Skip to content

Instantly share code, notes, and snippets.

Last active November 26, 2024 21:35
Show Gist options
  • Save markelliot/6627143be1fc8209c9662c504d0ff205 to your computer and use it in GitHub Desktop.
Save markelliot/6627143be1fc8209c9662c504d0ff205 to your computer and use it in GitHub Desktop.
Converts Google service user OAuth2 credentials into an access token in Cloudflare-compatible JS
* Get a Google auth token given service user credentials. This function
* is a very slightly modified version of the one found at
* @param {string} user the service user identity, typically of the
* form [user]@[project]
* @param {string} key the private key corresponding to user
* @param {string} scope the scopes to request for this token, a
* listing of available scopes is provided at
* @returns a valid Google auth token for the provided service user and scope or undefined
async function getGoogleAuthToken(user, key, scope) {
function objectToBase64url(object) {
return arrayBufferToBase64Url(
new TextEncoder().encode(JSON.stringify(object)),
function arrayBufferToBase64Url(buffer) {
return btoa(String.fromCharCode( Uint8Array(buffer)))
.replace(/=/g, "")
.replace(/\+/g, "-")
.replace(/\//g, "_")
function str2ab(str) {
const buf = new ArrayBuffer(str.length);
const bufView = new Uint8Array(buf);
for (let i = 0, strLen = str.length; i < strLen; i++) {
bufView[i] = str.charCodeAt(i);
return buf;
async function sign(content, signingKey) {
const buf = str2ab(content);
const plainKey = signingKey
.replace("-----BEGIN PRIVATE KEY-----", "")
.replace("-----END PRIVATE KEY-----", "")
.replace(/(\r\n|\n|\r)/gm, "");
const binaryKey = str2ab(atob(plainKey));
const signer = await crypto.subtle.importKey(
name: "RSASSA-PKCS1-V1_5",
hash: { name: "SHA-256" }
const binarySignature = await crypto.subtle.sign({ name: "RSASSA-PKCS1-V1_5" }, signer, buf);
return arrayBufferToBase64Url(binarySignature);
const jwtHeader = objectToBase64url({ alg: "RS256", typ: "JWT" });
try {
const assertiontime = Math.round( / 1000)
const expirytime = assertiontime + 3600
const claimset = objectToBase64url({
"iss": user,
"scope": scope,
"aud": "",
"exp": expirytime,
"iat": assertiontime
const jwtUnsigned = jwtHeader + "." + claimset
const signedJwt = jwtUnsigned + "." + (await sign(jwtUnsigned, key))
const body = "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=" + signedJwt;
const response = await fetch("", {
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded",
"Cache-Control": "no-cache",
"Host": ""
body: body
const oauth = await response.json();
return oauth.access_token;
} catch (err) {
Copy link

KeKs0r commented Jan 25, 2023

@Moumouls I tried it with calling document ai and it works from my cloudflare worker.

Copy link

Love you all tyty

Copy link

is this still functional getting a 1042 error for some reason

Copy link

Schachte commented Oct 7, 2023

is this still functional getting a 1042 error for some reason


Try this:

Copy link

@Schachte false flag this seems to be working again, wasnt working for a brief while because of the cloudflare --remote service went down.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment