Invalid JWT when trying to connect to Google Oauth for google API
22,511
Solution 1
Not sure if you ever got it to work, but the following simple steps worked for me using the PHP function openssl_sign():
//helper function
function base64url_encode($data) {
return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}
//Google's Documentation of Creating a JWT: https://developers.google.com/identity/protocols/OAuth2ServiceAccount#authorizingrequests
//{Base64url encoded JSON header}
$jwtHeader = base64url_encode(json_encode(array(
"alg" => "RS256",
"typ" => "JWT"
)));
//{Base64url encoded JSON claim set}
$now = time();
$jwtClaim = base64url_encode(json_encode(array(
"iss" => "761326798069-r5mljlln1rd4lrbhg75efgigp36m78j5@developer.gserviceaccount.com",
"scope" => "https://www.googleapis.com/auth/prediction",
"aud" => "https://www.googleapis.com/oauth2/v4/token",
"exp" => $now + 3600,
"iat" => $now
)));
//The base string for the signature: {Base64url encoded JSON header}.{Base64url encoded JSON claim set}
openssl_sign(
$jwtHeader.".".$jwtClaim,
$jwtSig,
$your_private_key_from_google_api_console,
"sha256WithRSAEncryption"
);
$jwtSign = base64url_encode($jwtSig);
//{Base64url encoded JSON header}.{Base64url encoded JSON claim set}.{Base64url encoded signature}
$jwtAssertion = $jwtHeader.".".$jwtClaim.".".$jwtSig;
Solution 2
I had the same issue, I solved it by syncing my VMs time to have the correct one with a public ntpserver:
ntpdate ntp.ubuntu.com
Solution 3
You have to set a correct expiration time for the token if you see this error. Example:
var currentTime = new Date().getTime() / 1000; //must be in seconds
var exp = currentTime + 60;
var auth_claimset = {
iss : "...",
scope : "...",
aud : "...",
exp : exp,
iat : currentTime
};
Author by
andy
Updated on July 05, 2022Comments
-
andy almost 2 years
I was trying to connect to Google API through OAuth through JWT, but I keep getting this error:
{ "error": "invalid_grant", "error_description": "Invalid JWT: Token must be a short-lived token and in a reasonable timeframe" }
In my JWT calim I set the iat to be current time minus 1970-01-01 in seconds and exp to iat + 3600, so I do not know why I am still getting this error. If anyone knows the answer please tell meeeeee!
-
andy about 8 yearsSo I have modified to the below code: ' $sig = hash('SHA256', $headerAndPayload, $secret); $signature = base64url_encode($sig); $jwt = $headerAndPayload . "." . $signature; ' I keep getting a signature invalid for some reason. $secret is the private key i obtained from service account key json file. Would you know what's wrong?
-
andy about 8 yearsI just found out that using hash in PHP does not use a secret key, so I should probably still use hash_hmac, and I am not getting a result :/
-
user2705223 about 8 yearsThere appear to be signing libraries that create spec compliant JWTs. For example: github.com/namshi/jose
-
andy almost 7 yearsSorry I kept forgetting to update this. This was indeed the right answer! Although I don't need to use this anymore because App Engine allows me to directly reach Cloud Storage now. But still thank you for the right answer! :)
-
Michel over 6 yearsHey @Joseph Shih I am having similar issue, my error is
Invalid JWT Signature.
. Can you share your POST request. I guess I'm having issues withgrant_type
in the request body. -
Joseph Shih over 6 years@Michel, an invalid JWT signature error means that your signature failed to authenticate your $jwtHeader and $jwtClaim. Are you using the correct ISS (email address of the service account) and are you using the private key from your API console. Also, remember you'll need to base-64 encode the signature (like the example above).
-
Michel over 6 yearsNever mind @JosephShih I was able to fix it. I posted the answer here: stackoverflow.com/questions/48106432/… Still thanks for the reply :)