Freebase oAuth2 错误请求(400).Net

【问题标题】:Freebase oAuth2 Bad Request(400) .NetFreebase oAuth2 错误请求(400).Net
【发布时间】:2015-02-25 17:47:22
【问题描述】:

我阅读了教程 https://developers.google.com/accounts/docs/OAuth2ServiceAccount

并尝试使用他们的示例,但不断收到 400 个错误请求。 这是我的代码:

 ClaimSet cs = new ClaimSet()
        {
            aud = "https://www.googleapis.com/oauth2/v3/token",
            iss = "1070248278615-hoq0meaunarl9hj8t9klg4gqkohlme9u@developer.gserviceaccount.com",
            exp = GetTime(DateTime.UtcNow.AddHours(1)).ToString(),
            iat = GetTime(DateTime.UtcNow).ToString(),
            scope = "https://www.googleapis.com/auth/freebase"
        };

        //get the signed JWT
        var signedJwt = JsonWebToken.Encode(cs);           


public static string Encode(object payload, JwtHashAlgorithm algorithm = JwtHashAlgorithm.RS256)
        {
            return Encode(payload, Encoding.UTF8.GetBytes(PrivateKey), algorithm);
        }

    public static string Encode(object payload, byte[] keyBytes, JwtHashAlgorithm algorithm)
    {
        var segments = new List<string>();
        var header = new { alg = algorithm.ToString(), typ = "JWT" };

        byte[] headerBytes = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(header, Formatting.None));
        byte[] payloadBytes = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(payload, Formatting.None));

        segments.Add(Base64UrlEncode(headerBytes));
        segments.Add(Base64UrlEncode(payloadBytes));

        var stringToSign = string.Join(".", segments);

        var bytesToSign = Encoding.UTF8.GetBytes(stringToSign);

        byte[] signature = HashAlgorithms[algorithm](keyBytes, bytesToSign);
        segments.Add(Base64UrlEncode(signature));

        return string.Join(".", segments.ToArray());
    }
        using (var wb = new WebClient())
        {
            var url = "https://www.googleapis.com/oauth2/v3/token/";
            wb.Headers.Add("Content-Type", "application/x-www-form-urlencoded");
            var data2 = new NameValueCollection();
            data2["grant_type"] = "urn:ietf:params:oauth:grant-type:jwt-bearer";
            data2["assertion"] = signedJwt;
            var response2 = wb.UploadValues(url, "POST", data2);
        }

现在在获得访问令牌后,我尝试写入 freebase: 使用以下教程,我看到我应该 Get 动词: https://developers.google.com/accounts/docs/OAuth2ServiceAccount#creatinganaccount

    var url = "https://www.googleapis.com/freebase/v1/mqlwrite";
                wb.QueryString.Add("lang", "/lang/en");
                wb.QueryString.Add("query", "%5B%7B%0A%20%20%22mid%22%3A%20%22%2Fm%2F011840dm%22%2C%0A%20%20%22%2Fcommon%2Ftopic%2Ftopic_equivalent_webpage%22%3A%20%7B%0A%20%20%20%20%22connect%22%3A%20%22insert%22%2C%0A%20%20%20%20%22value%22%3A%20%22http%3A%2F%2Fwww.imdb.com%2Fname%2Fnm4963898%2F%22%0A%20%20%7D%0A%7D%5D");
                wb.Headers.Add("Authorization", "Bearer " + accesstoken);
                var ResponseBytes = wb.DownloadString(url);

感谢帮助:)

【问题讨论】:

    标签: .net oauth-2.0 freebase bad-request


    【解决方案1】:

    您在 POST 数据中包含 Content-Type,但它应该作为 HTTP 标头的一部分显示,如下所示:

    wb.Headers.Add("Content-Type","application/x-www-form-urlencoded");

    然而,使用 UploadValues 这将是默认设置,除非被覆盖。

    除此之外,UploadValues 会自动对您的值进行 URL 编码,因此您应该以原始形式呈现它们;所以对于授权类型,这意味着:

    data2["grant_type"] = "urn:ietf:params:oauth:grant-type:jwt-bearer";

    编辑1:
    此外,您的 JWT 使用了错误的 aud 声明,因为它设置为 https://accounts.google.com/o/oauth2/token 而不是 https://www.googleapis.com/oauth2/v3/token,并且自 2012 年 7 月 2 日起过期。

