[goauth2] JWT example not working?


Alexander Surma

Jun 13, 2013, 1:11:37 AM
to golan...@googlegroups.com
Hey nuts,

I'm trying to access Google Cloud Storage via “Service Accounts” and – among other libs –  I'm using `code.google.com/p/goauth2/oauth/jwt` to obtain the access token.
However, the `t.Assert()` call always yields something like:

    2013/06/12 19:28:57 assertion error:invalid response: 400 Bad Request

I dug a little bit into the code and also dumped the response body, which turns out to be

    {
      "error" : "invalid_grant"
    }

According to a Google search, this can be the result of a lot of things, most commonly clock-skew, which I don't think I have (I am synched to an NTP server).
Then I tried the example code (https://code.google.com/p/goauth2/source/browse/oauth/jwt/example/main.go) which yields exactly the same error.

Does anybody have an idea what to do? Would anybody be willing to try the example code themselves so I know whether the code is just out-of-date or this is an environmental issue (you need to create a service account in the API console)?

Cheers,
Surma


itsle...@gmail.com

Aug 22, 2014, 7:42:24 PM
to golan...@googlegroups.com
+1  same issue here


ha...@klarsys.com

Aug 30, 2014, 2:29:41 PM
to golan...@googlegroups.com, itsle...@gmail.com
Bump.  Exact same issue. Anyone figure it out yet?

On Saturday, August 23, 2014 5:12:24 AM UTC+5:30, itsle...@gmail.com wrote:
+1  same issue here


Rick Tait

Sep 5, 2014, 7:37:37 PM
to golan...@googlegroups.com, itsle...@gmail.com, ha...@klarsys.com
since JWT authenticated transport was added to the oauth package back in February, using JWT with service accounts is a whole lot easier. you no longer have to manually Assert(). here's a code snippet from an app that i use to pull data down using a service account from the Analytics Core Reporting API:

    // read in the site-specific PEM key file
    key, err := ioutil.ReadFile("/tmp/serviceaccountkey.pem")
    if err != nil {
      // do something
    }
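    // create a new JWT token to authorize server-to-server Google API calls, using the service account emailaddr, analytics scope and PEM key
    // (scope constant assumed: use the analytics scope your app needs)
    jsonwebtoken := jwt.NewToken("01234567...@developer.gserviceaccount.com", analytics.AnalyticsReadonlyScope, key)
    // create an authenticated HTTP transport (expired tokens get refreshed automatically)
    transport, err := jwt.NewTransport(jsonwebtoken)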
    if err != nil {
       // do something
    }
    // create the analytics service, passing in the transport (including token)
    analyticsService, err := analytics.New(transport.Client())
    if err != nil {
       // do something
    } 
    // create the Analytics Data Service
    dataGaService := analytics.NewDataGaService(analyticsService)

i don't think the example code has been updated to reflect this new E-Z goodness. 

in contrast, this is kinda what you used to have to do:

    // struct to read the service account secrets file that you downloaded from Google Cloud Console into
    type GoogleSecretsConfig struct {
      ClientEmail  string   `json:"client_email"`
      ClientId     string   `json:"client_id"`
      ClientSecret string   `json:"client_secret"`
      RedirectURIs []string `json:"redirect_uris"`
      Scope        string
      AuthURI      string `json:"auth_uri"`
      TokenURI     string `json:"token_uri"`
    }
    googlesecrets := new(GoogleSecretsConfig)
    data, err := ioutil.ReadFile("/tmp/serviceaccountsecretsfilefromCloudConsole.json")
    if err != nil {
        // do something
    }
    err = json.Unmarshal(data, &googlesecrets)
    if err != nil {
        // do something
    }
    // build the oauth config from the secrets struct read above
    oauthconfig := &oauth.Config{
        ClientId:     googlesecrets.ClientId,
        ClientSecret: googlesecrets.ClientSecret,
        Scope:        googlesecrets.Scope,
        AuthURL:      googlesecrets.AuthURI,
        TokenURL:     googlesecrets.TokenURI,
    }
    // read in the site-specific PEM key file
    key, err := ioutil.ReadFile("/tmp/serviceaccountkey.pem")
    if err != nil {
      // do something
    }
    jsonwebtoken := jwt.NewToken("01234567...@developer.gserviceaccount.com", oauthconfig.Scope, key)
    jsonwebtoken.ClaimSet.Aud = "https://accounts.google.com/o/oauth2/token"
    // create a basic httpclient that we will use with the json web token assertion
    httpclient := &http.Client{}
    // encode and send the json web token, getting an *oauth.Token in return
    oauthtoken, err := jsonwebtoken.Assert(httpclient)
    if err != nil {
      // do something
    }
    // build the oauth http transport
    transport := oauth.Transport{Config: oauthconfig}
    // set the transport token to be the oauthtoken
    transport.Token = oauthtoken
    // create the analytics service, passing in the transport 
    analyticsService, err := analytics.New(transport.Client())
    if err != nil {
      // do something
    }
    // create the Analytics Data Service
    dataGaService := analytics.NewDataGaService(analyticsService)

hope this helps! let me know if you have any more questions. if you're still having problems, make sure you've explicitly turned on the API specific to the Google service you're trying to authenticate with in the Google Cloud Console for the service account that you're using to authenticate. sounds obvious but ..... :)

-RMT
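
Added example (not from the thread or from goauth2): a standard-library Go check of the claims inside a service-account assertion, covering the clock-skew cause raised in the first post and the `Aud` value set in the snippet above. `CheckAssertion`, `Sample`, the `skew` tolerance and the `svc@example.invalid` issuer are assumptions made for illustration; the one-hour limit is Google's documented maximum lifetime for these assertions.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

const tokenAud = "https://accounts.google.com/o/oauth2/token" // value the thread's code assigns to ClaimSet.Aud

// CheckAssertion lists claim problems in a compact JWT (signature not verified), judged against ref.
func CheckAssertion(jwt string, ref time.Time, skew time.Duration) ([]string, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("want 3 JWT segments, got %d", len(parts))
	}
	var c struct{ Aud string; Iat, Exp int64 } // JSON keys match case-insensitively
	raw, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err == nil {
		err = json.Unmarshal(raw, &c)
	}
	if err != nil {
		return nil, fmt.Errorf("bad payload: %v", err)
	}
	iat, exp := time.Unix(c.Iat, 0), time.Unix(c.Exp, 0)
	var bad []string
	note := func(failed bool, msg string) {
		if failed {
			bad = append(bad, msg)
		}
	}
	note(c.Aud != tokenAud, "aud is not the token endpoint")
	note(iat.After(ref.Add(skew)), "iat is ahead of the reference clock")
	note(!exp.After(ref.Add(-skew)), "exp has passed on the reference clock")
	note(exp.Sub(iat) > time.Hour, "exp is more than 1 hour after iat")
	return bad, nil
}

// Sample builds an unsigned, constructed assertion (placeholder issuer and signature).
func Sample(aud string, iat, exp time.Time) string {
	p := fmt.Sprintf(`{"iss":"svc@example.invalid","aud":%q,"iat":%d,"exp":%d}`, aud, iat.Unix(), exp.Unix())
	return "e30." + base64.RawURLEncoding.EncodeToString([]byte(p)) + ".sig"
}

func main() {
	ref := time.Now() // demo only: take ref from a trusted time source in practice
	fmt.Println(CheckAssertion(Sample(tokenAud, ref.Add(6*time.Minute), ref.Add(66*time.Minute)), ref, time.Minute))
}
```

Take `ref` from a source other than the machine that minted the assertion, for example the `Date` header of the token endpoint's HTTP response, because comparing against the local clock cannot reveal that clock's own drift.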

Péter Szilágyi

Sep 6, 2014, 8:29:02 AM
to Rick Tait, golang-nuts, itsle...@gmail.com, ha...@klarsys.com
Hey all,

  Just to add to the above code snippet, this was the original "demo" of the added JWT authenticated transport mechanism: https://gist.github.com/karalabe/8933476

Cheers,
  Peter



ameerkha...@vembu.com

Feb 11, 2015, 1:04:32 AM
to golan...@googlegroups.com
I have used the JWT package in Go (https://code.google.com/p/goauth2/source/browse/oauth/jwt/example/main.go). In that code, I have used my client_secrets and my PEM file, but I got an assertion error. Everything works fine, but I got an assertion error.