JWT 和 PHP 的问题

Question

我需要为我的服务帐户获取一个访问令牌，该令牌是在我的 google 控制台中创建的，以获取对 google 电子表格服务的私人访问权限！

我的测试用php文件：

<?php

function base64_url_encode($input) {
    return strtr(str_replace('=', '', base64_encode($input)), '+/', '-_');
}

header('Content-type: text/plain');

$header = '{"alg":"RS256","typ":"JWT"}';

$payload =
'{
  "iss":"[my service account]@[my project name].iam.gserviceaccount.com",
  "scope":"https://www.googleapis.com/auth/spreadsheets",
  "aud":"https://www.googleapis.com/oauth2/v4/token",
  "exp":'.(time() + 3600).',
  "iat":'.(time()).'
}';


include('Crypt/RSA.php');

$rsa = new Crypt_RSA();

$private_key = "-----BEGIN PRIVATE KEY-----[my private key from google console json file of my service account]-----END PRIVATE KEY-----\n";

//$rsa->setPassword('password');
$rsa->loadKey($private_key); // private key

$plaintext = base64_url_encode($header).'.'.base64_url_encode($payload);

$rsa->setSignatureMode(CRYPT_RSA_SIGNATURE_PKCS1);
$signature = $rsa->sign($plaintext);

//$rsa->loadKey($rsa->getPublicKey()); // public key
//echo $rsa->verify($plaintext, $signature) ? 'verified' : 'unverified';

$jwt =  base64_url_encode($header).'.'.base64_url_encode($payload).'.'.base64_url_encode($signature);



$query = http_build_query(Array('grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer', 'assertion' => $jwt));

//echo $query;

$options = array(
    'http' => array(
        'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
        'method'  => 'POST',
        'content' => $query
    )
);

$context  = stream_context_create($options);

$access_token = file_get_contents('https://www.googleapis.com/oauth2/v4/token', false, $context);

?>

php 输出：

file_get_contents(https://www.googleapis.com/oauth2/v4/token) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: HTTP request failed! HTTP/1.0 400 Bad Request

如果我在 wfetch 中运行相同的查询（来自 php 脚本的“$query”变量）：

HTTP/1.1 400 Bad Request\r\n
{\n
 "error": "invalid_grant",\n
 "error_description": "Invalid JWT Signature."\n
}\n

附：我的 php 版本是 PHP 5.2（不支持命名空间），也使用了 phpseclib1.0.3。

附言尝试将 RS256 更改为 HS256，谷歌仍然响应 400 - 无效的 JWT 签名，但如果更改为不存在的 XX256（例如）-> 谷歌响应 500 - 错误：internal_failure。所以我想可能是google也支持HS256。如果这是真的 - 我可以使用更简单的 HS256 方法。我发现了这个：https://github.com/progrium/php-jwt/blob/master/JWT.php

Answer 1

这是一个完整的 openssl/curl 示例：

<?php

$url = "https://www.googleapis.com/oauth2/v4/token";
$scope = 'https://www.googleapis.com/auth/spreadsheets';

$client_id = 'xxxxx@developer.gserviceaccount.com';
$p12 = 'google-api-xxxxx.p12';
$p12pwd = 'notasecret';

function base64_url_encode($input) {
    return str_replace('=', '', strtr(base64_encode($input), '+/', '-_'));
}

$iat = time();
$jwt_data = array(
    'iss' => $client_id,
    'aud' => $url,
    'scope' => $scope,
    'exp' => $iat + 3600,
    'iat' => $iat,
);

openssl_pkcs12_read(file_get_contents($p12), $certs, $p12pwd);
$header = array('typ' => 'JWT', 'alg' => 'RS256');
$signing_input = base64_url_encode(json_encode($header)) . '.' . base64_url_encode(json_encode($jwt_data));
openssl_sign($signing_input, $signature, $certs['pkey'], 'SHA256');
$jwt = $signing_input . '.' . base64_url_encode($signature);

$data = array(
    "grant_type" => "urn:ietf:params:oauth:grant-type:jwt-bearer",
    "assertion" => $jwt
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch) ;
echo $response;
?>