requests-oauthlib

OAuth2 Authentication for Google Service Account - jwt improperly generated

Open natoinet opened this issue 8 years ago • 3 comments

Hello,

I've had no problem connecting to Google APIs following your tutorial with web app credentials https://requests-oauthlib.readthedocs.io/en/latest/examples/google.html

However, I don't want to have to authorize every time through the browser, so I actually need service credentials https://developers.google.com/api-client-library/python/auth/service-accounts

I've been following #152, but when I do google.fetch_token(token_url), I always get an InvalidGrant Error:

oauthlib.oauth2.rfc6749.errors.InvalidGrantError: (invalid_grant) Invalid JWT: Failed audience check. The right audience is https://accounts.google.com/o/oauth2/token

But the value of aud is actually 'https://accounts.google.com/o/oauth2/token'

Any idea?

Thanks!

natoinet, Jul 22 '16 17:07

Here is exactly what I do:

>>> import json
>>> from oauthlib.oauth2 import ServiceApplicationClient
>>> from requests_oauthlib import OAuth2Session
>>> json_file = json.load(open("google_service_privatekey.json"))
>>> client_id = json_file['client_id']
>>> issuer = json_file['client_email']
>>> # aud values are based on:
>>> # https://github.com/google/oauth2client/blob/master/oauth2client/service_account.py
>>> # https://github.com/google/oauth2client/blob/master/oauth2client/__init__.py
>>> aud = 'https://www.googleapis.com/oauth2/v4/token'
>>> scope = 'https://www.googleapis.com/auth/tasks'
>>> private_key_id = json_file['private_key_id']
>>> private_key_pkcs8_pem = json_file['private_key']
>>> client = ServiceApplicationClient(client_id, issuer=issuer, audience=aud, private_key=private_key_pkcs8_pem)
>>> google = OAuth2Session(client_id, client=client)
>>> google.fetch_token(token_url)

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/antoinet/.virtualenvs/scraper/lib/python3.4/site-packages/requests_oauthlib/oauth2_session.py", line 244, in fetch_token
    self._client.parse_request_body_response(r.text, scope=self.scope)
  File "/Users/antoinet/.virtualenvs/scraper/lib/python3.4/site-packages/oauthlib/oauth2/rfc6749/clients/base.py", line 409, in parse_request_body_response
    self.token = parse_token_response(body, scope=scope)
  File "/Users/antoinet/.virtualenvs/scraper/lib/python3.4/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 376, in parse_token_response
    validate_token_parameters(params)
  File "/Users/antoinet/.virtualenvs/scraper/lib/python3.4/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 383, in validate_token_parameters
    raise_from_error(params.get('error'), params)
  File "/Users/antoinet/.virtualenvs/scraper/lib/python3.4/site-packages/oauthlib/oauth2/rfc6749/errors.py", line 271, in raise_from_error
    raise cls(**kwargs)
oauthlib.oauth2.rfc6749.errors.InvalidGrantError: (invalid_grant) Invalid JWT: Failed audience check. The right audience is https://www.googleapis.com/oauth2/v4/token

Also, when I do in Python:

>>> client.prepare_request_body()

Then with the result:

curl -d 'grant_type=urn........' https://www.googleapis.com/oauth2/v4/token

I also receive the same error:

oauthlib.oauth2.rfc6749.errors.InvalidGrantError: (invalid_grant) Invalid JWT: Failed audience check. The right audience is https://www.googleapis.com/oauth2/v4/token

So it seems the JWT is not being generated correctly.

natoinet, Jul 26 '16 14:07
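
One way to see what the assertion really carries before sending it, as an added example that is not part of the original thread or of requests-oauthlib: it decodes the JWT from a form-encoded body of the kind `client.prepare_request_body()` returns and compares its `aud` claim with the token endpoint. The function names, the sample claims and the placeholder signature are constructed for illustration; the signature is not verified.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_assertion(request_body):
    """Return (header, claims) of the JWT inside a form-encoded token request."""
    params = parse_qs(request_body, strict_parsing=True)
    if params.get("grant_type") != [JWT_BEARER]:
        raise ValueError("not a JWT bearer grant: %r" % params.get("grant_type"))
    segments = params.get("assertion", [""])[0].split(".")
    if len(segments) != 3:
        raise ValueError("assertion is not a three-part compact JWT")
    header, claims = (json.loads(_b64url_decode(s)) for s in segments[:2])
    return header, claims


def claim_problems(claims, token_url):
    """Compare aud with the token endpoint and flag claims serialized as null."""
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be a string or an array
    problems = [] if token_url in audiences else ["aud %r does not contain %r" % (aud, token_url)]
    problems += ["claim %r is null" % k for k, v in claims.items() if v is None]
    return problems


def build_sample_body(claims):
    # Constructed input: real header/claims encoding, placeholder signature.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    jwt = ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])
    return urlencode({"grant_type": JWT_BEARER, "assertion": jwt})


if __name__ == "__main__":
    sample = build_sample_body({"iss": "svc@example.invalid", "sub": None,
                                "aud": "https://accounts.google.com/o/oauth2/token",
                                "iat": 1469197620, "exp": 1469201220})
    _, claims = decode_assertion(sample)
    for problem in claim_problems(claims, "https://www.googleapis.com/oauth2/v4/token"):
        print(problem)
```

Passing the string returned by `client.prepare_request_body()` to `decode_assertion` shows the claims exactly as the server will receive them, which separates a wrong `aud` value from a serialization problem elsewhere in the token.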

:+1:

tolsac, May 22 '18 13:05

I am also going through a similar error. Have you resolved the issue?

TahirJanjua, Nov 08 '18 06:11