1

This walk through/demonstration and instruction for requesting a token does not work. When I execute my code exactly as you have it and run it, I receive a 400 error every time, and this json response:

{
    error: "invalid_grant"
}

https://developers.google.com/accounts/docs/OAuth2ServiceAccount#makingrequest

I have been trying now to get this to work for almost a week, and am not getting any useful help here, and I see lot of similar questions here unanswered.

Thanks, any help would be amazing!

Karl..

Here is the code I am using (which I've wrapped up a bit and I may need to reveal internal code). Note: I left in the strange \/ slashes ins the scope and aud props of the claim as I am trying another guys fix from Stack http://goo.gl/bt9lPj (that doesn't seem to be working either and I'm getting the exact same error)

var claimbuilder = new Stub.Jwt.ClaimsBuilder();
claimbuilder.Add("iss", "...@developer.gserviceaccount.com");
claimbuilder.Add("scope", "https:\\/\\/picasaweb.google.com\\/data\\/");
claimbuilder.Add("aud", "https:\\/\\/accounts.google.com\\/o\\/oauth2\\/token");
claimbuilder.Add("exp", (Stub.Jwt.Utility.UnixTime + (60 * 5)).ToString());
claimbuilder.Add("iat", Stub.Jwt.Utility.UnixTime.ToString());

string head = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";

var jwt = String.Format("{0}.{1}", head, claimbuilder.ClaimSet);
Console.WriteLine(jwt);

var certificate = new X509Certificate2(@"....-privatekey.p12", "notasecret", X509KeyStorageFlags.Exportable);

var token = new Stub.Jwt.JsonWebToken();
var jwtresult = token.Generate(head, claimbuilder.ClaimSet, certificate);

Console.WriteLine("jwt: {0}", jwtresult);

OAuth.Response resp = new OAuth.Response();
OAuth.Request auth = new OAuth.Request("https://accounts.google.com/o/oauth2/token");
        auth.AddPostVar("grant_type", HttpUtility.UrlEncode("urn:ietf:params:oauth:grant-type:jwt-bearer")); // "authorization_code");
auth.AddPostVar("assertion", jwt);
auth.Go(resp);

Console.WriteLine(resp.OAuthTokenValue);
kstubs
  • 808
  • 4
  • 18
  • Google states here: https://groups.google.com/forum/#!forum/oauth2-dev that they support and will be monitoring Stack. Is this not the case then? From that page "We support the Google OAuth2 on Stack Overflow. Google engineers monitor and answer against the tag google-oauth. You should use this tag when asking questions." – kstubs May 05 '14 at 06:28
  • maybe they do. Fact remains we're not google support, and you're addressing your question as if we were. – jwenting May 05 '14 at 06:31
  • Yah, ok. I'll make an edit. – kstubs May 05 '14 at 06:33
  • Could you post a bit of the code you are using. What language are you doing this in. @jwenting Google-Oauth questions are valid here hence the tag and 1.2k questions asked here regarding using Google-Oauth. – Linda Lawton - DaImTo May 05 '14 at 06:41
  • @DaImTo not saying it's off topic here, but the way it was worded made it a support request to google, not an SO question. – jwenting May 05 '14 at 06:42
  • BTW The question is a bit confusing you are asking for help with Oauth2 but you are using the tutorial for a ServiceAccount. what are you trying to do exactly? – Linda Lawton - DaImTo May 05 '14 at 06:44
  • Yes, I am trying to obtain a Token so that I can call Google Api directly. So maybe the subject matter is 2 part: 1) OAUTH2 implementation and testing and verifying the signed payload 2) Proper use of the Service Account Api. (I've made an edit and showing code now) – kstubs May 05 '14 at 06:50
  • In this tutorial, there is no mention of headers to include in the post when requesting a token. So just verifying, that no special headers are needed for the token request. That is a rhetorical. – kstubs May 05 '14 at 15:54
  • Have I not supplied sufficient details to support the question and is there anyone from Google looking into this perhaps? – kstubs May 06 '14 at 16:14
  • I've carried on with another question here where I demonstrate three signing tests. I'm starting to believe that maybe the issue is with the certificate I'm receiving from Google. Please see this Stack thread: http://stackoverflow.com/questions/23501320/signing-data-with-google-service-account-private-key-fails – kstubs May 06 '14 at 18:14

1 Answers1

1

The code is only valid for a few minutes and after expired you will receive invalid_grant as response.

Could you paste here the JSON payload your code constructs? That'd make spotting issues easier.

breno
  • 3,226
  • 1
  • 22
  • 13