OAuth 2.0使用Bearer Token作為認證後的Access token,大大簡化 ... Basic和Digest token是由username、password等等資訊來構成,而JWT也相似。 ... <看更多>
「bearer token是什麼」的推薦目錄:
- 關於bearer token是什麼 在 [Day-35] 使用JWT來存取API內容(總結) 的評價
- 關於bearer token是什麼 在 開發者必備知識- HTTP認證(HTTP Authentication) 的評價
- 關於bearer token是什麼 在 ASP.NET Core Web API 整合測試中使用Bearer Token | 程式前沿 的評價
- 關於bearer token是什麼 在 Access Token和Bearer Token有什么区别呢? #1 - GitHub 的評價
- 關於bearer token是什麼 在 Using OAuth 2.0 for Server to Server Applications - Google ... 的評價
bearer token是什麼 在 ASP.NET Core Web API 整合測試中使用Bearer Token | 程式前沿 的解答
整合測試中使用Bearer Token. 我這個專案裡生產時使用的是Identity Server 4, 而進行整合測試時使用Identity Server 4可能會不太方便, 所以我決定簡化 ... ... <看更多>
bearer token是什麼 在 Access Token和Bearer Token有什么区别呢? #1 - GitHub 的解答
@fengqiangboy Bearer Token是Access Token的一种格式,这种格式一般是随机字符串无特殊意义,也就是不能从Bearer Token的字面推断出这个Token是谁 ... ... <看更多>
bearer token是什麼 在 Using OAuth 2.0 for Server to Server Applications - Google ... 的解答
Important: If you are working with Google Cloud Platform, unless you plan
to build your own client library, use service accounts and a Cloud Client Library instead of
performing authorization explicitly as described in this document. For more information, see
Authentication Overview
in the Google Cloud Platform documentation.
The Google OAuth 2.0 system supports server-to-server interactions such as those between a web
application and a Google service. For this scenario you need a service account, which
is an account that belongs to your application instead of to an individual end user. Your
application calls Google APIs on behalf of the service account, so users aren't directly
involved. This scenario is sometimes called "two-legged OAuth," or "2LO." (The related term
"three-legged OAuth" refers to scenarios in which your application calls Google APIs on behalf
of end users, and in which user consent is sometimes required.)
Typically, an application uses a service account when the application uses Google APIs to work
with its own data rather than a user's data. For example, an application that uses Google Cloud
Datastore for data persistence would use a service account to authenticate its calls to the
Google Cloud Datastore API.
Google Workspace domain administrators can also
grant service accounts domain-wide authority to access user
data on behalf of users in the domain.
This document describes how an application can complete the server-to-server OAuth 2.0 flow by
using either a Google APIs client library (recommended) or HTTP.
using OAuth 2.0, which can save you a network request. See
Addendum: Service account authorization without OAuth. Overview
To support server-to-server interactions, first create a service account for your project in
the API Console. If you want to access user data for users in
your Google Workspace account, then delegate domain-wide access to the service account.
Then, your application prepares to make authorized API calls by using the service account's
credentials to request an access token from the OAuth 2.0 auth server.
Finally, your application can use the access token to call Google APIs.
Recommendation: Your application can complete these tasks either by
using the Google APIs client library for your language, or by directly interacting with the
OAuth 2.0 system using HTTP. However, the mechanics of server-to-server authentication
interactions require applications to create and cryptographically sign JSON Web Tokens (JWTs),
and it's easy to make serious errors that can have a severe impact on the security of your
application.
For this reason, we strongly encourage you to use libraries, such as the Google APIs client
libraries, that abstract the cryptography away from your application code.
A service account's credentials include a generated email address that is unique and at least
one public/private key pair. If domain-wide delegation is enabled, then a client ID is also part
of the service account's credentials.
If your application runs on Google App Engine, a service account is set up automatically when
you create your project.
If your application runs on Google Compute Engine, a service account is also set up
automatically when you create your project, but you must specify the scopes that your
application needs access to when you create a Google Compute Engine instance. For more
information, see
Preparing an instance to use service accounts.
If your application doesn't run on Google App Engine or Google Compute Engine, you must obtain
these credentials in the Google API Console. To generate service-account
credentials, or to view the public credentials that you've already generated, do the following:
First, create a service account:
Open the Service accounts page.
If prompted, select a project, or create a new one.
Click Create service
account.
Under Service account details, type a name, ID, and description for the service
account, then click Create and continue.
Optional: Under Grant this service account access to project, select the IAM roles to
grant to the service account.
Click Continue.
Optional: Under Grant users access to this service account, add the users or groups
that are allowed to use and manage the service account.
Click Done.
Next, create a service account key:
Click the email address for the service account you created.
Click the Keys tab.
In the Add key drop-down list, select Create new key.
Click Create.
Your new public/private key pair is generated and downloaded to your machine; it serves as the
only copy of the private key. You are responsible for storing it securely. If you lose this key
pair, you will need to generate a new one.
You can return to the
API Console at any time to view the email address, public
key fingerprints, and other information, or to generate additional public/private key pairs. For
more details about service account credentials in the
API Console, see
Service accounts in the API Console
help file.
Take note of the service account's email address and store the service account's private key
file in a location accessible to your application. Your application needs them to make
authorized API calls.
development and production environments. Google does not keep a copy of your private keys, only
your public keys. See the
Handle client credentials securely section of OAuth 2.0 Policies for more information.
Delegating domain-wide authority to the service account
Using a Google Workspace account, a Workspace administrator of the organization can authorize an
application to access Workspace user data on behalf of users in the Google Workspace domain. For example,
an application that uses the Google Calendar API to add events to the calendars of all users in
a Google Workspace domain would use a service account to access the Google Calendar API on
behalf of users. Authorizing a service account to access data on behalf of users in a domain is
sometimes referred to as "delegating domain-wide authority" to a service account.
application for your domain, the required permissions are automatically granted to the
application during installation. You do not need to manually authorize the service accounts that
the application uses. Note: Although you can use service accounts in applications that run
from a Google Workspace domain, service accounts are not members of your Google Workspace
account and aren't subject to domain policies set by Google Workspace administrators. For
example, a policy set in the Google Workspace Admin console to restrict the ability of
Google Workspace end users to share documents outside of the domain would not apply to service
accounts.
To delegate domain-wide authority to a service account, a super administrator of the Google
Workspace domain must complete the following steps:
From your Google Workspace domain's
Admin console, go to Main menu
> Security >
Access and data control > API Controls.
In the Domain wide delegation pane, select Manage Domain Wide Delegation.
Click Add new.
In the Client ID field, enter the service account's Client ID. You can find
your service account's client ID in the
Service accounts page.
In the OAuth scopes (comma-delimited) field, enter the list of scopes that your
application should be granted access to. For example, if your application needs domain-wide
full access to the Google Drive API and the Google Calendar API, enter:
https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar.
Click Authorize.
Your application now has the authority to make API calls as users in your Workspace domain (to
"impersonate" users). When you prepare to make these delegated API calls, you will explicitly specify the user to
impersonate.
granted after the client ID was added, but in some cases, it might take up to 24 hours to
propagate to all users of your Google Account. Preparing to make a delegated API call
Java
After you obtain the client email address and private key from the
API Console, use the
Google APIs Client Library for Java
to create a GoogleCredential
object from the service account's credentials and
the scopes your application needs access to. For example:
import com.google.api.client.googleapis.auth.oauth2.GoogleCredential;
import com.google.api.services.sqladmin.SQLAdminScopes;// ...GoogleCredential credential = GoogleCredential.fromStream(new FileInputStream("MyProject-1234.json"))
.createScoped(Collections.singleton(SQLAdminScopes.SQLSERVICE_ADMIN));
If you are developing an app on Google Cloud Platform, you can use the
application default credentials
instead, which can simplify the process.
If you have delegated domain-wide access to the service account and you want to impersonate
a user account, specify the email address of the user account with the
createDelegated
method of the GoogleCredential
object. For
example:
GoogleCredential credential = GoogleCredential.fromStream(new FileInputStream("MyProject-1234.json"))
.createScoped(Collections.singleton(SQLAdminScopes.SQLSERVICE_ADMIN))
.createDelegated("workspace-user@example.com");
The code above uses the GoogleCredential
object to call its createDelegated()
method. The argument for the createDelegated()
method must be a user which belongs to your
Workspace account. Your code making the request will use this credential to call Google
APIs using your service account.
