n "$jwt3" | openssl sha -sha256 -sign google.p12 | openssl base64 -e`

jwt5=`echo -n "$jwt4" | tr -d '\n' | tr -d '=' | tr '/+' '_-'`

curl -H "Content-type: application/x-www-form-urlencoded" -X POST "https://accounts.google.com/o/oauth2/token" -d \
"grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=$jwt3.$jwt5"

我成功收到了一个令牌，但是当我使用它时，我被拒绝了吗？

当我从https://developers.google.com/datastore/docs/apis/v1beta1/datasets/blindWrite#try-it复制oauth2令牌时它有效吗？

curl -X GET "https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=$1"
curl -X GET "https://www.googleapis.com/oauth2/v2/userinfo?access_token=$1"
curl -H "Content-type: application/json" -H "Authorization:  Bearer $1" -X POST "https://www.googleapis.com/datastore/v1beta1/datasets/.../blindWrite" -d \
'{
 "mutation": {
  "upsert": [
   {
    "key": {
     "path": [
      {
       "kind": "person",
       "name": "gert"
      }
     ]
    }
   }
  ]
 }
}'

2个令牌之间的区别：

1）来自jwt（许可被拒绝）

{
 "issued_to": "522156758812-u8hj8dhnk5br3vnpqqvuscievhbnl0gg.apps.googleusercontent.com",
 "audience": "522156758812-u8hj8dhnk5br3vnpqqvuscievhbnl0gg.apps.googleusercontent.com",
 "scope": "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/datastore",
 "expires_in": 3588,
 "email": "522156758812-u8hj8dhnk5br3vnpqqvuscievhbnl0gg@developer.gserviceaccount.com",
 "verified_email": true,
 "access_type": "offline"
}
{
 "email": "522156758812-u8hj8dhnk5br3vnpqqvuscievhbnl0gg@developer.gserviceaccount.com",
 "verified_email": true
}

2）来自https://developers.google.com/datastore/docs/apis/v1beta1/datasets/blindWrite#try-it（作品）

{
 "issued_to": "292824132082.apps.googleusercontent.com",
 "audience": "292824132082.apps.googleusercontent.com",
 "user_id": "116469479527388802962",
 "scope": "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/datastore https://www.googleapis.com/auth/plus.me",
 "expires_in": 3568,
 "email": "gert.cuykens@gmail.com",
 "verified_email": true,
 "access_type": "online"
}
{
 "id": "116469479527388802962",
 "email": "gert.cuykens@gmail.com",
 "verified_email": true
}

我的jwt收到令牌有什么问题？我如何让jwt工作？

enter image description here

Answer 1

为了使用您的Cloud Datastore实例正确配置服务帐户，您必须使用Cloud Console中所述的documentation创建服务帐户。

或者，如果您确实想要使用[Google API控制台] [3]创建的服务帐户，则可以执行以下操作：

转到cloud.google.com/console
点击项目ID
点击API
确保 Google Cloud Datastore API ON
单击右上角的齿轮符号（⚙）
点击团队
点击添加会员
将您的服务帐户添加为查看器

谷歌数据存储令牌未经授权？

1 个答案: