FAQ
Hey nuts,

I'm trying to access Google Cloud Storage via “Service Accounts” and –
among other libs – I'm using `code.google.com/p/goauth2/oauth/jwt` to
obtain the access token.
However, the `t.Assert()` call always yields something like:

     2013/06/12 19:28:57 assertion error:invalid response: 400 Bad Request

I dug a little bit into the code and also dumped the response body, which
turns out to be

     {
       "error" : "invalid_grant"
     }

According to a Google search, this can be the result of a lot of things,
most commonly clock-skew, which I don't think I have (I am synched to a NTP
server).
Then I tried the example code
(https://code.google.com/p/goauth2/source/browse/oauth/jwt/example/main.go)
which yields exactly the same error.

Does anybody have an idea what to do? Would anybody be willing to try the
example code themselves so I know whether the code is just out-of-date or
this is an environmental issue (you need to create a service account in the
API console)?

Cheers,
Surma


--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Search Discussions

  • Itsleeowen at Aug 22, 2014 at 11:42 pm
    +1 same issue here


    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/d/optout.
  • Harik at Aug 30, 2014 at 7:11 pm
    Bump. Exact same issue. Anyone figure it out yet?
    On Saturday, August 23, 2014 5:12:24 AM UTC+5:30, itsle...@gmail.com wrote:

    +1 same issue here

    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/d/optout.
  • Rick Tait at Sep 5, 2014 at 11:37 pm
    since JWT authenticated transport was added to the oauth package back in
    February, using JWT with service accounts is a whole lot easier. you no
    longer have to manually Assert(). here's a code snippet from an app that i
    use to pull data down using a service account from the Analytics Core
    Reporting API:

         // read in the site-specific PEM key file
         key, err := ioutil.ReadFile("/tmp/serviceaccountkey.pem")
         if err != nil {
           // do something
         }
         // create a new JWT token to authorize server-to-server Google API
    calls, using the service account emailaddr, analytics scope and PEM key
         jsonwebtoken :=
    jwt.NewToken("0123456789-abcdef@developer.gserviceaccount.com",
    "https://www.googleapis.com/auth/analytics.readonly" key)
         // create an authenticated HTTP transport (expired tokens get refreshed
    automatically)
         transport, err := jwt.NewTransport(jsonwebtoken)
         if err != nil {
            // do something
         }
         // create the analytics service, passing in the transport (including
    token)
         analyticsService, err := analytics.New(transport.Client())
         if err != nil {
            // do something
         }
         // create the Analytics Data Service
         dataGaService := analytics.NewDataGaService(analyticsService)

    i don't think the example code has been updated to reflect this new E-Z
    goodness.

    in contrast, this is kinda what you used to have to do:

         // struct to read the service account secrets file that you downloaded
    from Google Cloud Console into
         type GoogleSecretsConfig struct {
           ClientEmail string `json:"client_email"`
           ClientId string `json:"client_id"`
           ClientSecret string `json:"client_secret"`
           RedirectURIs []string `json:"redirect_uris"`
           Scope string
           AuthURI string `json:"auth_uri"`
           TokenURI string `json:"token_uri"`
         }
         googlesecrets := new(GoogleSecretsConfig)
         data, err :=
    ioutil.ReadFile("/tmp/serviceaccountsecretsfilefromCloudConsole.json")
         if err != nil {
             // do something
         }
         err = json.Unmarshal(data, &googlesecrets)
         if err != nil {
             // do something
         }
         oauthconfig := &oauth.Config{
             ClientId: secretsconfig.ClientId,
             ClientSecret: secretsconfig.ClientSecret,
             Scope: "https://www.googleapis.com/auth/analytics.readonly",
             AuthURL: secretsconfig.AuthURI,
             TokenURL: secretsconfig.TokenURI,
         }
         // read in the site-specific PEM key file
         key, err := ioutil.ReadFile("/tmp/serviceaccountkey.pem")
         if err != nil {
           // do something
         }
         jsonwebtoken :=
    jwt.NewToken("0123456789-abcdef@developer.gserviceaccount.com",
    oauthconfig.Scope, key)
         jsonwebtoken.ClaimSet.Aud = "https://accounts.google.com/o/oauth2/token"
         // create a basic httpclient that we will use with the json web token
    assertion
         httpclient := &http.Client{}
         // encode and send the json web token, getting an *oauth.Token in return
         oauthtoken, err := jsonwebtoken.Assert(httpclient)
         if err != nil {
           // do something
         }
         // build the oauth http transport
         transport := oauth.Transport{Config: oauthconfig}
         // set the transport token to be the oauthtoken
         transport.Token = oauthtoken
         // create the analytics service, passing in the transport
         analyticsService, err := analytics.New(transport.Client())
         if err != nil {
           // do something
         }
         // create the Analytics Data Service
         dataGaService := analytics.NewDataGaService(analyticsService)

    hope this helps! let me know if you have any more questions. if you're
    still having problems, make sure you've explicitly turned on the API
    specific to the Google service you're trying to authenticate with in the
    Google Cloud Console for the service account that you're using to
    authenticate. sounds obvious but ..... :)

    -RMT
    On Saturday, August 30, 2014 11:29:41 AM UTC-7, ha...@klarsys.com wrote:

    Bump. Exact same issue. Anyone figure it out yet?

