# Header and claim set, each base64-encoded; the tr pipelines below turn that into unpadded base64url
jwt1=$(echo -n '{"alg":"RS256","typ":"JWT"}' | openssl base64 -e)
now=$(date +%s)
jwt2=$(printf '{"iss":"%s","scope":"%s","aud":"%s","exp":%d,"iat":%d}' \
  "...@developer.gserviceaccount.com" \
  "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/datastore" \
  "https://accounts.google.com/o/oauth2/token" \
  "$((now+3600))" "$now" | openssl base64 -e)
jwt3=$(echo -n "$jwt1.$jwt2" | tr -d '\n' | tr -d '=' | tr '/+' '_-')
# RS256 signature over header.claims. openssl dgst -sign expects a PEM private key, so google.pem is the key
# extracted from the downloaded .p12 first: openssl pkcs12 -in google.p12 -nodes -nocerts -out google.pem
jwt4=$(echo -n "$jwt3" | openssl dgst -sha256 -sign google.pem | openssl base64 -e)
jwt5=$(echo -n "$jwt4" | tr -d '\n' | tr -d '=' | tr '/+' '_-')
curl -H "Content-type: application/x-www-form-urlencoded" -X POST "https://accounts.google.com/o/oauth2/token" -d \
"grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=$jwt3.$jwt5"
I receive a token successfully, but when I use it I get permission denied.
When I copy the OAuth2 token from https://developers.google.com/datastore/docs/apis/v1beta1/datasets/blindWrite#try-it it works.
# $1 is the access token under test
curl -X GET "https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=$1"
curl -X GET "https://www.googleapis.com/oauth2/v2/userinfo?access_token=$1"
curl -H "Content-type: application/json" -H "Authorization: Bearer $1" -X POST "https://www.googleapis.com/datastore/v1beta1/datasets/.../blindWrite" -d \
'{
  "mutation": {
    "upsert": [
      {
        "key": {
          "path": [
            {
              "kind": "person",
              "name": "gert"
            }
          ]
        }
      }
    ]
  }
}'
Difference between the 2 tokens:
1) from JWT (permission denied)
{
"issued_to": "522156758812-u8hj8dhnk5br3vnpqqvuscievhbnl0gg.apps.googleusercontent.com",
"audience": "522156758812-u8hj8dhnk5br3vnpqqvuscievhbnl0gg.apps.googleusercontent.com",
"scope": "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/datastore",
"expires_in": 3588,
"email": "522156758812-u8hj8dhnk5br3vnpqqvuscievhbnl0gg@developer.gserviceaccount.com",
"verified_email": true,
"access_type": "offline"
}
{
"email": "522156758812-u8hj8dhnk5br3vnpqqvuscievhbnl0gg@developer.gserviceaccount.com",
"verified_email": true
}
2) from https://developers.google.com/datastore/docs/apis/v1beta1/datasets/blindWrite#try-it (works)
{
"issued_to": "292824132082.apps.googleusercontent.com",
"audience": "292824132082.apps.googleusercontent.com",
"user_id": "116469479527388802962",
"scope": "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/datastore https://www.googleapis.com/auth/plus.me",
"expires_in": 3568,
"email": "gert.cuykens@gmail.com",
"verified_email": true,
"access_type": "online"
}
{
"id": "116469479527388802962",
"email": "gert.cuykens@gmail.com",
"verified_email": true
}
What is wrong with the token I received via JWT? How do I make JWT work as well?
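
The assertion the shell above assembles by hand, as an added example that is not part of the question or answer: it builds the same header.claims.signature in Go with only the standard library, and then applies the checks the token endpoint makes before issuing a token (RS256 signature, aud equal to the token endpoint, exp at most one hour after iat). The key is generated for the test rather than loaded from google.p12, and the iss value is a placeholder.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// digest hashes the signing input the way `openssl dgst -sha256` does before signing.
func digest(s string) []byte { h := sha256.Sum256([]byte(s)); return h[:] }
// BuildAssertion signs header.claims with RS256 (PKCS#1 v1.5 over SHA-256), as `openssl dgst -sha256 -sign` does; claims carries iss, scope, aud, exp, iat.
func BuildAssertion(key *rsa.PrivateKey, claims map[string]any) (string, error) {
	enc := base64.RawURLEncoding // unpadded base64url, what the shell's `tr -d '=' | tr '/+' '_-'` produces
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(input))
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyAssertion checks the signature, then the claim rules the token endpoint applies: aud and a lifetime of at most one hour.
func VerifyAssertion(pub *rsa.PublicKey, tok string) (claims map[string]any, err error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, errors.New("assertion must have exactly three segments")
	}
	sig, _ := base64.RawURLEncoding.DecodeString(p[2]) // a malformed signature simply fails verification below
	if err = rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(p[0]+"."+p[1]), sig); err != nil {
		return nil, err
	}
	body, err := base64.RawURLEncoding.DecodeString(p[1])
	if err != nil {
		return nil, err
	}
	if err = json.Unmarshal(body, &claims); err != nil {
		return nil, err
	}
	exp, _ := claims["exp"].(float64) // JSON numbers decode as float64
	iat, _ := claims["iat"].(float64)
	if claims["aud"] != "https://accounts.google.com/o/oauth2/token" || exp <= iat || exp-iat > 3600 {
		return nil, errors.New("aud must be the token endpoint and exp at most one hour after iat")
	}
	return claims, nil
}
```

A rejected assertion at this stage explains a 400 from the token endpoint; an assertion that passes but whose token is then refused by Datastore points at project membership, which is what the answer below addresses.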
In order for a service account to be properly configured with your Cloud Datastore instance, you have to create it using the Cloud Console, as described in the documentation.
Alternatively, if you really want to use the service account you created using the Google APIs console, you can do the following:
- Go to cloud.google.com/console
- Click on your project id
- Click on APIs
- Make sure Google Cloud Datastore API is ON
- Click on the gear symbol (⚙) on the top right
- Click on Teams
- Click Add member
- Add your service account as a Viewer
Source: https://stackoverflow.com/questions/17094641/google-datastore-token-not-authorized