Welcome to the new Box Support website. Check out all the details here on what’s changed.

Box Status

Issue constructing JWT manually

Follow
New post
Rob-79

Hi all,

 

I'm developing a solution in FileMaker which I want to connect to my box account. I've been doing this following "OAuth 2.0 with JWT (Server Authentication)" as I want the app to connect with Box, not the users. My objective is for the app to pull down tags and other information about files which have been uploaded to the Box.  As this is being done in Filemaker, I've been following the instructions here - https://developer.box.com/v2.0/docs/construct-jwt-claim-manually - to try and construct the JWT manually to authenticate with the box.

 

I'm using the public/private key generated by the box so went straight to section 3 of this page and authorised the application.  Moving on to section 4, I have created the header and claims and done the base64 encoding. However there is no guidance for creating the signature.  I have found this site - https://jwt.io/introduction/ - which explains how to do a signature as a combination of the header and payload (claims):

 

      HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

 

 

However I'm struggling to get past this point.  I've tried setting the 'secret' to be the client secret as per the App Configuration and I've also tried to set this to be the private key too. But when I try to move on to step 7 on the instructions I've set up the header options but when I try to post this nothing happens.  I've tried to post using the command line on my Mac and it comes back with an error saying "OpenSSL unable to verify data...".

 

 

At the top of the article it mentions that you have to sign the JWT with an RSA Key so I presume this error is a result of me not doing this, but unless I'm missing something obvious from this article I'm not sure how this step should be done.

 

If anyone can provide any help or assistance it would be greatly appreciated as it does not feel like the instructions for manually constructing the JWT are complete!  

 

Thanks all in advance for your time and support,

 

Rob 

0

Comments

2 comments

Date Votes
  • jcleblanc

    Hi Rob,

     

    You're correct with one of your attempts, the secret implemented in the JWT signature will be your private key in the generated public / private key pair. You'll add the public key to your application (which is done automatically when having Box do it, as you're doing), then use the private key in the signature. Here are a few steps we can go through to try to get this solved.

     

    First I'd recommend taking a look at the available SDKs (https://developer.box.com/page/sdks) to see if you can use those to abstract out the need to set up the claims manually.

     

    One of the things I would also check is that the private key you're using from the config file doesn't have any additional characters attached, as as newline characters. That could be one of the reasons for the issue. 

     

    If that doesn't work, I have a working JWT / OAuth 2 sample in Node here that might help you structure the claims and set up the calls, if it's not an issue with the private key you're using from the generated config file. The config file will contain a number of pieces of information about the app, including the private key, so just make sure you're just using the private key (without additional characters removed) from the JSON structure in the config file. 

     

    Lastly, if you can post your code we can take a look to see if there is something that pops up out of there.

     

    Thanks,

    Jon

    0
    Comment actions Permalink
  • Rob-79

    Hi ,

     

    Thanks for your reply. From a coding perspective, I'm using a plugin to FileMaker called Base Elements which handles most of the curl commands. I'm now able to post the message and I get the following response:

     

    {"type":"error","status":400,"code":"bad_request","context_info":{"errors":[{"reason":"invalid_parameter","name":"entity-body","message":"Invalid value '0\r0\r0\r0\r0'. Entity body should be a correctly nested resource attribute name\/value pair"}]},"help_url":"http:\/\/developers.box.com\/docs\/#errors","message":"Bad Request","request_id":"lgmmi5fm1o2ypd8v"}

     

    I'm able to use a trace function to show details from the call.  One line from the trace reads: 

     

    == Info:  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

     

    I'm using the keys generated by box.com and I've removed all the '\n' new line commands but this still does not work.  I tried to generate my own public/private key and have created this on my mac via the command line.  But when I try to upload the public key it says the verification fails.  Is there a different way in which this should be done if I want to use my own keys?  

     

    As a first step it might make sense to try and verify the keys work. I've been using https://jwt.io to try and validate this and it says invalid signature.

     

    Thanks,

    Rob   

     

     

    0
    Comment actions Permalink

Please sign in to leave a comment.