Generating and signing a JWT for authentication with Google APIs

Loan_J · January 20, 2023, 4:47pm

Hello,
I am trying to generate and sign a JWT for authentication with Google APIs in n8n. So far, everything in my workflow seems to work, except for the signing part. When I send my token to the Google API URI, it returns an invalid_signature error.

Any clues on how I could solve this issue?

NOTA: Generating a JWT using this website works, but I want to be able to automate the generation.

Jon · January 20, 2023, 5:09pm

Hey @Loan_J,

This is one of those things where it is going to be a case of comparing the JWT payload you generate with the payload that you get from the site just to make sure there are no odd differences.

Once thing I would say though is does the OAuth2 credential type not work for you? I feel like it should take care of most of this for you.

Loan_J · January 20, 2023, 5:13pm

To be honest, my use case is to automatically update a domain users email signature using a workflow. To do that, I need to impersonate these users, and I can’t seem to do that with an OAuth credential nor with the HTTP request node.

See Method: users.settings.sendAs.patch | Gmail | Google Developers to understand what I want to do

Loan_J · January 20, 2023, 5:17pm

If I simply use OAuth, I will get an error specifying that the access is restricted to service accounts that have been delegated domain-wide authority.

My service account indeed has been delegated domain-wide authority, thus why I am trying to generate a JWT to impersonate a user, then generate an OAuth access token using this JWT and finally be authorized to use the resource.
It’s a frustrating hassle and I can’t really seem to be able to sort it out.

Jon · January 20, 2023, 5:20pm

Hey @Loan_J,

That is strange, That error about being restricted is coming back from Google. I had it once and it took 24 hours for the Google Workplace change to go through.

I guess then it is going to be a case of carefully checking the input data to make sure there is nothing odd, This is one of those tricky flows that is going to take some time and a google account or 2 to play with.

Loan_J · January 20, 2023, 6:35pm

Okay, so after double-checking again and again, I fixed the encoding of the header and claim set. Now the only issue I have is with the signature. Google provides private keys for its service accounts.

When trying to sign my token using the Crypto node, I get the following error:

I managed to fix this error by doing exactly this;

privateKey = $json.privateKey.split(String.raw`\n`).join('\n');

THOUGH

This does return the signed string but it’s an invalid signature:

All I can seem to understand right now is that the crypto node does not sign correctly the payload I send to it.

NOTA

I made tests, like you said, using this website, use it as a reference if you need

system · April 20, 2023, 6:35pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.