I am trying to make an oauth2 access_token in a server-to-server JSON API scenario. But it failed with invalid_grant error, please help.
from oauth2client.client import SignedJwtAssertionCredentials
KEY_FILE = 'xxxxxxxxxxxx-privatekey.p12'
with open(KEY_FILE, 'r') as fd:
key = fd.read()
SERVICE_ACCOUNT_EMAIL = 'xxxxxx.apps.googleusercontent.com'
credentials = SignedJwtAssertionCredentials(SERVICE_ACCOUNT_EMAIL, key,
scope="https://www.googleapis.com/auth/datastore https://www.googleapis.com/auth/userinfo.email",
token_uri='https://accounts.google.com/o/oauth2/token')
assertion = credentials._generate_assertion()
h = httplib2.Http()
credentials._do_refresh_request(h.request)
and I got
Traceback (most recent call last):
File "/Users/pahud/Projects/oauth2client/x.py", line 24, in <module>
credentials._do_refresh_request(h.request)
File "/Users/pahud/Projects/oauth2client/oauth2client/client.py", line 710, in _do_refresh_request
raise AccessTokenRefreshError(error_msg)
oauth2client.client.AccessTokenRefreshError: invalid_grant
[Finished in 0.7s with exit code 1]
I fixed it.
SERVICE_ACCOUNT_EMAIL = 'xxxxxx.apps.googleusercontent.com'
the above is client ID not Email, I fixed this and it's working now.
I have the same problem.
To solve the problem, you need to notice the following elements:
Did you use client_secrets.json in your program? If yes, check whether the name is the same as that in your current directory.
The "
client_email
" or the "SERVICE_ACCOUNT_EMAIL
" is not your personal email or the client id. It is "client id's email". You can check that email in https://console.developers.google.com/project/==>credentials==>Service account==>email address
.Basically, if your client id is:
<clientid>.apps.googleusercontent.com
You client email here would be:
<clientid>@developer.gserviceaccount.com
In my case the problem was with the .boto file. Try to configure it again with the credentials from the Service account.
For the ones using fallback: gcs_oauth2_boto_plugin.SetFallbackClientIdAndSecret(CLIENT_ID, CLIENT_SECRET)
use for the fallback any "Client ID for native application". This is not necessary as its said in: https://cloud.google.com/storage/docs/gspythonlibrary
but i couldn't find other way, it was throwing errors without it.
来源:https://stackoverflow.com/questions/23918443/got-invalid-grant-in-oauth2-signedjwtassertioncredentials