    编辑2: 您还必须发布到不带斜杠的 URL 并正确获取 iatexp 时间戳。使用Newtonsoft.Json成功测试代码:

    public class GoogleServiceAccountBearerJWTSample
{
    private static string Base64UrlEncode(byte[] input)
    {
        var output = Convert.ToBase64String(input);
        output = output.Split('=')[0]; // Remove any trailing '='s
        output = output.Replace('+', '-'); // 62nd char of encoding
        output = output.Replace('/', '_'); // 63rd char of encoding
        return output;
    }

    public static string Encode(object payload, AsymmetricAlgorithm rsa) {
        var segments = new List<string>();
        var header = new { alg = "RS256", typ = "JWT" };
        byte[] headerBytes = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(header, Formatting.None));
        byte[] payloadBytes = Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(payload, Formatting.None));
        segments.Add(Base64UrlEncode(headerBytes));
        segments.Add(Base64UrlEncode(payloadBytes));
        var stringToSign = string.Join(".", segments.ToArray());
        var bytesToSign = Encoding.UTF8.GetBytes(stringToSign);

        // VARIANT A - should work on non-SHA256 enabled systems
        var rs = rsa as RSACryptoServiceProvider;
        var cspParam = new CspParameters
        {
            KeyContainerName = rs.CspKeyContainerInfo.KeyContainerName,
            KeyNumber = rs.CspKeyContainerInfo.KeyNumber == KeyNumber.Exchange ? 1 : 2
        };
        var aescsp = new RSACryptoServiceProvider(cspParam) { PersistKeyInCsp = false };
        var signature = aescsp.SignData(bytesToSign, "SHA256");
        // END OF VARIANT A

        // VARIANT B - works on FIPS SHA256 enabled systems
        // var pkcs1 = new RSAPKCS1SignatureFormatter(rsa);
        // pkcs1.SetHashAlgorithm("SHA256");
        // var signature = pkcs1.CreateSignature(new SHA256Managed().ComputeHash(bytesToSign));
        // END OF VARIANT B

        segments.Add(Base64UrlEncode(signature));
        return string.Join(".", segments.ToArray());
   }

   public static void Main()
   {    
        var utc0 = new DateTime(1970,1,1,0,0,0,0, DateTimeKind.Utc);
        var issueTime = DateTime.UtcNow;

        var iat = (int)issueTime.Subtract(utc0).TotalSeconds;
        var exp = (int)issueTime.AddMinutes(55).Subtract(utc0).TotalSeconds; // Expiration time is up to 1 hour, but lets play on safe side

        var payload = new {
            iss = "xxxxxxxxxxxxxxxxxx@developer.gserviceaccount.com",
            aud = "https://www.googleapis.com/oauth2/v3/token",
            scope = "https://www.googleapis.com/auth/freebase",
            exp = exp,
            iat = iat
        };

        var certificate = new X509Certificate2("google-client.p12", "notasecret");
        var signedJwt = Encode(payload, certificate.PrivateKey);

        //System.Console.WriteLine(signedJwt);

        using (var wb = new WebClient())
        {
            var url = "https://www.googleapis.com/oauth2/v3/token";
            var data2 = new NameValueCollection();
            data2["grant_type"] = "urn:ietf:params:oauth:grant-type:jwt-bearer";
            data2["assertion"] = signedJwt;
            var response2 = wb.UploadValues(url, "POST", data2);
            System.Console.WriteLine(Encoding.UTF8.GetString(response2));
        }
    }
}

    【讨论】:

    • 感谢您的回复。我按照您的建议更改了我的代码(如您在上面看到的),但不幸的是仍然收到相同的“400 Bad Request”错误。我做错了什么?
    • 见附录回答
    • @Hans Z. 你确定吗? JWT 取自 [link]developers.google.com/accounts/docs/OAuth2ServiceAccount 中的示例,我看到他们确实使用 [link] googleapis.com/oauth2/v3/token 你看到其他了吗?
    • 好的,这就是您问题的根本原因:您不能采用 a JWT(如 Google 示例中的 JWT)并展示它...您需要在 Google API 控制台中生成您的自己的客户端和关联的私钥,并使用该信息(电子邮件 + 私钥)创建和签署 您自己的 JWT。创建您自己的客户端的过程在developers.google.com/accounts/docs/… 中有很好的描述。 @mashtagidi:您可以为您的问题创建一个单独的问题
    • @HansZ。我在 Google API 控制台中生成了我自己的客户端和关联的私钥,并使用这些信息(电子邮件 + 私钥)来创建和签署我自己的 JWT。但不断收到相同的错误“400 Bad Request”。我在我的问题中添加了我的代码。
    猜你喜欢
    • 1970-01-01
    • 2023-01-14
    • 2016-12-03
    • 1970-01-01
    • 1970-01-01
    • 2018-07-04
    • 1970-01-01
    • 1970-01-01
    • 2012-03-18
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode