如何解决使用Java从Google请求OAUTH的无效JWT签名
我正在尝试按照here的指示来构造适当的JWT请求,以向Google抛出以获取临时的oauth令牌,因此我可以查询Google Sheets API。我意识到我可以使用一个Java库,但是我想了解这个过程。我的签名似乎有问题,因为我收到的回复是...
{
"error": "invalid_grant","error_description": "Invalid JWT Signature."
}
这就是我要以Groovy形式编写的内容...
String JWT_HEADER = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
String GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";
String jwtHeaderBase64 = Base64.getEncoder().encodeToString( JWT_HEADER.getBytes() );
Calendar calendar = Calendar.getInstance(TimeZone.getTimeZone("UTC"));
long secondsSinceEpoch = calendar.getTimeInMillis() / 1000L;
VelocityEngine velocityEngine = new VelocityEngine();
velocityEngine.init();
Template claimSetTemplate = velocityEngine.getTemplate("jwt-claim-set.json");
/* looks like ...
{
"iss": "<GOOGLE_SERVICE_ACCOUNT_EMAIL>","scope": "https://www.googleapis.com/auth/spreadsheets","aud": "https://oauth2.googleapis.com/token","exp": $EXPIRATION_UNIX_TIME,"iat": $CREATION_UNIX_TIME
}
*/
VelocityContext context = new VelocityContext();
context.put( "EXPIRATION_UNIX_TIME",Long.toString( secondsSinceEpoch + 3600 ) );
context.put( "CREATION_UNIX_TIME",Long.toString( secondsSinceEpoch) );
StringWriter writer = new StringWriter();
claimSetTemplate.merge( context,writer );
String claimSetJson = writer.toString();
println( "jwt-claim-set:\n\n" + claimSetJson );
String claimSetJsonBase64 = Base64.getEncoder().encodeToString( claimSetJson.getBytes() );
println( "base64 claim set: " + claimSetJsonBase64 );
String baseString = jwtHeaderBase64 + "." + claimSetJsonBase64;
JsonParser jsonParser = new JsonParser();
JsonElement rootJsonElement = jsonParser.parse( new FileReader( new File( "gserviceaccount-client-secret.json" ) ) );
JsonPrimitive privateKeyJsonPrimitive = rootJsonElement.getAsJsonPrimitive( "private_key" );
String privateKey = privateKeyJsonPrimitive.getAsString();
privateKey = privateKey.replaceAll("-----END PRIVATE KEY-----","")
.replaceAll("-----BEGIN PRIVATE KEY-----","")
.replaceAll("\n","");
byte[] decodedPrivateKeyBytes = Base64.getDecoder().decode( privateKey );
PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec( decodedPrivateKeyBytes );
Signature privateSignature = Signature.getInstance( "SHA256withRSA" );
KeyFactory keyFactory = KeyFactory.getInstance( "RSA" );
privateSignature.initSign( keyFactory.generatePrivate( keySpec ) );
privateSignature.update( baseString.getBytes( "UTF-8" ) );
byte[] signatureBytes = privateSignature.sign();
String signature = new String( signatureBytes );
String signatureBase64 = Base64.getEncoder().encodeToString( signature.getBytes() );
println( "base64 signature: " + signatureBase64 );
String jwt = jwtHeaderBase64 + "." + claimSetJsonBase64 + "." + signatureBase64;
String url = "https://oauth2.googleapis.com/token";
HttpClient client = new DefaultHttpClient();
HttpPost request = new HttpPost( url );
ArrayList<NameValuePair> postParameters = new ArrayList<NameValuePair>();
postParameters.add(new BasicNameValuePair("grant_type",GRANT_TYPE));
postParameters.add(new BasicNameValuePair("assertion",jwt));
request.setEntity( new UrlEncodedFormEntity( postParameters,"UTF-8" ) );
HttpResponse response = client.execute( request );
StatusLine status = response.getStatusLine();
HttpEntity responseEntity = response.getEntity();
String content = "";
if (responseEntity) {
content = EntityUtils.toString(responseEntity);
}
if (status.getStatusCode() > 204 ) {
println("HTTPCODE " + status.getStatusCode() + " from " + url);
println( content );
}
JsonObject responseJsonObject = null;
if (content.length() > 0) {
JsonElement jsonElement = new JsonParser().parse(content);
// If an object,return it
if (jsonElement instanceof JsonObject) {
responseJsonObject = jsonElement.getAsJsonObject();
}
// If an array,return the first item
else if (jsonElement instanceof JsonArray) {
JsonArray array = jsonElement.getAsJsonArray()
responseJsonObject = array.get(0)
}
}
Gson gson = new GsonBuilder().setPrettyPrinting().create();
String prettyJson = gson.toJson( responseJsonObject );
println( prettyJson );
解决方法
我知道了。似乎签名的编码是错误的。我将其更改为:
byte[] signatureBytes = privateSignature.sign();
String signature = Base64.getEncoder().encodeToString(signatureBytes);
println( "signature: " + signature );
String jwt = jwtHeaderBase64 + "." + claimSetJsonBase64 + "." + signature;
现在我得到了返回的有效访问令牌
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。