Getting Error on /oauth2/token when asserting JWTs: current date time must be before expiration date
When signing your first JWT for the Box Platform, you might run into a few problems. Here is one of the errors you might see when trying to get an access token:
{"error":"invalid_grant","error_description":"Current date\/time MUST be before the expiration date\/time listed in the 'exp' claim"}
If you find yourself experiencing this error, I would remove the timestamp (the `iat` claim that the library adds automatically) from the JWT. Here is what that might look like when using a Node JWT library.
// Builds and signs the JWT assertion that is posted to Box's /oauth2/token endpoint.
const jwt = require('jsonwebtoken');

// Claims carried by the assertion.
// `exp` is a JWT NumericDate: seconds since the Unix epoch, not milliseconds.
// NOTE(review): `jti` is meant to be a unique token identifier, so sessionToken
// should be a fresh, unpredictable value for every assertion; confirm where it is generated.
const claims = {
  iss: API_token,
  sub: ent_id,
  box_sub_type: "enterprise",
  aud: "https://api.box.com/oauth2/token",
  jti: sessionToken,
  exp: expiringTime,
};

// Encrypted private key plus the passphrase that unlocks it.
// Both are credentials: load them from a secret store, never from source control.
const signingKey = { key: privateKey, passphrase: jwt_secret };

// noTimestamp stops jsonwebtoken from adding an `iat` (issued-at) claim.
// It does not change `exp`, which is taken from the claims above as-is.
const signOptions = { algorithm: 'RS256', noTimestamp: true };

// jwt.sign returns the complete compact token (header.payload.signature).
const signed_token = jwt.sign(claims, signingKey, signOptions);
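Removing the timestamp will make sure the JWT is properly signed and will most likely remove your error, assuming that your expiringTime was created correctly: it has to be a Unix time in seconds (not milliseconds) that is still in the future, so also make sure the clock on the machine that signs the token is accurate.
I would recommend checking out my little command-line tool. It can be found on GitHub.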
-
Could you please show a little more example code to log in with the jwt?
I'm stuck trying this both ways: with a plain HTTP request and with the Node SDK.
My attempts look like the following:
// Attempt 1: assemble the JWT assertion by hand and prepare a POST to the Box token endpoint.
// Values shown as `...` were elided by the author; this listing is not runnable as posted.
var jwt = require('jsonwebtoken');
var fs = require('fs');
var base64url = require("base64url");
var request = require('request');
var client_id = ...
var client_secret = ...
// request.debug = true;
// The private key and its passphrase are credentials: keep the PEM file out of
// source control and readable only by the account that runs this script.
var key = fs.readFileSync('private_key.pem');
var passphrase = ...
// Expiry as seconds since the Unix epoch, 60 seconds from now.
var exp = Math.round((Date.now()/1000))+60;
// NOTE(review): keyID is not declared anywhere in this listing; confirm it is
// set to the ID of the public key registered for the app.
var header = {
"alg": "RS256",
"typ": "JWT",
"kid": keyID
};
// NOTE(review): jti is meant to be a unique identifier for each assertion;
// a fixed string is reused on every request. Generate a fresh random value per token.
var claims = {
"iss": client_id,
"sub": "removed for privacy",
"box_sub_type": "user",
"aud": "https://api.box.com/oauth2/token",
"jti": "removed for privacy10111213141517",
"exp": exp
};
// `new Buffer(...)` is deprecated in Node.js; Buffer.from(...) is the replacement.
var encodedHeader = base64url(new Buffer(JSON.stringify(header)));
var payload = base64url(new Buffer(JSON.stringify(claims)));
// NOTE(review): jwt.sign() returns a complete compact JWT (header.payload.signature),
// not a bare signature. Here it is handed an already-encoded "header.payload" string
// as its payload, so `signature` is itself a whole token whose header lacks the kid above.
// The snippet at the top of this page passes the claims object to jwt.sign() directly;
// the library's `keyid` sign option can carry the key ID.
var signature = jwt.sign(encodedHeader + '.' + payload, {key: key, passphrase: passphrase}, {algorithm: 'RS256'});
// This base64url-encodes the JSON-quoted token string, so the third segment below
// is not an RS256 signature over the first two segments.
var encodedsignature = base64url(new Buffer(JSON.stringify(signature)));
// Redeclaring `jwt` replaces the jsonwebtoken module reference with a string.
var jwt = encodedHeader + "." + payload + "." + encodedsignature; // the error is probably here
// A signed assertion can be exchanged for an access token until it expires;
// avoid printing it anywhere that is logged or shared.
console.log(jwt);
// Request options for the token endpoint; the call that sends them is not shown in this listing.
// NOTE(review): the body is built by string concatenation without URL-encoding, so a
// client_secret containing characters such as `&`, `+` or `=` would corrupt the form.
// The request library's `form` option, or encodeURIComponent on each value, avoids that.
var options = {
uri: 'https://api.box.com/oauth2/token',
method: 'POST',
json: true,
headers: {'content-type': 'application/x-www-form-urlencoded'},
// body: 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&client_id=' + client_id + '&client_secret=' + client_secret + '&assertion=' + jwt
body: 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&client_id=' + client_id + '&client_secret=' + client_secret + '&assertion=' + jwt
};
returns:
{ error: 'invalid_grant',
error_description: 'OpenSSL unable to verify data: error:0906D06C:PEM routines:PEM_read_bio:no start line' }
// Attempt 2: let the Box Node SDK build and sign the JWT assertion (app auth).
// Values shown as `...` were elided by the author; this listing is not runnable as posted.
// jwt, base64url and request are required but not referenced in this listing.
var jwt = require('jsonwebtoken');
var fs = require('fs');
var base64url = require("base64url");
var BoxSDK = require('box-node-sdk');
var request = require('request');
var client_id = ...
var client_secret = ...
// request.debug = true;
// The private key and its passphrase are credentials: keep the PEM file out of
// source control and readable only by the account that runs this script.
var key = fs.readFileSync('private_key.pem'); // converted to Windows format in Notepad, necessary??
var keyID = ...
var passphrase = ...
// The SDK receives the key ID, the encrypted private key and its passphrase.
var sdk = new BoxSDK({
clientID: client_id,
clientSecret: client_secret,
appAuth: {
keyID: keyID,
privateKey: key,
passphrase: passphrase
}
});
// Get the enterprise client, used to create and manage app user accounts
// NOTE(review): the SDK documents the first argument as the subject type, 'enterprise'
// or 'user', with the matching ID as the second argument. 'testEnterprise' is neither,
// which would fit the "Please check the 'box_sub_type' claim." response quoted below. Confirm.
var client = sdk.getAppAuthClient('testEnterprise', '5069122');
// Lists the root folder ('0'); only the error is printed, `data` is ignored.
client.folders.getItems('0', {fields: 'id,name'}, function (err, data) {
console.log(err);
});
//returning [Error: Expired Auth: Auth code or refresh token has expired.]
statusCode: 400] and body:
{ error: 'invalid_grant',
error_description: 'Please check the \'box_sub_type\' claim.' } },
authExpired: true }
It would be really great if you could provide any advice to solve this problem.