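I've noticed that service accounts on GCE instances now have longer tokens than before, and I suspect that this is stopping AppEngine apps from being able to use them, resulting in an InvalidOAuthParametersError.
I get a token from a Compute Engine instance as follows: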
# curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"
{"access_token":".......","expires_in":2544,"token_type":"Bearer"}
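If I take the resulting 153-character token and POST it to an AppEngine Python app in an "Authorization: Bearer ..." header, it causes the app to fail. The app works fine with the shorter (73-character) tokens generated for user accounts.
The OAuth bit of the app that throws the exception is: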
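from google.appengine.api import oauth  # App Engine OAuth API
SCOPE = 'https://www.googleapis.com/auth/userinfo.email'
# Resolve the caller from the Bearer token on the request; this is the call that raises.
email = oauth.get_current_user(SCOPE).email().lower()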
The error from AppEngine is:
Traceback (most recent call last):
  File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.3/webapp2.py", line 1511, in __call__
    rv = self.handle_exception(request, response, e)
  File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.3/webapp2.py", line 1505, in __call__
    rv = self.router.dispatch(request, response)
  File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.3/webapp2.py", line 1253, in default_dispatcher
    return route.handler_adapter(request, response)
  File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.3/webapp2.py", line 1077, in __call__
    return handler.dispatch()
  File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.3/webapp2.py", line 547, in dispatch
    return self.handle_exception(e, self.app.debug)
  File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.3/webapp2.py", line 545, in dispatch
    return method(*args, **kwargs)
  File "/...../v4.398557956806027726/oauth.py", line 13, in post
    user_name = self._get_authd_user()
  File "/...../v4.398557956806027726/oauth.py", line 36, in _get_authd_user
    email = oauth.get_current_user(SCOPE).email().lower()
  File "/base/data/home/runtimes/python27/python27_lib/versions/1/google/appengine/api/oauth/oauth_api.py", line 109, in get_current_user
    _maybe_call_get_oauth_user(_scope)
  File "/base/data/home/runtimes/python27/python27_lib/versions/1/google/appengine/api/oauth/oauth_api.py", line 220, in _maybe_call_get_oauth_user
    _maybe_raise_exception()
  File "/base/data/home/runtimes/python27/python27_lib/versions/1/google/appengine/api/oauth/oauth_api.py", line 237, in _maybe_raise_exception
    raise InvalidOAuthParametersError(error_detail)
InvalidOAuthParametersError
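If I truncate the token to 73 characters, I see an InvalidOauthToken error (as you would expect). If I use the full token at https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=... it returns the correct information for the service account, including the correct scope (userinfo.email).
I'm also 99% sure that the tokens were shorter last week, and that they worked fine in this scenario.
My question is: why does AppEngine think these service account tokens are invalid? The error seems to indicate that it's the length that's causing the problem, or perhaps I'm missing something.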
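
An added example, not part of the original post and not App Engine's own code: a Python 3 sketch of the server-side checks one would apply to the decoded JSON that the tokeninfo endpoint mentioned above returns, treating the bearer token as opaque with no length assumption. The names `bearer_token`, `check_tokeninfo`, `TokenRejected` and `SAMPLE_INFO` are hypothetical, the response fields used (`azp`, `scope`, `exp`, `email`, `email_verified`) are assumed to arrive as strings, and the sample values are constructed.

```python
import time

REQUIRED_SCOPE = "https://www.googleapis.com/auth/userinfo.email"

# Constructed sample of a decoded tokeninfo response; every value is a placeholder.
SAMPLE_INFO = {
    "azp": "100000000000000000001",
    "scope": REQUIRED_SCOPE + " https://www.googleapis.com/auth/devstorage.read_only",
    "exp": "2000000000",
    "email": "Example-SA@developer.gserviceaccount.com",
    "email_verified": "true",
}


class TokenRejected(Exception):
    """Carries a specific reason so the server can log why a token failed."""


def bearer_token(authorization_header):
    """Return the token from a 'Bearer <token>' header value.

    The token is opaque: no length or alphabet is assumed.
    """
    parts = (authorization_header or "").split()
    if len(parts) != 2 or parts[0].lower() != "bearer":
        raise TokenRejected("malformed Authorization header")
    return parts[1]


def check_tokeninfo(info, allowed_azp, now=None):
    """Validate a decoded tokeninfo response; return the lower-cased email."""
    now = time.time() if now is None else now
    if "error" in info or "error_description" in info:
        raise TokenRejected("tokeninfo reported an invalid token")
    if int(info.get("exp", 0)) <= now:
        raise TokenRejected("token expired")
    if REQUIRED_SCOPE not in info.get("scope", "").split():
        raise TokenRejected("missing scope " + REQUIRED_SCOPE)
    if info.get("azp") not in allowed_azp:  # reject tokens minted for other clients
        raise TokenRejected("token issued to an unexpected client")
    if str(info.get("email_verified", "")).lower() != "true" or not info.get("email"):
        raise TokenRejected("no verified email in token")
    return info["email"].lower()
```

Raising a distinct reason per check keeps a malformed header, an expired token and a missing scope distinguishable in server logs.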