'invalid_grant' error while getting OAuth token with Service Account in Google Cloud Storage

I've written a small Qt/С++ app that uses Google Cloud Storage to save image files. I created a service account client ID in my Google API console and try to interact with Google REST API. But before all I need to get an OAuth authorization token.

I've been trying to get the token for three days but everytime I get the same annoying error: { "error" : "invalid_grant" }

I tried to adjust the time as it was suggested here: invalid_grant Returned using Service Account and Google Drive API. It didn't help.

I created another Client ID in Google API Console as this topic suggests: Invalid_grant in Google Analytics. No result.

Here is a code of my tiny small class which requests the token. Please could anyone say what I'm doing wrong?

#include "googlestorageuploader.h"
#include "openssl/evp.h"
#include "openssl/pem.h"
#include "openssl/bio.h"
#include "openssl/err.h"
#include "openssl/pkcs12.h"
#include <QFile>
#include <QDateTime>
#include <QNetworkAccessManager>
#include <QNetworkRequest>
#include <QSslConfiguration>
#include <QDebug>

// Just a wrapper that takes OpenSsl function 'a' and calls it.
// If 'a' returns zero the wrapper throws a string containg description
// of error occured
if (!a) \
{ \
    char buffer[120]; \
    ERR_error_string(ERR_get_error(), buffer); \
    char s[256]; \
    sprintf(s, ""#a" function call failed.\n%s", buffer); \
    throw s; \
} \

// String template for standard JWT Header
const QString kJwtHeader = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";

// String template for JWT claim set
// Contains two placeholders for "exp" and "iat" keys
const QString kJwtClaimSet = "{"

// This function computes JWT signature
// 'input' is an array of bytes passed as an input
// 'privateKey' is an array of bytes that contains a private key in PKCS12 format
//      (as it is in the file received from 'Google APIs Console->API Access')
// Uses OpenSSL API to create a signature using SHA256withRSA
QByteArray signWithRsaSha256(const QByteArray &input, const QByteArray &privateKey)
    EVP_PKEY *pkey = 0;
    BIO *bp = 0;
    EVP_MD_CTX *ctx = 0;
    const EVP_MD *sha256Md = 0;
    unsigned char sig[256];
    unsigned int s(0);
    QByteArray out;
    PKCS12 *p12 = 0;
    X509 *cert= 0;


    ctx = EVP_MD_CTX_create();
    sha256Md = EVP_sha256(); // TODO: need to free
    bp = BIO_new_mem_buf((void*), privateKey.size());

    try {
        OPENSSL_FUNCTION_CALL(EVP_SignInit(ctx, sha256Md));
        OPENSSL_FUNCTION_CALL(EVP_SignUpdate(ctx, input.constData(), input.size()));
        OPENSSL_FUNCTION_CALL(d2i_PKCS12_bio(bp, &p12));
        OPENSSL_FUNCTION_CALL(PKCS12_parse(p12, "notasecret", &pkey, &cert, NULL));

        s = EVP_PKEY_size(pkey);
        OPENSSL_FUNCTION_CALL(EVP_SignFinal(ctx, sig, &s, pkey));

        out.setRawData((const char *)sig, s);
    catch (const char *s)
        qCritical() << s;

    return out;

CGoogleStorageUploader::CGoogleStorageUploader(QObject *parent) :
    nam_ = new QNetworkAccessManager(this);

// Creates and sends HTTP POST request to get an authorization token
void CGoogleStorageUploader::requestToken()
    QNetworkRequest req(QUrl(""));

    req.setRawHeader("Host", "");
    req.setRawHeader("Content-Type", "application/x-www-form-urlencoded");

    QByteArray assertion = formJWT();
    QByteArray data;
    data = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=" + assertion;

    QNetworkReply *reply = nam_->post(req, data);
    connect(reply, SIGNAL(finished()), SLOT(onNetworkReplyFinished()));
    connect(reply, SIGNAL(sslErrors(QList<QSslError>)), SLOT(onNetworkReplySslErrors(QList<QSslError>)));
    connect(reply, SIGNAL(error(QNetworkReply::NetworkError)), SLOT(onNetworkReplyError(QNetworkReply::NetworkError)));

// Constructs JWT
QByteArray CGoogleStorageUploader::formJWT()
    QDateTime now = QDateTime::currentDateTime();
    QDateTime utcNow = now.toUTC();
    quint32 secs = utcNow.toTime_t() - 300; // adjust to Google Server time
    QString claimSet = kJwtClaimSet.arg(secs + 3600).arg(secs); // fill "exp" and "iat" fields

    QByteArray signature, privateKey, jwt;
    QFile file (":res/pk.p12"); // copy of file received from Google API Console
    if (
        privateKey = file.readAll();
        QByteArray encodedHeader = kJwtHeader.toUtf8().toBase64(); // serialize to UTF8 and Base64url safe encode (
        QByteArray encodedClaimSet = claimSet.toUtf8().toBase64(); // serialize to UTF8 and Base64url safe encode (

        // "Sign the UTF-8 representation of the input" (
        signature = signWithRsaSha256(QString(encodedHeader + "." + encodedClaimSet).toUtf8(), privateKey);
        QByteArray encodedSignature = signature.toBase64();

        jwt = encodedHeader + "." + encodedClaimSet + "." + encodedSignature;


    qDebug() << jwt;

    return jwt;

void CGoogleStorageUploader::onNetworkReplyFinished()
    QNetworkReply *r = static_cast<QNetworkReply*>(sender());
    qDebug() << "finished: " << r->readAll();

void CGoogleStorageUploader::onNetworkReplySslErrors(const QList<QSslError> &errs)
    QNetworkReply *r = static_cast<QNetworkReply*>(sender());
    qDebug() << "ssl errors: " << r->readAll();

void CGoogleStorageUploader::onNetworkReplyError(QNetworkReply::NetworkError err)
    qDebug() << "network error:  " << err;

Answers (1)


Don't you have to first make a call to get the code? After you have the code, you can make the call to get the token...

