从开发者控制台获得服务帐户的凭据
首先,我将p12私钥转换为PEM:
openssl pkcs12 -in <private key for Service Account>.p12 -out calendar.key -nocerts -nodes
然后我跑:
use MIME::Base64;
use Crypt::OpenSSL::RSA;
use File::Slurp;
my $header = encode_base64('{"alg":"RS256","typ":"JWT"}','');
my $claim = encode_base64('{
"iss":"<mail for the Service Account>",
"scope":"https://www.googleapis.com/auth/calendar",
"aud":"https://accounts.google.com/o/oauth2/token",
"exp":'.(time()+3600).',
"iat":'.time().'
}','');
my $key = read_file('calendar.key');
my $rsa = Crypt::OpenSSL::RSA->new_private_key($key);
$rsa->use_sha256_hash;
$rsa->use_pkcs1_padding;
my $signature = encode_base64($rsa->sign($header . '.' . $claim), '');
my $token_request = $header . '.' . $claim . '.' . $signature;
print `curl -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=$token_request' https://accounts.google.com/o/oauth2/token`;
我得到了
{
"error" : "invalid_grant"
}
我将系统时间与NTP同步,没有帮助。
答案 0 :(得分:2)
我不知道为什么,但问题出在curl
。
我将其替换为WWW::Mechanize
:
my $mech = WWW::Mechanize->new( autocheck => 1 );
$mech->post('https://accounts.google.com/o/oauth2/token',
'Content-Type' => 'application/x-www-form-urlencoded',
'Content' => [
'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
'assertion' => $token_request,
],
);
它有效。
答案 1 :(得分:0)
尝试使用BASE64URL而不是BASE64。 JWT / JWS / JWE规范使用BASE64URL。
MIME::Base64 ---> MIME::Base64::URLSafe
encode_base64 ---> urlsafe_b64encode
答案 2 :(得分:0)
将curl命令更改为:
curl -H "Content-Type: application/x-www-form-urlencoded" \
-d grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer \
-d assertion=$token_request \
https://accounts.google.com/oauth2/token
答案 3 :(得分:0)
以防万一有人来这里寻找一种方法来从当前提供的JSON文件中的Google服务帐户凭据中获取承载令牌;这是我无法使用Crypt :: JWT或Mojo :: JWT :: Google之后对我有用的代码段。
use LWP::UserAgent;
use JSON;
use Mojo::JWT;
use Mojo::File;
my $jwt = create_jwt_from_path_and_scopes( 'path/to/credentials.json', 'email https://www.googleapis.com/auth/compute' );
my $ua = LWP::UserAgent->new();
my $response = $ua->post('https://www.googleapis.com/oauth2/v4/token',
{ 'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
'assertion' => $jwt
}
);
#######################################################################
sub create_jwt_from_path_and_scopes
{
my ( $path, $scope ) = @_;
croak("No path provided") if not defined $path;
croak("$path no available") if not -f $path;
my $json = decode_json( Mojo::File->new($path)->slurp );
croak("No Private key in $path") if not defined $json->{private_key};
croak("Not a service account") if $json->{type} ne 'service_account';
my $jwt = Mojo::JWT->new();
$jwt->algorithm('RS256');
$jwt->secret($json->{private_key});
$jwt->claims( {
iss => $json->{client_email},
scope => $scope,
aud => 'https://www.googleapis.com/oauth2/v4/token',
iat => time(),
exp => time()+3600
} );
$jwt->set_iat( 1 );
return $jwt->encode;
}
#######################################################################