【Question title】: Multiple scopes on GCP service account JWT?
【Posted】: 2019-10-15 15:11:27
【Question】:

How do I set multiple scopes in the JWT used to obtain an access token for a service account?

Here is my JWT code. It works for a single scope but not for multiple scopes. I tried comma-separated values, but no luck.

```swift
import Foundation
import SwiftJWT

private func makeSignedJWT() throws -> String {
    let header = Header()
    struct MyClaims: Claims {
        /// The email address of the service account.
        var iss: String
        /// A space-delimited list of the permissions that the application requests.
        var scope: String
        /// A descriptor of the intended target of the assertion. When making an access token request this value is always https://oauth2.googleapis.com/token.
        var aud: String
        /// The expiration time of the assertion, specified as seconds since 00:00:00 UTC, January 1, 1970. This value has a maximum of 1 hour after the issued time.
        var exp: Date
        /// The time the assertion was issued, specified as seconds since 00:00:00 UTC, January 1, 1970.
        var iat: Date
    }
    let now = Date()
    let claims = MyClaims(
        iss: "my.account@my.account.gserviceaccount.com",
//        scope: "https://www.googleapis.com/auth/admin.directory.user.readonly",
        scope: [
            "https://www.googleapis.com/auth/admin.directory.user.alias.readonly",
            "https://www.googleapis.com/auth/admin.directory.user.readonly",
        ].joined(separator: ","),
        aud: "https://oauth2.googleapis.com/token",
        exp: now.addingTimeInterval(60 * 60),
        iat: now)
    var jwt = JWT(header: header, claims: claims)
    let jwtKeyData = "-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----\n".data(using: .utf8)!
    let jwtSigner = JWTSigner.rs256(privateKey: jwtKeyData)
    let signedJWT = try jwt.sign(using: jwtSigner)
    return signedJWT
}
```

It fails with this error:

```json
{
  "error": "invalid_scope",
  "error_description": "https://www.googleapis.com/auth/admin.directory.user.alias.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly is not a valid audience string."
}
```
  • Is a comma-separated value the correct way to specify multiple scopes?
  • Or is something misconfigured on my side?

I am using Xcode 11, Swift 5.x and the IBM Swift-JWT library.

【Question comments】:

    Tags: google-cloud-platform google-workspace service-accounts google-cloud-iam


    【Answer 1】:

    Scopes are joined and separated by a space, not a comma:

    ```swift
    ].joined(separator: " "),
    ```
    

    【Comments】:
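
An added example, not code from the question or the answer (and in Python rather than the asker's Swift, so it runs without Swift-JWT): it builds the claim set for Google's service-account JWT bearer grant with the space-delimited scope string the answer gives, which the doc comment on `scope` in the asker's own `Claims` struct already describes, and rejects comma-joined scopes and lifetimes over the one-hour `exp` limit before anything is sent. The service-account address and timestamp are constructed values; RS256 signing of the `header.payload` string is left to a JWT library.

```python
import base64
import json
import time

TOKEN_AUD = "https://oauth2.googleapis.com/token"  # fixed audience for the token endpoint
MAX_LIFETIME = 3600                                  # an assertion may live at most one hour


def join_scopes(scopes):
    """Return the space-delimited scope string Google expects.

    A comma, or whitespace inside one scope, is the mistake from the question;
    reject it here instead of getting 'invalid_scope' back from the token endpoint.
    """
    cleaned = []
    for scope in scopes:
        scope = scope.strip()
        if not scope or "," in scope or any(ch.isspace() for ch in scope):
            raise ValueError(f"malformed scope: {scope!r}")
        if scope not in cleaned:  # drop duplicates, keep order
            cleaned.append(scope)
    if not cleaned:
        raise ValueError("at least one scope is required")
    return " ".join(cleaned)


def build_claims(iss, scopes, now=None, lifetime=MAX_LIFETIME):
    """Claim set for the service-account JWT bearer grant (iss = SA e-mail)."""
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime must be between 1 and 3600 seconds")
    iat = int(time.time() if now is None else now)
    return {"iss": iss, "scope": join_scopes(scopes), "aud": TOKEN_AUD,
            "exp": iat + lifetime, "iat": iat}


def _segment(obj):
    """base64url without padding of compact JSON, as JWT segments are encoded."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def signing_input(claims):
    """header.payload; RS256 over this with the SA private key gives the signed JWT."""
    return _segment({"alg": "RS256", "typ": "JWT"}) + "." + _segment(claims)


def decode_payload(token):
    """Recover the claims from the second segment, e.g. to inspect 'scope' before sending."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
```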