Python
After you obtain the client email address and private key from the
API Console, use the
Google APIs Client Library for Python
to complete the following steps:
Create a
Credentials
object from the service account's credentials and thescopes your application needs access to. For example:
from google.oauth2 import service_accountSCOPES = ['https://www.googleapis.com/auth/sqlservice.admin']
SERVICE_ACCOUNT_FILE = '/path/to/service.json'credentials = service_account.Credentials.from_service_account_file(
SERVICE_ACCOUNT_FILE, scopes=SCOPES)
If you are developing an app on Google Cloud Platform, you can use the
application default credentials
instead, which can simplify the process.
Delegate domain-wide authority
If you have delegated domain-wide access to the service account and you want to
impersonate a user account, use the with_subject
method of an existing
ServiceAccountCredentials
object. For example:
delegated_credentials = credentials.with_subject('user@example.org')
Use the Credentials object to call Google APIs in your application.
HTTP/REST
Recommendation: Although your application can complete
these tasks by directly interacting with the OAuth 2.0 system using HTTP, the mechanics of
server-to-server authentication interactions require applications to create and
cryptographically sign JSON Web Tokens (JWTs), and it's easy to make serious errors that can
have a severe impact on the security of your application.
For this reason, we strongly encourage you to use libraries, such as the Google APIs
client libraries, that abstract the cryptography away from your application
code.
After you obtain the client ID and private key from the
API Console, your application needs to complete the
following steps:
Create a JSON Web Token (JWT, pronounced, "jot") which includes a header, a claim set,
and a signature.
Request an access token from the Google OAuth 2.0 Authorization Server.
Handle the JSON response that the Authorization Server returns.
The sections that follow describe how to complete these steps.
If the response includes an access token, you can use the access token to
call a Google API. (If the response does not include an access
token, your JWT and token request might not be properly formed, or the service account might
not have permission to access the requested scopes.)
When the access token expires, your application generates another
JWT, signs it, and requests another access token.
The rest of this section describes the specifics of creating a JWT, signing the JWT,
forming the access token request, and handling the response.
A JWT is composed of three parts: a header, a claim set, and a
signature. The header and claim set are JSON objects. These JSON objects are serialized to
UTF-8 bytes, then encoded using the Base64url encoding. This encoding provides resilience
against encoding changes due to repeated encoding operations. The header, claim set, and
signature are concatenated together with a period (.
) character.
A JWT is composed as follows:
{Base64url encoded header}.{Base64url encoded claim set}.{Base64url encoded signature}
The base string for the signature is as follows:
Forming the JWT header
{Base64url encoded header}.{Base64url encoded claim set}
The header consists of three fields that indicate the signing algorithm, the format of
the assertion, and the [key ID of the service account
key](https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts.keys)
that was used to sign the JWT. Algorithm and format are mandatory, and each field has only
one value. As additional algorithms and formats are introduced, this header will change
accordingly. The key ID is optional and if an incorrect Key ID is specified GCP will try
all keys associated with the service account to verify the token and reject the token if
no valid key is found. Google reserves the right to reject tokens with incorrect key IDs
in the future.
Service accounts rely on the RSA SHA-256 algorithm and the JWT token format. As a result,
the JSON representation of the header is as follows:
{"alg":"RS256","typ":"JWT", "kid":"370ab79b4513eb9bad7c9bd16a95cb76b5b2a56a"}
The Base64url representation of this is as follows:
Forming the JWT claim set
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsICJraWQiOiIzNzBhYjc5YjQ1MTNlYjliYWQ3YzliZDE2YTk1Y2I3NmI1YjJhNTZhIn0=
The JWT claim set contains information about the JWT, including the permissions being
requested (scopes), the target of the token, the issuer, the time the token was issued,
and the lifetime of the token. Most of the fields are mandatory. Like the JWT header, the
JWT claim set is a JSON object and is used in the calculation of the signature.
The required claims in the JWT claim set are shown below. They may appear in any order in
the claim set.
Name
Description
iss
The email address of the service account.
scope
A space-delimited list of the permissions that the application requests.
aud
A descriptor of the intended target of the assertion. When making an access token
request this value is always
https://oauth2.googleapis.com/token
.exp
The expiration time of the assertion, specified as seconds since 00:00:00 UTC,
January 1, 1970. This value has a maximum of 1 hour after the issued time.
iat
The time the assertion was issued, specified as seconds since 00:00:00 UTC,
January 1, 1970.
