Invalid Grant: Please check the 'jti' claim.

Answered

4 comments

  • MikeBergerUS

    I'm running into that as well. Did you figure out what the issue was?
  • pharv

    IIRC, the error message was misleading because it wasn't actually the jti claim that was causing the issue. I can't remember the exact fix, but I believe it was the exp claim, which must be set to no more than 1 minute in the future, and must be formatted as the number of seconds since the Unix epoch, e.g. in PHP it would be "time() + 60". Also, make sure that the aud claim matches the token URI exactly.
  • MikeBergerUS1

    Thanks, the error did seem to be like a misnomer on my end. I've gotten it a few times when there were other Box outages, so I'm guessing it could mean there's something down. It seems like the error appeared somewhat less after I removed the iat and nbf claims and increased the exp claim to time() + 60 instead of time() + 10; however, this could be purely coincidence.
  • MikeBergerUS1

    This issue was getting worse over time and I finally coordinated with Box to figure out my issue. I wasn't making my jti claim unique between my JWTs; I was just using the same value for each JWT generated. I didn't notice any problems for a while; however, I started seeing it at different times, and eventually, after a few months, I was only getting this error. I fixed this by just generating a jti based on the timestamp (I use PHP, so I just used md5 on the current timestamp).

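The three points the replies above converge on (a jti that is unique per JWT, an exp in whole seconds no more than 60 seconds ahead, an aud equal to the token URL) written as a pre-flight check. This is an added PHP example, not code from the posters or from Box. The token URL constant and the function names are assumptions, the assertion's other claims and the signing step are left out, and the sample claim sets are constructed; the third one shows a jti derived from a one-second-resolution timestamp repeating within the same second.

```php
<?php
const TOKEN_URL = 'https://api.box.com/oauth2/token'; // assumed; use the token URL from your app config
const MAX_EXP_SECONDS = 60;                           // limit stated in the thread

function build_claims(string $aud, int $now): array {
    return [
        'aud' => $aud,
        'jti' => bin2hex(random_bytes(16)), // 32 hex chars from the CSPRNG, new for every JWT
        'exp' => $now + MAX_EXP_SECONDS,    // integer seconds since the Unix epoch
    ];
}
// Returns a list of problems; $seenJti records every jti already used (hypothetical helper).
function check_claims(array $claims, array &$seenJti, string $expectedAud, int $now): array {
    $problems = [];
    $jti = $claims['jti'] ?? null;
    if (!is_string($jti) || $jti === '') {
        $problems[] = 'jti missing';
    } elseif (isset($seenJti[$jti])) {
        $problems[] = 'jti already used by an earlier JWT';
    } else {
        $seenJti[$jti] = true;
    }
    $exp = $claims['exp'] ?? null;
    if (!is_int($exp)) {
        $problems[] = 'exp is not an integer';
    } elseif ($exp <= $now) {
        $problems[] = 'exp is in the past';
    } elseif ($exp - $now > MAX_EXP_SECONDS) {
        $problems[] = 'exp is more than ' . MAX_EXP_SECONDS . ' s ahead (milliseconds?)';
    }
    if (($claims['aud'] ?? null) !== $expectedAud) {
        $problems[] = 'aud does not match the token URL exactly';
    }
    return $problems;
}

// Constructed sample claim sets, all built within the same second.
$now = time();
$samples = [
    'random jti'                => build_claims(TOKEN_URL, $now),
    'timestamp jti, first JWT'  => ['aud' => TOKEN_URL, 'jti' => md5((string) $now), 'exp' => $now + 60],
    'timestamp jti, second JWT' => ['aud' => TOKEN_URL, 'jti' => md5((string) $now), 'exp' => $now + 60],
    'ms exp, trailing slash'    => ['aud' => TOKEN_URL . '/', 'jti' => bin2hex(random_bytes(16)), 'exp' => ($now + 60) * 1000],
];
$seen = [];
foreach ($samples as $label => $claims) {
    $problems = check_claims($claims, $seen, TOKEN_URL, $now);
    echo $label, ': ', $problems ? implode('; ', $problems) : 'ok', PHP_EOL;
}
```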