dev-master
9999999-dev https://github.com/raffie-rest Google oAuth2 JWT Generator
MIT
The Requires
- php >=5.5.0
by Raffie REST
Google oAuth2 JWT Generator
Google® oAuth2 JWT Generator Class
This class is already hooked up in another proprietary Remote REST abstraction, but I aim to implement the Google oAuth2 service account auth method by virtue of this class in my Adapter project also.
For the moment, you might be able to incorporate it in your own Remote REST abstraction.
It is intended for exactly that purpose: for those who find the PHP Google client libraries too bloated, but have a hard time figuring out how to generate a JWT and negotiate a token whilst dodging cryptic bad_request / invalid_grant responses. Mostly this is due to the system clock being out of sync with NTP, but this class accounts for this.
Feed it a config array, like so:

    $jwtConfig = [
        'key' => [
            'pass' => 'notasecret',
            // Converted from the .p12 off of the Developer console
            'path' => 'file://' . storage_path() . '/certs/google.pem'
        ],
        'header' => [
            'alg' => 'RS256',
            'typ' => 'JWT'
        ],
        'claim_set' => [
            'iss'   => '', // service account e-mail
            'scope' => 'https://www.googleapis.com/auth/calendar https://www.googleapis.com/auth/prediction',
            'aud'   => 'https://www.googleapis.com/oauth2/v3/token',
            'exp'   => '+30 minutes',
            'sub'   => ''
        ]
    ];

    $generator = new Generator($jwtConfig);
    $returnedJwt = $generator->generate();

Make sure that the relevant APIs are enabled, and the user has read/write access.
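What building and signing a JWT from a claim set like the one above involves, shown as an added example that is not this class's own code. The function names, the placeholder service account e-mail and the throwaway key pair are assumptions made for the illustration; it needs PHP 7.1+ with the openssl extension.

```php
<?php
// Added illustration (PHP 7.1+, ext-openssl); function names are hypothetical.
function base64url(string $data): string
{
    // JWT segments use URL-safe base64 without padding (RFC 7515)
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function buildAssertion(array $claims, $privateKey, string $lifetime = '+30 minutes'): string
{
    // time() counts seconds since the Unix epoch (UTC), whatever date.timezone says
    $now = time();
    $exp = strtotime($lifetime, $now);
    // Google rejects assertions whose exp is more than one hour after iat
    if ($exp === false || $exp <= $now || $exp - $now > 3600) {
        throw new InvalidArgumentException('exp must fall within one hour after iat');
    }
    $claims['iat'] = $now;
    $claims['exp'] = $exp;
    $header = ['alg' => 'RS256', 'typ' => 'JWT'];
    $input = base64url(json_encode($header)) . '.'
        . base64url(json_encode($claims, JSON_UNESCAPED_SLASHES));
    // RS256 is RSASSA-PKCS1-v1_5 over SHA-256
    if (!openssl_sign($input, $signature, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return $input . '.' . base64url($signature);
}

// Constructed demo input: a throwaway key pair stands in for the service account .pem
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
if ($key === false) {
    exit("openssl_pkey_new failed: " . openssl_error_string() . "\n");
}
$jwt = buildAssertion([
    'iss'   => 'my-service@my-project.iam.gserviceaccount.com', // placeholder e-mail
    'scope' => 'https://www.googleapis.com/auth/calendar',
    'aud'   => 'https://www.googleapis.com/oauth2/v3/token',
], $key);

// Check the signature with the public half, as the verifying side would
[$h, $c, $s] = explode('.', $jwt);
$public = openssl_pkey_get_details($key)['key'];
$ok = openssl_verify("$h.$c", base64_decode(strtr($s, '-_', '+/')), $public, OPENSSL_ALGO_SHA256);
echo $ok === 1 ? "signature ok\n" : "signature invalid\n";
echo base64_decode(strtr($c, '-_', '+/')), "\n"; // decoded claim set
```

Because iat and exp are absolute timestamps, a host clock that has drifted still produces a validly signed assertion that the token endpoint can refuse, which is why NTP sync matters regardless of timezone handling.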
The JWT can be used to negotiate an access token via the pseudocode below:

    POST https://www.googleapis.com/oauth2/v3/token HTTP/1.1
    Content-Type: application/x-www-form-urlencoded

    grant_type=urlencode(JWT::$grant_type)&assertion=urlencode($returnedJwt)

In the case of Google oAuth2, the grant_type is virtually always urn:ietf:params:oauth:grant-type:jwt-bearer.
The class is aimed at preventing the cryptic bad_request stuff by converting your time to UTC, but always make sure your system time is in sync with NTP and that you use your service account e-mail address (not your ID).
If everything goes well, you get something like this, which you can cache for further use:

    {
      "access_token" : "1/8xbJqaOZXSUZbHLl5EOtu1pxz3fmmetKx9W8CV4t79M",
      "token_type" : "Bearer",
      "expires_in" : 3600
    }

After the access token has expired, you can simply rebuild the JWT and request a new access token.
Put this header on each Google API request:

    GET https://www.googleapis.com/calendar/v3/users/me/calendarlist HTTP/1.1
    Authorization: Bearer 1/8xbJqaOZXSUZbHLl5EOtu1pxz3fmmetKx9W8CV4t79M