JWT "invalid_grant" in Google Signature OAuth2

I am writing code to try to get an OAuth2 token from Google. This is for a service account, so the instructions are here:

https://developers.google.com/identity/protocols/OAuth2ServiceAccount

I keep getting this error when I submit the JWT to Google:

{"error": "invalid_grant", "error_description": "Invalid JWT signature." }

Here is the code:

```
try {
    var nowInSeconds : Number = (Date.now() / 1000);
    nowInSeconds = Math.round(nowInSeconds);
    var fiftyNineMinutesFromNowInSeconds : Number = nowInSeconds + (59 * 60);

    var claimSet : Object = {};
    claimSet.iss = "{{RemovedForPrivacy}}";
    claimSet.scope = "https://www.googleapis.com/auth/plus.business.manage";
    claimSet.aud = "https://www.googleapis.com/oauth2/v4/token";
    claimSet.iat = nowInSeconds;
    claimSet.exp = fiftyNineMinutesFromNowInSeconds;

    var header : Object = {};
    header.alg = "RS256";
    header.typ = "JWT";

    /* Stringify These */
    var claimSetString = JSON.stringify(claimSet);
    var headerString = JSON.stringify(header);

    /* Base64 Encode These */
    var claimSetBaseSixtyFour = StringUtils.encodeBase64(claimSetString);
    var headerBaseSixtyFour = StringUtils.encodeBase64(headerString);

    var privateKey = "{{RemovedForPrivacy}}";

    /* Create the signature */
    var signature : Signature = Signature();
    signature = signature.sign(headerBaseSixtyFour + "." + claimSetBaseSixtyFour, privateKey, "SHA256withRSA");

    /* Concatenate the whole JWT */
    var JWT = headerBaseSixtyFour + "." + claimSetBaseSixtyFour + "." + signature;

    /* Set Grant Type */
    var grantType = "urn:ietf:params:oauth:grant-type:jwt-bearer";

    /* Create and encode the body of the token post request */
    var assertions : String = "grant_type=" + dw.crypto.Encoding.toURI(grantType)
        + "&assertion=" + dw.crypto.Encoding.toURI(JWT);

    /* Connect to Google And Ask for Token */
    /* TODO Upload Certs? */
    var httpClient : HTTPClient = new HTTPClient();
    httpClient.setRequestHeader("content-type", "application/x-www-form-urlencoded; charset=utf-8");
    httpClient.timeout = 30000;
    httpClient.open('POST', "https://www.googleapis.com/oauth2/v4/token");
    httpClient.send(assertions);

    if (httpClient.statusCode == 200) {
        // nothing
    } else {
        pdict.errorMessage = httpClient.errorText;
    }
} catch (e) {
    Logger.error("The error with the OAuth Token Generator is --> " + e);
}
```

Does anyone know why the JWT is not working?

Thank you very much! Brad

+7
3 answers

The problem may be due to the fact that your StringUtils.encodeBase64() method most likely performs standard base64 encoding.

According to the JWT specification, however, it is not standard base64 that should be used, but URL- and filename-safe Base64 (base64url) with the trailing = padding characters omitted.

If you don't have a method suitable for base64url encoding, you can try

  • replacing all + with - ;
  • replacing all / with _ ;
  • delete all =

on the base64-encoded strings.

Also, is your signature base64-encoded too? It should follow the same rules as described above.

+4

I had the same problem before, and here's what was wrong:

  • Incorrect application name (project ID)
  • Invalid service account identifier (email)

+2

Another reason for this error may be that your service account is not activated. When installing gsutil from the Cloud SDK, you must authenticate with the credentials of the service account.

1- Use an existing service account or create a new one and download the corresponding private key.

2- Use gcloud auth activate-service-account to authenticate with the service account:

 gcloud auth activate-service-account --key-file [KEY_FILE] 

Where [KEY_FILE] is the name of the file that contains the credentials of your service account.

Link for more information: Activate service account

0