got 'invalid_grant' in oauth2 SignedJwtAssertionCredentials

3

14

I am trying to make an oauth2 access_token in a server-to-server JSON API scenario. But it failed with an invalid_grant error. Please help.

import httplib2
from oauth2client.client import SignedJwtAssertionCredentials

KEY_FILE = 'xxxxxxxxxxxx-privatekey.p12'

# The .p12 key is binary, so read it in binary mode.
with open(KEY_FILE, 'rb') as fd:
    key = fd.read()

SERVICE_ACCOUNT_EMAIL = 'xxxxxx.apps.googleusercontent.com'

credentials = SignedJwtAssertionCredentials(SERVICE_ACCOUNT_EMAIL, key,
      scope="https://www.googleapis.com/auth/datastore https://www.googleapis.com/auth/userinfo.email",
      token_uri='https://accounts.google.com/o/oauth2/token')

# Build the signed JWT assertion, then exchange it for an access token.
assertion = credentials._generate_assertion()

h = httplib2.Http()
credentials._do_refresh_request(h.request)

and I got

Traceback (most recent call last):
  File "/Users/pahud/Projects/oauth2client/x.py", line 24, in <module>
    credentials._do_refresh_request(h.request)
  File "/Users/pahud/Projects/oauth2client/oauth2client/client.py", line 710, in _do_refresh_request
    raise AccessTokenRefreshError(error_msg)
oauth2client.client.AccessTokenRefreshError: invalid_grant
[Finished in 0.7s with exit code 1]

https://i.sstatic.net/iGGYx.png

Angilaangina answered 28/5, 2014 at 17:43 Comment(3)
The email scope needs to start with "https" (not "http"). Does that resolve the issue? - Bohunk
@EdDavisson no, still got invalid_grant :( - Angilaangina
Also, unsynchronized time on the machine can give a similar error. - Froh
12

I fixed it.

SERVICE_ACCOUNT_EMAIL = 'xxxxxx.apps.googleusercontent.com'

The above is the client ID, not the email. I fixed this and it's working now.

Angilaangina answered 29/5, 2014 at 10:42 Comment(1)
In my case I was using my account login email rather than the service account email address you get when you create a new client ID from the credentials section in the Google Developers Console. - Grande
2

I have the same problem.

To solve the problem, you need to notice the following elements:

  1. Did you use client_secrets.json in your program? If yes, check whether the name is the same as that in your current directory.

  2. The "client_email" or the "SERVICE_ACCOUNT_EMAIL" is not your personal email or the client ID. It is the "client ID's email". You can check that email in https://console.developers.google.com/project/ ==> credentials ==> Service account ==> email address.

    Basically, if your client ID is: <clientid>.apps.googleusercontent.com

    Your client email here would be: <clientid>@developer.gserviceaccount.com

Monometallic answered 28/7, 2015 at 17:4 Comment(0)
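
An added example, not part of the original posts: a pre-flight check that decodes a JWT assertion (such as the one returned by `credentials._generate_assertion()` in the question) and flags the causes of invalid_grant raised in this thread: a client ID or personal address in place of the service account email, a non-https scope, and an unsynchronized clock. The function names, the 300-second tolerance and the unsigned sample assertions are assumptions constructed for illustration.

```python
import base64
import json
import time

def jwt_claims(assertion):
    """Decode the claim set (middle segment) of a JWT without verifying it."""
    payload = assertion.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload.encode("ascii")).decode("utf-8"))

def diagnose(assertion, now=None, max_skew=300):
    """Return a list of likely invalid_grant causes found in the assertion."""
    claims = jwt_claims(assertion)
    now = time.time() if now is None else now
    problems = []
    iss = claims.get("iss", "")
    if iss.endswith(".apps.googleusercontent.com"):
        problems.append("iss is a client ID, not the service account email")
    elif "@" not in iss or not iss.endswith("gserviceaccount.com"):
        problems.append("iss is not a service account email address")
    for scope in claims.get("scope", "").split():
        if not scope.startswith("https://"):
            problems.append("scope does not start with https: " + scope)
    iat = claims.get("iat", 0)
    if abs(iat - now) > max_skew:  # max_skew is an assumed tolerance
        problems.append("iat differs from reference time by %d s" % abs(iat - now))
    return problems

def constructed_assertion(iss, scope, iat):
    """Build an unsigned sample assertion (constructed test data, not a real token)."""
    def b64(obj):
        raw = json.dumps(obj).encode("utf-8")
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    claims = {"iss": iss, "scope": scope, "iat": iat, "exp": iat + 3600,
              "aud": "https://accounts.google.com/o/oauth2/token"}
    return ".".join([b64({"alg": "RS256", "typ": "JWT"}), b64(claims), "sig"])

NOW = 1401298980  # constructed reference time
BAD = constructed_assertion("xxxxxx.apps.googleusercontent.com",
                            "https://www.googleapis.com/auth/datastore", NOW)
GOOD = constructed_assertion("xxxxxx@developer.gserviceaccount.com",
                             "https://www.googleapis.com/auth/datastore", NOW)

if __name__ == "__main__":
    for name, a in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, diagnose(a, now=NOW) or "no problems found")
```

For the clock check, pass `now` from a trusted time source rather than the local clock.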
0

In my case the problem was with the .boto file. Try to configure it again with the credentials from the Service account.

For the ones using fallback: gcs_oauth2_boto_plugin.SetFallbackClientIdAndSecret(CLIENT_ID, CLIENT_SECRET)

Use any "Client ID for native application" for the fallback. This is not necessary as it's said in: https://cloud.google.com/storage/docs/gspythonlibrary

but I couldn't find another way; it was throwing errors without it.

Activism answered 29/6, 2015 at 0:12 Comment(0)
