Signature verification error attempting JWT Oauth
I am using a shell script https://gist.github.com/floudet/5f5870d0551fcdb663969df6fcf7bfce to attempt to create a JWT Bearer Token. I have slightly modified the script to use "box_sub_type": "enterprise" rather than "user". I have uploaded the public key part of a key pair and I have double and triple checked that I am specifying the correct CLIENT_ID, CLIENT_SECRET, KEY_ID, ENTERPRISE_ID(USER_ID) and private-key file. The JWT the script constructs looks OK to me:
[Header] { "alg": "RS256", "typ": "JWT", "kid": "q...KEY_ID...k" } [Claim] { "iss": "v...CLIENT_ID...2", "sub": "4...ENTERPRISE_ID...8", "box_sub_type": "enterprise", "aud": "https://api.box.com/oauth2/token", "jti": "AHcq1oZ7E1jwqOuv", "exp": ***number removed for privacy***5 }
0000: POST /oauth2/token HTTP/1.1 001d: User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 005d: NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2 008f: Host: api.box.com 00a2: Accept: */* 00af: Content-Length: 789 00c4: Content-Type: application/x-www-form-urlencoded 00f5: => Send data, 789 bytes (0x315) 0000: grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&client_id 0040: =v...CLIENT_ID...2&client_secret=H...CLIENT_SECRET 0080: ...T&assertion=eyJraWQiOiJxOWxpMTg3ayIsInR5cCI6IkpXV 00c0: CIsImFsZyI6IlJTMjU2In0=.eyJleHAiOjE1MTk3MjQyMzUsImp0aSI6IkFIY3Ex 0100: b1o3RTFqd3FPdXYiLCJhdWQiOiJodHRwczovL2FwaS5ib3guY29tL29hdXRoMi90 0140: b2tlbiIsImJveF9zdWJfdHlwZSI6ImVudGVycHJpc2UiLCJzdWIiOiI0MTM0NDEy 0180: OCIsImlzcyI6InY5dnBobXQ0enQweHR3bWY0dmt3cHAwYm4yMXIzY28yIn0=.W63 01c0: DeBarurSe8RZSKwQh0tBLuOaysBkIfLPkp4wK4mD2fUIR7Oc5SVW3Gv0NuRKuiCk 0200: 2Ec0q9mBnrHJx7fSJlcCeZUdOA7arurec712N5CdZoxSJFEoCkMhTwUvm74gIWM/ 0240: a0axN960ptRLWcN18puMKDvXd8b5YZxdy1VXQDLHbN4Nzj8JNDEaF8It2UfA9UQV 0280: bydDF/4GzHOdRr/NQGGDddz2/gi67K6sO1SZ5gAgdJ7Gu+LJ5A4p3J6yRg8Fqudj 02c0: 6YhmlXQUcdoeFJ5CC2aqR6YFOaEynwbLRwMhBe5RKawkxQWUk3Odf0ZnOqVA3kan 0300: emvKn2TukFhPF3jIfwg==
but I keep getting this error:
{"error":"invalid_grant","error_description":"Signature verification error. The public key identified by \"kid\" must correspond to the private key used for signing."}
I've only ever created/uploaded one key.
Any ideas what I could be doing wrong?
-
First, be careful when posting JWTs online — the encoded JWT can be trivially reversed to the input JSON parts, including your client ID. If you don't want people to see that information, you should redact the JWT assertion from your request code snippet.
If I can ask, how did you generate your keypair — did you do it yourself with openssl or have it generated in the Box Developer Console?
-
Hey ,
Thanks for your messages! That script doesn't appear to work for us, either. You're eventually going to be implementing this in an app, right? Do you know what language you want to work with? Maybe we have a few examples from our SDK or other community projects that would work better.
Thanks,
Jason
-
I am going to be working in (plain old) C, so I don't think you have a SDK for me.
I have tested the JWT produced by the script at jwt.io and it decodes properly there as near as I can tell.
As I mentioned in my previous reply it appears that maybe the problem is with the 'kid' in the header.
Thanks,
John
-
I think that at last, I have lurched uncontrollably to the actual problem with the script.
It works when the signature doesn't contain the last two base64 characters
(which is dependent on what time it is which affects the value of 'exp').
So, I think it's the base64 encoding. Which base64 encoding are you expecting?
A-Za-z0-9+/
A-Za-z0-9-_
A-Za-z0-9._
...?...
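The encoding John is asking about, shown as an added example that is not from the thread or the gist: RFC 7515 requires every JWT segment to be base64url (A-Za-z0-9-_) with the '=' padding removed, whereas `openssl base64` / `base64` emit A-Za-z0-9+/ with padding. The header, claims and signature bytes below are constructed stand-ins; the code builds the token both ways, lints the three segments the way a strict verifier would, and shows the repair.

```python
import base64
import json

# RFC 7515 (JWS): each segment is base64url (RFC 4648 section 5) with the '=' padding removed.
_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")
# Constructed sample values; not the poster's real header, claims or signature.
HEADER = {"alg": "RS256", "typ": "JWT", "kid": "EXAMPLE_KEY_ID"}
CLAIMS = {"iss": "EXAMPLE_CLIENT_ID", "sub": "EXAMPLE_ENTERPRISE_ID",
          "box_sub_type": "enterprise", "aud": "https://api.box.com/oauth2/token",
          "jti": "AHcq1oZ7E1jwqOuv", "exp": 1519724235}
# Stand-in for the RSA signature. A real 2048-bit RS256 signature is 256 bytes, and 256 mod 3 == 1,
# so plain base64 of it always ends in "==". These 7 bytes yield '+', '/' and '==' all at once.
FAKE_SIG = b"\xfb\xef\xbe\xff\xff\xff\x01"

def b64url(data: bytes) -> str:
    """What a JWT needs: URL-safe alphabet, no padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64std(data: bytes) -> str:
    """What `openssl base64` / `base64 -w0` emit, i.e. the shell script's mistake."""
    return base64.b64encode(data).decode("ascii")

def build_jwt(header: dict, claims: dict, sig: bytes, enc=b64url) -> str:
    """Assemble header.claims.signature, encoding every segment with `enc`."""
    seg = lambda obj: enc(json.dumps(obj, separators=(",", ":")).encode())
    return f"{seg(header)}.{seg(claims)}.{enc(sig)}"

def lint_jwt(token: str) -> list:
    """Return (segment, problem) pairs a strict JWS decoder would reject; [] means clean."""
    parts = token.split(".")
    if len(parts) != 3:
        return [("token", f"expected 3 segments, got {len(parts)}")]
    problems = []
    for name, part in zip(("header", "claims", "signature"), parts):
        if part.endswith("="):
            problems.append((name, "has '=' padding"))
        bad = "".join(sorted(set(part.rstrip("=")) - _ALPHABET))
        if bad:
            problems.append((name, f"non-base64url characters: {bad}"))
    return problems

def to_b64url(segment: str) -> str:
    """Rewrite a standard-base64 segment as base64url; the bytes it encodes do not change."""
    return segment.replace("+", "-").replace("/", "_").rstrip("=")

def strict_decode(segment: str) -> bytes:
    """Decode as an RFC 7515 verifier would: anything outside the base64url alphabet is an error."""
    if set(segment) - _ALPHABET:
        raise ValueError("segment is not unpadded base64url")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
```

In a shell pipeline the same repair is `tr '+/' '-_' | tr -d '='` applied to each segment, including the signature that `openssl dgst -sign` produces.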
-
Problem: I have 2 identical apps, I have shared the apps with my Box.com folders. I use the exact same code except I change the folder and the config.json (JWT) files that the dev console generates. The same code works for one of the config.json files but not the other. I get the: Error Message: invalid_grant
Stack Trace: Signature verification error. The public key identified by "kid" must correspond to the private key used for signing.
Initial Hypothesis: I have checked the code logic and variables multiple times and the code is picking up the correct configuration. I believe the configuration of the apps is identical. I have exhausted all my ideas.
Any ideas, thoughts are very welcome!