The JSON representation of the required fields in a JWT claim set is shown below:
Additional claims
{
"iss": "761326798069-r5mljlln1rd4lrbhg75efgigp36m78j5@developer.gserviceaccount.com",
"scope": "https://www.googleapis.com/auth/devstorage.read_only",
"aud": "https://oauth2.googleapis.com/token",
"exp": 1328554385,
"iat": 1328550785
}
In some enterprise cases, an application can use domain-wide delegation to act on behalf
of a particular user in an organization. Permission to perform this type of impersonation
must be granted before an application can impersonate a user, and is usually handled by a
super administrator. For more information, see
Control API access with domain-wide delegation.
To obtain an access token that grants an application delegated access to a resource,
include the email address of the user in the JWT claim set as the value of the
sub
field.
Name
Description
sub
The email address of the user for which the application is requesting delegated
access.
If an application does not have permission to impersonate a user, the response to an
access token request that includes the sub
field will be an
error.
An example of a JWT claim set that includes the sub
field is shown
below:
Encoding the JWT claim set
{
"iss": "761326798069-r5mljlln1rd4lrbhg75efgigp36m78j5@developer.gserviceaccount.com",
"sub": "some.user@example.com",
"scope": "https://www.googleapis.com/auth/prediction",
"aud": "https://oauth2.googleapis.com/token",
"exp": 1328554385,
"iat": 1328550785
}
Like the JWT header, the JWT claim set should be serialized to UTF-8 and Base64url-safe
encoded. Below is an example of a JSON representation of a JWT Claim set:
Computing the signature
{
"iss": "761326798069-r5mljlln1rd4lrbhg75efgigp36m78j5@developer.gserviceaccount.com",
"scope": "https://www.googleapis.com/auth/prediction",
"aud": "https://oauth2.googleapis.com/token",
"exp": 1328554385,
"iat": 1328550785
}
JSON Web Signature
(JWS) is the specification that guides the mechanics of generating the signature for the
JWT. The input for the signature is the byte array of the following content:
{Base64url encoded header}.{Base64url encoded claim set}
The signing algorithm in the JWT header must be used when computing the signature. The
only signing algorithm supported by the Google OAuth 2.0 Authorization Server is RSA using
SHA-256 hashing algorithm. This is expressed as RS256
in the alg
field in the JWT header.
Sign the UTF-8 representation of the input using SHA256withRSA (also known as
RSASSA-PKCS1-V1_5-SIGN with the SHA-256 hash function) with the private key obtained from
the Google API Console. The output will be a byte array.
The signature must then be Base64url encoded. The header, claim set, and signature are
concatenated together with a period (.
) character. The result is the JWT. It
should be the following (line breaks added for clarity):
{Base64url encoded header}.
{Base64url encoded claim set}.
{Base64url encoded signature}
Below is an example of a JWT before Base64url encoding:
{"alg":"RS256","typ":"JWT"}.
{
"iss":"761326798069-r5mljlln1rd4lrbhg75efgigp36m78j5@developer.gserviceaccount.com",
"scope":"https://www.googleapis.com/auth/prediction",
"aud":"https://oauth2.googleapis.com/token",
"exp":1328554385,
"iat":1328550785
}.
[signature bytes]
Below is an example of a JWT that has been signed and is ready for transmission:
Making the access token request
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI3NjEzMjY3OTgwNjktcjVtbGpsbG4xcmQ0bHJiaGc3NWVmZ2lncDM2bTc4ajVAZGV2ZWxvcGVyLmdzZXJ2aWNlYWNjb3VudC5jb20iLCJzY29wZSI6Imh0dHBzOi8vd3d3Lmdvb2dsZWFwaXMuY29tL2F1dGgvcHJlZGljdGlvbiIsImF1ZCI6Imh0dHBzOi8vd3d3Lmdvb2dsZWFwaXMuY29tL29hdXRoMi92NC90b2tlbiIsImV4cCI6MTMyODU1NDM4NSwiaWF0IjoxMzI4NTUwNzg1fQ.UFUt59SUM2_AW4cRU8Y0BYVQsNTo4n7AFsNrqOpYiICDu37vVt-tw38UKzjmUKtcRsLLjrR3gFW3dNDMx_pL9DVjgVHDdYirtrCekUHOYoa1CMR66nxep5q5cBQ4y4u2kIgSvChCTc9pmLLNoIem-ruCecAJYgI9Ks7pTnW1gkOKs0x3YpiLpzplVHAkkHztaXiJdtpBcY1OXyo6jTQCa3Lk2Q3va1dPkh_d--GU2M5flgd8xNBPYw4vxyt0mP59XZlHMpztZt0soSgObf7G3GXArreF_6tpbFsS3z2t5zkEiHuWJXpzcYr5zWTRPDEHsejeBSG8EgpLDce2380ROQ
After generating the signed JWT, an application can use it to request an access token.
