After you obtain the client ID and private key from the
API Console, your application needs to complete the
following steps:
If the response includes an access token, you can use the access token to
call a Google API
. (If the response does not include an access
token, your JWT and token request might not be properly formed, or the service account might
not have permission to access the requested scopes.)
The rest of this section describes the specifics of creating a JWT, signing the JWT,
forming the access token request, and handling the response.
Creating a JWT
A JWT is composed of three parts: a header, a claim set, and a
signature. The header and claim set are JSON objects. These JSON objects are serialized to
UTF-8 bytes, then encoded using the Base64url encoding. This encoding provides resilience
against encoding changes due to repeated encoding operations. The header, claim set, and
signature are concatenated together with a period (
.
) character.
A JWT is composed as follows:
{Base64url encoded header}.{Base64url encoded claim set}.{Base64url encoded signature}
The base string for the signature is as follows:
{Base64url encoded header}.{Base64url encoded claim set}
The header consists of three fields that indicate the signing algorithm, the format of
the assertion, and the [key ID of the service account
key](https://cloud.google.com/iam/docs/reference/rest/v1/projects.serviceAccounts.keys)
that was used to sign the JWT. Algorithm and format are mandatory, and each field has only
one value. As additional algorithms and formats are introduced, this header will change
accordingly. The key ID is optional and if an incorrect Key ID is specified GCP will try
all keys associated with the service account to verify the token and reject the token if
no valid key is found. Google reserves the right to reject tokens with incorrect key IDs
in the future.
Service accounts rely on the RSA SHA-256 algorithm and the JWT token format. As a result,
the JSON representation of the header is as follows:
{"alg":"RS256","typ":"JWT", "kid":"370ab79b4513eb9bad7c9bd16a95cb76b5b2a56a"}
The Base64url representation of this is as follows:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsICJraWQiOiIzNzBhYjc5YjQ1MTNlYjliYWQ3YzliZDE2YTk1Y2I3NmI1YjJhNTZhIn0=
The JWT claim set contains information about the JWT, including the permissions being
requested (scopes), the target of the token, the issuer, the time the token was issued,
and the lifetime of the token. Most of the fields are mandatory. Like the JWT header, the
JWT claim set is a JSON object and is used in the calculation of the signature.
Required claims
The required claims in the JWT claim set are shown below. They may appear in any order in
the claim set.
Name
|
Description
|
iss
|
The email address of the service account.
|
scope
|
A space-delimited list of the permissions that the application requests.
|
aud
|
A descriptor of the intended target of the assertion. When making an access token
request this value is always
https://oauth2.googleapis.com/token
.
|
exp
|
The expiration time of the assertion, specified as seconds since 00:00:00 UTC,
January 1, 1970. This value has a maximum of 1 hour after the issued time.
|
iat
|
The time the assertion was issued, specified as seconds since 00:00:00 UTC,
January 1, 1970.
|
The JSON representation of the required fields in a JWT claim set is shown below:
{
"iss": "761326798069-r5mljlln1rd4lrbhg75efgigp36m78j5@developer.gserviceaccount.com",
"scope": "https://www.googleapis.com/auth/devstorage.read_only",
"aud": "https://oauth2.googleapis.com/token",
"exp": 1328554385,
"iat": 1328550785
}
Additional claims
In some enterprise cases, an application can use domain-wide delegation to act on behalf
of a particular user in an organization. Permission to perform this type of impersonation
must be granted before an application can impersonate a user, and is usually handled by a
super administrator. For more information, see
Control API access with domain-wide delegation
.
To obtain an access token that grants an application delegated access to a resource,
include the email address of the user in the JWT claim set as the value of the
sub
field.
Name
|
Description
|
sub
|
The email address of the user for which the application is requesting delegated
access.
|
If an application does not have permission to impersonate a user, the response to an
access token request that includes the
sub
field will be an
error
.
An example of a JWT claim set that includes the
sub
field is shown
below:
{
"iss": "761326798069-r5mljlln1rd4lrbhg75efgigp36m78j5@developer.gserviceaccount.com",
"sub": "some.user@example.com",
"scope": "https://www.googleapis.com/auth/prediction",
"aud": "https://oauth2.googleapis.com/token",
"exp": 1328554385,
"iat": 1328550785
}
Encoding the JWT claim set
Like the JWT header, the JWT claim set should be serialized to UTF-8 and Base64url-safe
encoded. Below is an example of a JSON representation of a JWT Claim set:
{
"iss": "761326798069-r5mljlln1rd4lrbhg75efgigp36m78j5@developer.gserviceaccount.com",
"scope": "https://www.googleapis.com/auth/prediction",
"aud": "https://oauth2.googleapis.com/token",
"exp": 1328554385,
"iat": 1328550785
}
Computing the signature
JSON Web Signature
(JWS) is the specification that guides the mechanics of generating the signature for the
JWT. The input for the signature is the byte array of the following content:
{Base64url encoded header}.{Base64url encoded claim set}
The signing algorithm in the JWT header must be used when computing the signature. The
only signing algorithm supported by the Google OAuth 2.0 Authorization Server is RSA using
SHA-256 hashing algorithm. This is expressed as
RS256
in the
alg
field in the JWT header.
Sign the UTF-8 representation of the input using SHA256withRSA (also known as
RSASSA-PKCS1-V1_5-SIGN with the SHA-256 hash function) with the private key obtained from
the
Google API Console
. The output will be a byte array.
The signature must then be Base64url encoded. The header, claim set, and signature are
concatenated together with a period (
.
) character. The result is the JWT. It
should be the following (line breaks added for clarity):
{Base64url encoded header}.
{Base64url encoded claim set}.
{Base64url encoded signature}
Below is an example of a JWT before Base64url encoding:
{"alg":"RS256","typ":"JWT"}.
{
"iss":"761326798069-r5mljlln1rd4lrbhg75efgigp36m78j5@developer.gserviceaccount.com",
"scope":"https://www.googleapis.com/auth/prediction",
"aud":"https://oauth2.googleapis.com/token",
"exp":1328554385,
"iat":1328550785
}.
[signature bytes]
Below is an example of a JWT that has been signed and is ready for transmission:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiI3NjEzMjY3OTgwNjktcjVtbGpsbG4xcmQ0bHJiaGc3NWVmZ2lncDM2bTc4ajVAZGV2ZWxvcGVyLmdzZXJ2aWNlYWNjb3VudC5jb20iLCJzY29wZSI6Imh0dHBzOi8vd3d3Lmdvb2dsZWFwaXMuY29tL2F1dGgvcHJlZGljdGlvbiIsImF1ZCI6Imh0dHBzOi8vd3d3Lmdvb2dsZWFwaXMuY29tL29hdXRoMi92NC90b2tlbiIsImV4cCI6MTMyODU1NDM4NSwiaWF0IjoxMzI4NTUwNzg1fQ.UFUt59SUM2_AW4cRU8Y0BYVQsNTo4n7AFsNrqOpYiICDu37vVt-tw38UKzjmUKtcRsLLjrR3gFW3dNDMx_pL9DVjgVHDdYirtrCekUHOYoa1CMR66nxep5q5cBQ4y4u2kIgSvChCTc9pmLLNoIem-ruCecAJYgI9Ks7pTnW1gkOKs0x3YpiLpzplVHAkkHztaXiJdtpBcY1OXyo6jTQCa3Lk2Q3va1dPkh_d--GU2M5flgd8xNBPYw4vxyt0mP59XZlHMpztZt0soSgObf7G3GXArreF_6tpbFsS3z2t5zkEiHuWJXpzcYr5zWTRPDEHsejeBSG8EgpLDce2380ROQ