OAuth2 Authentication for Google Service Account - jwt improperly generated

[natoinet]

Hello,

I've had no problem connecting to Google APIs following your tutorial with web app credentials https://requests-oauthlib.readthedocs.io/en/latest/examples/google.html

However, I don't want to have to authorize everytime through the browser so I actually need service credentials https://developers.google.com/api-client-library/python/auth/service-accounts

I've been following #152, but when I do google.fetch_token(token_url), I always get an InvalidGrant Error:

oauthlib.oauth2.rfc6749.errors.InvalidGrantError: (invalid_grant) Invalid JWT: Failed audience check. The right audience is https://accounts.google.com/o/oauth2/token

But the value of aud is actually 'https://accounts.google.com/o/oauth2/token'

Any idea?

Thanks!

[natoinet]

Here is exactly what I do:

>>> import json
>>> from oauthlib.oauth2 import ServiceApplicationClient
>>> from requests_oauthlib import OAuth2Session
>>> json_file = json.load(open("google_service_privatekey.json"))
>>> client_id = json_file['client_id']
>>> issuer = json_file['client_email']
# aud values are based on: 
# https://github.com/google/oauth2client/blob/master/oauth2client/service_account.py 
# https://github.com/google/oauth2client/blob/master/oauth2client/__init__.py
>>> aud = 'https://www.googleapis.com/oauth2/v4/token'
>>> scope = 'https://www.googleapis.com/auth/tasks'
>>> private_key_id = json_file['private_key_id']
>>> private_key_pkcs8_pem = json_file['private_key']
>>> client = ServiceApplicationClient(client_id, issuer=issuer, audience=aud, private_key=private_key_pkcs8_pem)
>>> google = OAuth2Session(client_id, client=client)
>>> google.fetch_token(token_url)

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/antoinet/.virtualenvs/scraper/lib/python3.4/site-packages/requests_oauthlib/oauth2_session.py", line 244, in fetch_token
    self._client.parse_request_body_response(r.text, scope=self.scope)
  File "/Users/antoinet/.virtualenvs/scraper/lib/python3.4/site-packages/oauthlib/oauth2/rfc6749/clients/base.py", line 409, in parse_request_body_response
    self.token = parse_token_response(body, scope=scope)
  File "/Users/antoinet/.virtualenvs/scraper/lib/python3.4/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 376, in parse_token_response
    validate_token_parameters(params)
  File "/Users/antoinet/.virtualenvs/scraper/lib/python3.4/site-packages/oauthlib/oauth2/rfc6749/parameters.py", line 383, in validate_token_parameters
    raise_from_error(params.get('error'), params)
  File "/Users/antoinet/.virtualenvs/scraper/lib/python3.4/site-packages/oauthlib/oauth2/rfc6749/errors.py", line 271, in raise_from_error
    raise cls(**kwargs)
oauthlib.oauth2.rfc6749.errors.InvalidGrantError: (invalid_grant) Invalid JWT: Failed audience check. The right audience is https://www.googleapis.com/oauth2/v4/token

Also, when I do in Python:

>>> client.prepare_request_body()

Then with the result:

curl -d 'grant_type=urn........' https://www.googleapis.com/oauth2/v4/token

I also receive the same error:

oauthlib.oauth2.rfc6749.errors.InvalidGrantError: (invalid_grant) Invalid JWT: Failed audience check. The right audience is https://www.googleapis.com/oauth2/v4/token

So it seems the jwt is not correctly generating

[tolsac]

👍

[TahirJanjua]

I am also going through a similar error? Have you resolved the issue?