This access token request is an HTTPS POST
request, and the body is URL
encoded. The URL is shown below:
https://oauth2.googleapis.com/token
The following parameters are required in the HTTPS POST
request:
Name
Description
grant_type
Use the following string, URL-encoded as necessary:
urn:ietf:params:oauth:grant-type:jwt-bearer
assertion
The JWT, including signature.
Below is a raw dump of the HTTPS POST
request used in an access token
request:
POST /token HTTP/1.1
Host: oauth2.googleapis.com
Content-Type: application/x-www-form-urlencodedgrant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI3NjEzMjY3OTgwNjktcjVtbGpsbG4xcmQ0bHJiaGc3NWVmZ2lncDM2bTc4ajVAZGV2ZWxvcGVyLmdzZXJ2aWNlYWNjb3VudC5jb20iLCJzY29wZSI6Imh0dHBzOi8vd3d3Lmdvb2dsZWFwaXMuY29tL2F1dGgvcHJlZGljdGlvbiIsImF1ZCI6Imh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL29hdXRoMi90b2tlbiIsImV4cCI6MTMyODU3MzM4MSwiaWF0IjoxMzI4NTY5NzgxfQ.ixOUGehweEVX_UKXv5BbbwVEdcz6AYS-6uQV6fGorGKrHf3LIJnyREw9evE-gs2bmMaQI5_UbabvI4k-mQE4kBqtmSpTzxYBL1TCd7Kv5nTZoUC1CmwmWCFqT9RE6D7XSgPUh_jF1qskLa2w0rxMSjwruNKbysgRNctZPln7cqQ
Below is the same request, using curl
:
Handling the response
curl -d 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI3NjEzMjY3OTgwNjktcjVtbGpsbG4xcmQ0bHJiaGc3NWVmZ2lncDM2bTc4ajVAZGV2ZWxvcGVyLmdzZXJ2aWNlYWNjb3VudC5jb20iLCJzY29wZSI6Imh0dHBzOi8vd3d3Lmdvb2dsZWFwaXMuY29tL2F1dGgvcHJlZGljdGlvbiIsImF1ZCI6Imh0dHBzOi8vYWNjb3VudHMuZ29vZ2xlLmNvbS9vL29hdXRoMi90b2tlbiIsImV4cCI6MTMyODU3MzM4MSwiaWF0IjoxMzI4NTY5NzgxfQ.RZVpzWygMLuL-n3GwjW1_yhQhrqDacyvaXkuf8HcJl8EtXYjGjMaW5oiM5cgAaIorrqgYlp4DPF_GuncFqg9uDZrx7pMmCZ_yHfxhSCXru3gbXrZvAIicNQZMFxrEEn4REVuq7DjkTMyCMGCY1dpMa8aWfTQFt3Eh7smLchaZsU
' https://oauth2.googleapis.com/token
If the JWT and access token request are properly formed and the service account has
permission to perform the operation, then the JSON response from the Authorization Server
includes an access token. The following is an example response:
{
"access_token": "1/8xbJqaOZXSUZbHLl5EOtu1pxz3fmmetKx9W8CV4t79M",
"scope": "https://www.googleapis.com/auth/prediction"
"token_type": "Bearer",
"expires_in": 3600
}
Access tokens can be reused during the duration window specified by the
expires_in
value.
Calling Google APIs
Java
Use the GoogleCredential
object to call Google APIs by completing the
following steps:
Create a service object for the API that you want to call using the
GoogleCredential
object. For example:
SQLAdmin sqladmin =
new SQLAdmin.Builder(httpTransport, JSON_FACTORY, credential).build();
Make requests to the API service using the
interface provided by the service object.
For example, to list the instances of Cloud SQL databases in the exciting-example-123
project:
SQLAdmin.Instances.List instances =
sqladmin.instances().list("exciting-example-123").execute();
Python
Use the authorized Credentials
object to call Google APIs by completing the
following steps:
Build a service object for the API that you want to call. You build a service object
by calling the
build
function with the name and version of the API and theauthorized
Credentials
object. For example, to call version 1beta3 of theCloud SQL Administration API:
import googleapiclient.discoverysqladmin = googleapiclient.discovery.build('sqladmin', 'v1beta3', credentials=credentials)
Make requests to the API service using the
interface provided by the service object.