    On Saturday, August 23, 2014 5:12:24 AM UTC+5:30, itsle...@gmail.com
    wrote:
    +1 same issue here

    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/d/optout.
  • Péter Szilágyi at Sep 6, 2014 at 12:28 pm
    Hey all,

       Just to add to the above code snippet, this was the original "demo" of
    the added JWT authenticated transport mechanism:
    https://gist.github.com/karalabe/8933476

    Cheers,
       Peter

    On Sat, Sep 6, 2014 at 2:37 AM, Rick Tait wrote:

    since JWT authenticated transport was added to the oauth package back in
    February, using JWT with service accounts is a whole lot easier. you no
    longer have to manually Assert(). here's a code snippet from an app that i
    use to pull data down using a service account from the Analytics Core
    Reporting API:

    // read in the site-specific PEM key file
    key, err := ioutil.ReadFile("/tmp/serviceaccountkey.pem")
    if err != nil {
    // do something
    }
    // create a new JWT token to authorize server-to-server Google API
    calls, using the service account emailaddr, analytics scope and PEM key
    jsonwebtoken := jwt.NewToken("
    0123456789-abcdef@developer.gserviceaccount.com", "
    https://www.googleapis.com/auth/analytics.readonly" key)
    // create an authenticated HTTP transport (expired tokens get
    refreshed automatically)
    transport, err := jwt.NewTransport(jsonwebtoken)
    if err != nil {
    // do something
    }
    // create the analytics service, passing in the transport (including
    token)
    analyticsService, err := analytics.New(transport.Client())
    if err != nil {
    // do something
    }
    // create the Analytics Data Service
    dataGaService := analytics.NewDataGaService(analyticsService)

    i don't think the example code has been updated to reflect this new E-Z
    goodness.

    in contrast, this is kinda what you used to have to do:

    // struct to read the service account secrets file that you downloaded
    from Google Cloud Console into
    type GoogleSecretsConfig struct {
    ClientEmail string `json:"client_email"`
    ClientId string `json:"client_id"`
    ClientSecret string `json:"client_secret"`
    RedirectURIs []string `json:"redirect_uris"`
    Scope string
    AuthURI string `json:"auth_uri"`
    TokenURI string `json:"token_uri"`
    }
    googlesecrets := new(GoogleSecretsConfig)
    data, err :=
    ioutil.ReadFile("/tmp/serviceaccountsecretsfilefromCloudConsole.json")
    if err != nil {
    // do something
    }
    err = json.Unmarshal(data, &googlesecrets)
    if err != nil {
    // do something
    }
    oauthconfig := &oauth.Config{
    ClientId: secretsconfig.ClientId,
    ClientSecret: secretsconfig.ClientSecret,
    Scope: "https://www.googleapis.com/auth/analytics.readonly",
    AuthURL: secretsconfig.AuthURI,
    TokenURL: secretsconfig.TokenURI,
    }
    // read in the site-specific PEM key file
    key, err := ioutil.ReadFile("/tmp/serviceaccountkey.pem")
    if err != nil {
    // do something
    }
    jsonwebtoken := jwt.NewToken("
    0123456789-abcdef@developer.gserviceaccount.com", oauthconfig.Scope, key)
    jsonwebtoken.ClaimSet.Aud = "
    https://accounts.google.com/o/oauth2/token"
    // create a basic httpclient that we will use with the json web token
    assertion
    httpclient := &http.Client{}
    // encode and send the json web token, getting an *oauth.Token in
    return
    oauthtoken, err := jsonwebtoken.Assert(httpclient)
    if err != nil {
    // do something
    }
    // build the oauth http transport
    transport := oauth.Transport{Config: oauthconfig}
    // set the transport token to be the oauthtoken
    transport.Token = oauthtoken
    // create the analytics service, passing in the transport
    analyticsService, err := analytics.New(transport.Client())
    if err != nil {
    // do something
    }
    // create the Analytics Data Service
    dataGaService := analytics.NewDataGaService(analyticsService)

    hope this helps! let me know if you have any more questions. if you're
    still having problems, make sure you've explicitly turned on the API
    specific to the Google service you're trying to authenticate with in the
    Google Cloud Console for the service account that you're using to
    authenticate. sounds obvious but ..... :)

    -RMT
    On Saturday, August 30, 2014 11:29:41 AM UTC-7, ha...@klarsys.com wrote:

    Bump. Exact same issue. Anyone figure it out yet?

    On Saturday, August 23, 2014 5:12:24 AM UTC+5:30, itsle...@gmail.com
    wrote:
    +1 same issue here


    --
    You received this message because you are subscribed to the Google Groups
    "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an
    email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/d/optout.
    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/d/optout.
  • Ameerkhan Mohamed at Feb 11, 2015 at 3:04 pm
    I have used JWTpackage in golang
    https://code.google.com/p/goauth2/source/browse/oauth/jwt/example/main.go ,
    in that code,i have used my client_secrets and My PEM file, but i got
    Assertion error. Everything works fine, but i got Assertion error.

    --
    You received this message because you are subscribed to the Google Groups "golang-nuts" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
    For more options, visit https://groups.google.com/d/optout.

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupgolang-nuts @
categoriesgo
postedJun 13, '13 at 5:11a
activeFeb 11, '15 at 3:04p
posts6
users6
websitegolang.org

People

Translate

site design / logo © 2022 Grokbase