问题描述
我正在尝试按照here的指示来构造适当的JWT请求,以向Google抛出以获取临时的oauth令牌,因此我可以查询Google Sheets API。我意识到我可以使用一个Java库,但是我想了解这个过程。我的签名似乎有问题,因为我收到的回复是...
{
"error": "invalid_grant","error_description": "Invalid JWT Signature."
}
这就是我要以Groovy形式编写的内容...
String JWT_HEADER = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
String GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";
String jwtHeaderBase64 = Base64.getEncoder().encodetoString( JWT_HEADER.getBytes() );
Calendar calendar = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
long secondsSinceEpoch = calendar.getTimeInMillis() / 1000L;
VeLocityEngine veLocityEngine = new VeLocityEngine();
veLocityEngine.init();
Template claimsetTemplate = veLocityEngine.getTemplate("jwt-claim-set.json");
/* looks like ...
{
"iss": "<GOOGLE_SERVICE_ACCOUNT_EMAIL>","scope": "https://www.googleapis.com/auth/spreadsheets","aud": "https://oauth2.googleapis.com/token","exp": $EXPIRATION_UNIX_TIME,"iat": $CREATION_UNIX_TIME
}
*/
VeLocityContext context = new VeLocityContext();
context.put( "EXPIRATION_UNIX_TIME",Long.toString( secondsSinceEpoch + 3600 ) );
context.put( "CREATION_UNIX_TIME",Long.toString( secondsSinceEpoch) );
StringWriter writer = new StringWriter();
claimsetTemplate.merge( context,writer );
String claimsetJson = writer.toString();
println( "jwt-claim-set:\n\n" + claimsetJson );
String claimsetJsonBase64 = Base64.getEncoder().encodetoString( claimsetJson.getBytes() );
println( "base64 claim set: " + claimsetJsonBase64 );
String baseString = jwtHeaderBase64 + "." + claimsetJsonBase64;
JsonParser jsonParser = new JsonParser();
JsonElement rootJsonElement = jsonParser.parse( new FileReader( new File( "gserviceaccount-client-secret.json" ) ) );
JsonPrimitive privateKeyJsonPrimitive = rootJsonElement.getAsJsonPrimitive( "private_key" );
String privateKey = privateKeyJsonPrimitive.getAsstring();
privateKey = privateKey.replaceAll("-----END PRIVATE KEY-----","")
.replaceAll("-----BEGIN PRIVATE KEY-----","")
.replaceAll("\n","");
byte[] decodedPrivateKeyBytes = Base64.getDecoder().decode( privateKey );
PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec( decodedPrivateKeyBytes );
Signature privateSignature = Signature.getInstance( "SHA256withRSA" );
KeyFactory keyFactory = KeyFactory.getInstance( "RSA" );
privateSignature.initSign( keyFactory.generatePrivate( keySpec ) );
privateSignature.update( baseString.getBytes( "UTF-8" ) );
byte[] signatureBytes = privateSignature.sign();
String signature = new String( signatureBytes );
String signatureBase64 = Base64.getEncoder().encodetoString( signature.getBytes() );
println( "base64 signature: " + signatureBase64 );
String jwt = jwtHeaderBase64 + "." + claimsetJsonBase64 + "." + signatureBase64;
String url = "https://oauth2.googleapis.com/token";
HttpClient client = new DefaultHttpClient();
HttpPost request = new HttpPost( url );
ArrayList<NameValuePair> postParameters = new ArrayList<NameValuePair>();
postParameters.add(new BasicNameValuePair("grant_type",GRANT_TYPE));
postParameters.add(new BasicNameValuePair("assertion",jwt));
request.setEntity( new UrlEncodedFormEntity( postParameters,"UTF-8" ) );
HttpResponse response = client.execute( request );
StatusLine status = response.getStatusLine();
httpentity responseEntity = response.getEntity();
String content = "";
if (responseEntity) {
content = EntityUtils.toString(responseEntity);
}
if (status.getStatusCode() > 204 ) {
println("HTTPCODE " + status.getStatusCode() + " from " + url);
println( content );
}
JsonObject responseJsonObject = null;
if (content.length() > 0) {
JsonElement jsonElement = new JsonParser().parse(content);
// If an object,return it
if (jsonElement instanceof JsonObject) {
responseJsonObject = jsonElement.getAsJsonObject();
}
// If an array,return the first item
else if (jsonElement instanceof JsonArray) {
JsonArray array = jsonElement.getAsJsonArray()
responseJsonObject = array.get(0)
}
}
Gson gson = new GsonBuilder().setPrettyPrinting().create();
String prettyJson = gson.toJson( responseJsonObject );
println( prettyJson );
解决方法
我知道了。似乎签名的编码是错误的。我将其更改为:
byte[] signatureBytes = privateSignature.sign();
String signature = Base64.getEncoder().encodeToString(signatureBytes);
println( "signature: " + signature );
String jwt = jwtHeaderBase64 + "." + claimSetJsonBase64 + "." + signature;
现在我得到了返回的有效访问令牌