For example, to list the instances of Cloud SQL databases in the exciting-example-123
project:
response = sqladmin.instances().list(project='exciting-example-123').execute()
HTTP/REST
After your application obtains an access token, you can use the token to make calls to a Google
API on behalf of a given service account or
user account if the scope(s) of access required by the API have been granted. To do this, include
the access token in a request to the API by including either an access_token
query
parameter or an Authorization
HTTP header Bearer
value. When possible,
the HTTP header is preferable, because query strings tend to be visible in server logs. In most
cases you can use a client library to set up your calls to Google APIs (for example, when
calling the Drive Files API).
You can try out all the Google APIs and view their scopes at the
OAuth 2.0 Playground.
A call to the
drive.files
endpoint (the Drive Files API) using the Authorization: Bearer
HTTP
header might look like the following. Note that you need to specify your own access token:
GET /drive/v2/files HTTP/1.1
Host: www.googleapis.com
Authorization: Bearer access_token
Here is a call to the same API for the authenticated user using the access_token
query string parameter:
GET https://www.googleapis.com/drive/v2/files?access_token=access_token
curl
examplesYou can test these commands with the curl
command-line application. Here's an
example that uses the HTTP header option (preferred):
curl -H "Authorization: Bearer access_token" https://www.googleapis.com/drive/v2/files
Or, alternatively, the query string parameter option:
When access tokens expire
curl https://www.googleapis.com/drive/v2/files?access_token=access_token
Access tokens issued by the Google OAuth 2.0 Authorization Server expire after the duration
provided by the expires_in
value. When an access token expires, then the
application should generate another JWT, sign it, and request another access token.
JWT error codes
error
fielderror_description
fieldMeaning
How to resolve
unauthorized_client
Unauthorized client or scope in request.
If you're trying to use domain-wide delegation, the service account is not authorized in
the Admin console of the user's domain.
Ensure that the service account is authorized in the
Domain-wide delegation page of the Admin console for the user in the
sub
claim (field).
While it usually takes a few minutes, it might take up to 24 hours for authorization to
propagate to all users in your Google Account.
unauthorized_client
Client is unauthorized to retrieve access tokens using this method, or client not
authorized for any of the scopes requested.
A service account was authorized using the client email address rather than the client ID
(numeric) in the Admin console.
In the
Domain-wide delegation page in the Admin console, remove the client, and re-add it
with the numeric ID.
access_denied
(any value)
If you're using Domain-wide delegation, one or more requested scopes aren't authorized
in the Admin console.
Ensure that the service account is authorized in the
Domain-wide delegation page of the Admin console for the user in the
sub
claim (field), and that it includes all of the scopes you're requesting
in the scope
claim of your JWT.
While it usually takes a few minutes, it might take up to 24 hours for authorization to
propagate to all users in your Google Account.
admin_policy_enforced
(any value)
The Google Account is unable to authorize one or more scopes requested due to the
policies of their Google Workspace administrator.
See the Google Workspace Admin help article
Control which third-party &
internal apps access Google Workspace data for more information about how an
administrator may restrict access to all scopes or sensitive and restricted scopes until
access is explicitly granted to your OAuth client ID.
invalid_client
(any value)
The OAuth client or JWT token is invalid or incorrectly configured.
Refer to the error description for details.
Make sure the JWT token is valid and contains correct claims.
Check that the OAuth client and service account are
configured correctly and that you are using the correct email address.
Check that the JWT token is correct and was issued for the client ID in the
request.
invalid_grant
Not a valid email.
The user doesn't exist.
Check that the email address in the
sub
claim (field) is correct.invalid_grant
Invalid JWT: Token must be a short-lived token (60 minutes) and in a reasonable
timeframe. Check your 'iat' and 'exp' values and use a clock with skew to account for
clock differences between systems.
Usually, it means that the local system time is not correct. It could also happen if the
exp
value is more than 65 mins in the future from the iat
value,or the
exp
value is lower than iat
value.Make sure that the clock on the system where the JWT is generated is correct. If
necessary, sync your time with
Google NTP.
invalid_grant
Invalid JWT Signature.
The JWT assertion is signed with a private key not associated with the service account
identified by the client email or the key that was used has been deleted, disabled, or
has expired.
Alternatively, the JWT assertion might be encoded incorrectly - it must be
Base64-encoded, without newlines or padding equal signs.
Decode the JWT claim set and verify the key that signed the assertion is associated
with the service account.
Try to use a Google-provided OAuth library to make sure the JWT is generated correctly.
invalid_scope
Invalid OAuth scope or ID token audience provided.
No scopes were requested (empty list of scopes), or one of the requested scopes doesn't
exist (i.e. is invalid).
Ensure that the scope
claim (field) of the JWT is populated, and compare
the scopes that it contains with the documented scopes for the APIs you want to use, to
ensure there are no errors or typos.
Note that the list of scopes in the scope
claim needs to be separated by
spaces, not commas.
disabled_client
The OAuth client was disabled.
The key used to sign the JWT assertion is disabled.
Go to the Google API Console, and under IAM & Admin
> Service Accounts, enable the service account which contains the "Key ID" used
to sign the assertion.
org_internal
This client is restricted to users within its organization.
The OAuth client ID in the request is part of a project limiting access to Google
Accounts in a specific
Google Cloud Organization.
Use a service account from the organization to authenticate. Confirm the
user type
configuration for your OAuth application.
Addendum: Service account authorization without OAuth
With some Google APIs, you can make authorized API calls using a signed JWT directly as a
bearer token, rather than an OAuth 2.0 access token. When this is possible, you can avoid having
to make a network request to Google's authorization server before making an API call.
If the API you want to call has a service definition published in the
Google APIs GitHub repository,
you can make authorized API calls using a JWT instead of an access token. To do so:
Create a service account as described above. Be sure to
keep the JSON file you get when you create the account.
Using any standard JWT library, such as one found at
jwt.io, create a JWT with a header
and payload like the following example:
{
"alg": "RS256",
"typ": "JWT",
"kid": "abcdef1234567890"
}
.
{
"iss": "123456-compute@developer.gserviceaccount.com",
"sub": "123456-compute@developer.gserviceaccount.com",
"aud": "https://firestore.googleapis.com/",
"iat": 1511900000,
"exp": 1511903600
}
For the
kid
field in the header, specify your service account's private keyID. You can find this value in the
private_key_id
field of your service accountJSON file.
For the
iss
and sub
fields, specify your service account's emailaddress. You can find this value in the
client_email
field of your serviceaccount JSON file.
For the
aud
field, specify the API endpoint. For example:https://SERVICE.googleapis.com/
.For the
iat
field, specify the current Unix time, and for theexp
field, specify the time exactly 3600 seconds later, when the JWT willexpire.
Sign the JWT with RSA-256 using the private key found in your service account JSON file.
For example:
Java
Using
google-api-java-client and
java-jwt:
GoogleCredential credential =
GoogleCredential.fromStream(new FileInputStream("MyProject-1234.json"));
PrivateKey privateKey = credential.getServiceAccountPrivateKey();
String privateKeyId = credential.getServiceAccountPrivateKeyId();long now = System.currentTimeMillis();try {
Algorithm algorithm = Algorithm.RSA256(null, privateKey);
String signedJwt = JWT.create()
.withKeyId(privateKeyId)
.withIssuer("123456-compute@developer.gserviceaccount.com")
.withSubject("123456-compute@developer.gserviceaccount.com")
.withAudience("https://firestore.googleapis.com/")
.withIssuedAt(new Date(now))
.withExpiresAt(new Date(now + 3600 * 1000L))
.sign(algorithm);
} catch ...
Python
Using PyJWT:
iat = time.time()
exp = iat + 3600
payload = {'iss': '123456-compute@developer.gserviceaccount.com',
'sub': '123456-compute@developer.gserviceaccount.com',
'aud': 'https://firestore.googleapis.com/',
'iat': iat,
'exp': exp}
additional_headers = {'kid': PRIVATE_KEY_ID_FROM_JSON}
signed_jwt = jwt.encode(payload, PRIVATE_KEY_FROM_JSON, headers=additional_headers,
algorithm='RS256')
Call the API, using the signed JWT as the bearer token:
GET /v1/projects/abc/databases/123/indexes HTTP/1.1
Authorization: Bearer SIGNED_JWT
Host: firestore.googleapis.com
... <看更多>
bearer token是什麼 在 [Day-35] 使用JWT來存取API內容(總結) 的解答
尚未提供Bearer Token ,即資源服務器(Resource server) 找無資訊。 總結. Authorization 是用戶認證是後端最重要的一環,這邊最後整理幾項後端開發者必須去注意 ... ... <看更多>