Signature verification error attempting JWT Oauth

Answered
New post

Comments

14 comments

  • mwiller

     First, be careful when posting JWTs online — the encoded JWT can be trivially reversed to the input JSON parts, including your client ID.  If you don't want people to see that information, you should redact the JWT assertion from your request code snippet.

     

    If I can ask, how did you generate your keypair — did you do it yourself with openssl or have it generated in the Box Developer Console?

    0
    Comment actions Permalink
  • Box Product Support

    Originally, I generated the pair myself using the instructions provided.

    I have now also tried using a pair generated by the Box Console with the same result.

     

    Thanks for the warning on the JWT.

    0
    Comment actions Permalink
  • Jason62

    Hey ,

     

    Thanks for your messages! That script doesn't appear to work for us, either. You're eventually going to be implementing this in an app, right? Do you know what language you want to work with? Maybe we have a few examples from our SDK or other community projects that would work better.

     

    Thanks,

    Jason

    0
    Comment actions Permalink
  • Box Product Support

     after some experimenting, I believe that it is not finding the 'kid' that I include in the JWT header.

    My header looks like: {"kid":"q9li187k","alg":"RS256","typ":"JWT"}

    and that seems to me to be the correct kid (see screencap below):

    Screen Shot 2018-02-28 at 2.26.43 PM.png

    0
    Comment actions Permalink
  • Box Product Support

     I am going to be working in (plain old) C, so I don't think you have a SDK for me.

     

    I have tested the JWT produced by the script at jwt.io and it decodes properly there as near as I can tell.

    As I mentioned in my previous reply it appears that maybe the problem is with the 'kid' in the header.

     

    Thanks,

    John

    0
    Comment actions Permalink
  • Box Product Support

     

    OK, now this is REALLY weird.  Just goofing around, I UPPERCASED my CLIENT_ID and all of a sudden it worked!.

     

    {"access_token":"UPOIVm8siMbeIryNPbsORzmMfNw9n2wh","expires_in":3707,"restricted_to":[],"token_type":"bearer"}

     

    Now, I am super confused.

    0
    Comment actions Permalink
  • Box Product Support

    OK, it worked exactly once. 

    Now back to failing.

     

     

    0
    Comment actions Permalink
  • Box Product Support

    I think that at last, I have lurched uncontrollably to the actual problem with the script.

    It works when the signature doesn't contain the last two base64 characters

    (which is dependent on what time it is which affects the value of 'exp').

    So, I think it's the base64 encoding.  Which base64 encoding are you expecting?

    A-Za-z0-9+/

    A-Za-z0-9-_

    A-Za-z0-9._

    ...?...

     

     

     

    0
    Comment actions Permalink
  • mwiller

     Fascinating — thanks for all the work investigating!  I just tested with the official Box Node.js SDK, and it appears to use the A-Za-z0-9-_ alphabet for Base 64 encoding.  If you use that, does it fix the issue?

    0
    Comment actions Permalink
  • Box Product Support

      There still appears to be some wonkiness with the number of trailing '='s.

    Anyway, the script has served its purpose of helping me understand the process, so

    I'm going to quit faffing around with it and start coding for real in C.

     

    Thanks,

    John

    0
    Comment actions Permalink
  • Box Product Support

       My C library is done and a test program is consistently returning a correct result.  I'm still not sure what exactly the final wonkiness of that script is.  Thanks again for your help.

    0
    Comment actions Permalink
  • mwiller

     Glad you got everything working!

    0
    Comment actions Permalink
  • PaulB32

    Problem: I have 2 identical apps, I have shared the apps with my Box.com folders.  I use the exact same code except I change the folder and the config.json (JWT) files that the dev console generates.  The same code works for one of the config.json files but not the other.  I get the: Error Message: invalid_grant
    Stact Trace: Signature verification error. The public key identified by "kid" must correspond to the private key used for signing.

    Initial Hypothesis:  I have checked the code logic and variables multiple times and the code is picking up the correct configuration.  I believe the configuration of the apps is identical.  I have exhausted all my ideas.

     

    Any ideas, thoughts are very welcome!

      

    0
    Comment actions Permalink
  • PaulB32

    Resolution for me: The JWT generated for me from my clients enterprise Box.com has been revoked.  I was sent the config.json file, and programmatic access started working  

    0
    Comment actions Permalink

Please sign in to leave a comment.