Service Account in perl

[hatobus]

I'm now trying to building Web appliction by OAuth2. The application
is server to server.

https://developers.google.com/accounts/docs/OAuth2ServiceAccount

But supported client libraries is java, python and php.

And I found ruby sample code in the below
url.

https://gist.github.com/2713830

But I coun'nt find perl example source.

And now trying to change ruby code to perl.
But I coun'nt find private key loading method
in perl like ruby.

If you now Please help me.

[hatobus]

I downloaded private key that format is pkcs12.

and I used openssl command below to change the format.

openssl pkcs12 -in privatekey.p12 -out test.pem

I viewd test.pem file, and that contains 

-----BEGIN ENCRYPTED PRIVATE KEY-----

That does not contain RSA key word.

 I think that format is PKCS7not PEM format??

I think "Crypt::OpenSSL::RSA" module does not process

test.pem file's format.

I have to learn how to convert key files from PKES12 to PEM format.

If you know please imform me!!

[hatobus]

I converted my downloaded pkcs12 key with -nodes option (password remove).

openssl pkcs12 -in privatekey.p12 -nodes -out test.pem

And try again.

But "invalid_grant" error occured.

Please help me..

----------------------------------source code -----------------------------------

get '/auth/:dest' => sub{

my $self = shift;

my $dest = $self->param('dest');

my $header = qq<{"alg":"RS256","typ":"JWT"}>;

    my $iat = time();

    

    my $exp = $iat + 3600;

my $claim = '{

"iss":"hogehoge\@developer.gserviceaccount.com",

"scope":"https://www.googleapis.com/auth/fusiontables",

"aud":"https://accounts.google.com/o/oauth2/token",

"exp":$exp,

"iat":$iat

}';

my $assertion = join(".", urlsafe_b64encode($header), urlsafe_b64encode($claim));

my $key_text = read_file( "/home/private/test.pem" );

print "assertion=$assertion";

my $rsa_key = Crypt::OpenSSL::RSA->new_private_key($key_text) || die "$!";

$rsa_key->use_pkcs1_padding();

my $signature = $rsa_key->sign(sha256_base64($assertion));

my $signed_signature = urlsafe_b64encode($signature);

my $signed_assertion = join(".", $assertion, $signed_signature);

print $signed_assertion;

    my $ua     = LWP::UserAgent->new;

my %args =(

Content_Type => 'application/x-www-form-urlencoded',

Content => {

'grant_type' => 'assertion',

'assertion_type' => 'http://oauth.net/grant_type/jwt/1.0/bearer',

    'assertion'  => $signed_assertion,

}

);

    my $r = $ua->post( 'https://accounts.google.com/o/oauth2/token', %args);

    

    my $result = JSON->new->utf8(0)->decode($r->content);

print $r->content;

2012年7月11日水曜日 0時58分36秒 UTC+9 hatobus:

[hatobus]

I changed source code below.

1. $claim value's setting

2. assertion_type value "http://oauth.net/grant_type/jwt/1.0/bearer"

And error code is changed from "invalid_grant" to "invalid_request".

If you know Please help me..

--------------------------------------perl source code -----------------------------

get '/auth/:dest' => sub{

my $self = shift;

my $dest = $self->param('dest');

my $header = qq<{"alg":"RS256","typ":"JWT"}>;

    my $iat = time();

    

    my $exp = $iat + 3600;

my $claim = qq<{

"iss":"hogehoge\@developer.gserviceaccount.com",

"scope":"https://www.googleapis.com/auth/fusiontables",

"aud":"https://accounts.google.com/o/oauth2/token",

"exp":$exp,

"iat":$iat

}>;

my $assertion = join(".", urlsafe_b64encode($header), urlsafe_b64encode($claim));

my $key_text = read_file( "/home/private/test.pem" );

print "claim=$claim\n";

my $rsa_key = Crypt::OpenSSL::RSA->new_private_key($key_text) || die "$!";

$rsa_key->use_pkcs1_padding();

my $signature = $rsa_key->sign(sha256_base64($assertion));

my $signed_signature = urlsafe_b64encode($signature);

my $signed_assertion = join(".", $assertion, $signed_signature);

print $signed_assertion;

    my $ua     = LWP::UserAgent->new;

my %args =(

Content_Type => 'application/x-www-form-urlencoded',

Content => {

'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',

'assertion_type' => 'http://oauth.net/grant_type/jwt/1.0/bearer',

    'assertion'  => $signed_assertion,

}

);

    my $r = $ua->post( 'https://accounts.google.com/o/oauth2/token', %args);

    

    my $result = JSON->new->utf8(0)->decode($r->content);

print $r->content;

2012年7月12日木曜日 5時13分45秒 UTC+9 hatobus:

[hatobus]

I think assertion_type parameter is not nessesary,only grant_type is
MUST.

Google document (https://developers.google.com/accounts/docs/
OAuth2ServiceAccount)
In the "Making the Access Token Request"
grant_type and assertion_type is required.

But below specification document "accertion_type" is not exist...

http://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-04#section-3.2

I'll try again later.

> >>> If you now Please help me.- Hide quoted text -
>
> - Show quoted text -

[Richard Gillette]

I am trying to do this same thing in PERL and I am also getting the invalid Grant error. One thing that I have seen work is people setting the times on their computers because the timestamp that they put in the JWT conflicts with googles. I dont know how to get this working but you could try that. If you get anything working please update so I can try too!

[Breno de Medeiros]

As a side note, please see the blog post in this forum about the preference for sending new questions to google-oauth tag on Stack Overflow (http://stackoverflow.com/search-new?q=%23google-oauth). 

--