After failing to authenticate for Google Server to Server Applications using Python Oauthlib, I am now trying to generate the JWT directly with pyjwt and then test it with curl as stated in the Google documentation, but it does not work either, since I now receive: Invalid JWT: Token must be a short-lived token and in a reasonable timeframe.

The code in Python 3 after installing pyjwt:

    >>> from datetime import datetime, timedelta
    >>> import json
    >>> import jwt
    >>> json_file = json.load(open("google-project-credentials.json"))
    >>> dt_now = datetime.utcnow()
    >>> payload = {
    ...     'iss': json_file['client_email'],
    ...     'scope': 'https://www.googleapis.com/auth/tasks',
    ...     'aud': 'https://www.googleapis.com/oauth2/v4/token',
    ...     'exp': int((dt_now + timedelta(hours=1)).timestamp()),
    ...     'iat': int(dt_now.timestamp())
    ... }
    >>> jwt.encode(payload, json_file['private_key'], algorithm='RS256')
    b'PYJWT_RESULT_HERE'

Then, as stated in the Google documentation, I run curl in bash and paste the previous result:

    $ curl -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=PYJWT_RESULT_HERE' https://www.googleapis.com/oauth2/v4/token

Then I receive the following error:

    {
      "error": "invalid_grant",
      "error_description": "Invalid JWT: Token must be a short-lived token and in a reasonable timeframe"
    }

What am I doing wrong?

Thanks!
Best answer
Actually, as stated in the error message, the problem was in the epoch that was incorrectly generated (I don't completely understand why yet):

    >>> from datetime import datetime
    >>> from calendar import timegm
    >>> import json
    >>> import jwt
    >>> json_file = json.load(open("google-project-credentials.json"))
    >>> payload = {
    ...     'iss': json_file['client_email'],
    ...     'scope': 'https://www.googleapis.com/auth/tasks',
    ...     'aud': 'https://www.googleapis.com/oauth2/v4/token',
    ...     'exp': timegm(datetime.utcnow().utctimetuple()) + 600,
    ...     'iat': timegm(datetime.utcnow().utctimetuple())
    ... }
    >>> jwt.encode(payload, json_file['private_key'], algorithm='RS256')
    b'PYJWT_RESULT_HERE'

Then in a Bash console:

    $ curl -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=PYJWT_RESULT_HERE' https://www.googleapis.com/oauth2/v4/token
    {
      "access_token": "GOOGLE_ACCESS_TOKEN_YEAH",
      "token_type": "Bearer",
      "expires_in": 3600
    }

I was actually surprised not to receive more help on that matter since I thought Google would be involved ;-( On open-source projects, the support is actually better!
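
Added example (not part of the original question or answer, and not Google's or PyJWT's code) showing why the two snippets produce different epochs: `datetime.utcnow()` returns a naive datetime, and `.timestamp()` interprets a naive datetime as local time, so `iat` and `exp` are shifted by the host's UTC offset, whereas `timegm()` reads the time tuple as UTC. The function names, the sample date and the POSIX TZ strings are constructed for illustration, and `time.tzset()` is available on POSIX systems only.

```python
import os
import time
from calendar import timegm
from datetime import datetime, timezone

# Constructed sample: a naive datetime holding a UTC wall-clock value,
# which is the kind of object datetime.utcnow() returns.
SAMPLE_UTC_NAIVE = datetime(2018, 1, 15, 12, 0, 0)


def epoch_question(dt):
    """Question's method: timestamp() reads a naive datetime as LOCAL time."""
    return int(dt.timestamp())


def epoch_answer(dt):
    """Answer's method: timegm() reads the time tuple as UTC."""
    return timegm(dt.utctimetuple())


def skew_seconds(posix_tz, dt=SAMPLE_UTC_NAIVE):
    """Error of the question's epoch when the host runs in posix_tz."""
    saved = os.environ.get("TZ")
    os.environ["TZ"] = posix_tz
    time.tzset()
    try:
        return epoch_question(dt) - epoch_answer(dt)
    finally:
        # Restore the process timezone so the demo has no side effects.
        if saved is None:
            del os.environ["TZ"]
        else:
            os.environ["TZ"] = saved
        time.tzset()


def token_times(lifetime=600, now=None):
    """iat/exp from an aware UTC datetime; the host timezone cannot shift them."""
    now = now or datetime.now(timezone.utc)
    iat = int(now.timestamp())
    return {"iat": iat, "exp": iat + lifetime}


if __name__ == "__main__":
    for tz in ("UTC0", "CET-1", "EST5"):  # POSIX TZ strings: UTC, UTC+1, UTC-5
        print(tz, skew_seconds(tz))
    print(token_times())
```

On a host at UTC+1 the question's `iat` lands one hour in the past, so its `exp` of `iat` plus one hour is already at the current time when the token is submitted; on a host west of UTC both claims land in the future.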