Signature verification error attempting JWT Oauth

Answered

Comments

14 comments

  • mwiller

     First, be careful when posting JWTs online — the encoded JWT can be trivially reversed to the input JSON parts, including your client ID.  If you don't want people to see that information, you should redact the JWT assertion from your request code snippet.

    If I can ask, how did you generate your keypair — did you do it yourself with openssl or have it generated in the Box Developer Console?

  • Box Product Support

    Originally, I generated the pair myself using the instructions provided.

    I have now also tried using a pair generated by the Box Console with the same result.

    Thanks for the warning on the JWT.

  • Jason62

    Hey,

    Thanks for your messages! That script doesn't appear to work for us, either. You're eventually going to be implementing this in an app, right? Do you know what language you want to work with? Maybe we have a few examples from our SDK or other community projects that would work better.

    Thanks,

    Jason

  • Box Product Support

    After some experimenting, I believe that it is not finding the 'kid' that I include in the JWT header.

    My header looks like: {"kid":"q9li187k","alg":"RS256","typ":"JWT"}

    and that seems to me to be the correct kid (see screencap below):

    [Screenshot: Screen Shot 2018-02-28 at 2.26.43 PM.png]

  • Box Product Support

     I am going to be working in (plain old) C, so I don't think you have a SDK for me.

    I have tested the JWT produced by the script at jwt.io and it decodes properly there as near as I can tell.

    As I mentioned in my previous reply it appears that maybe the problem is with the 'kid' in the header.

    Thanks,

    John

  • Box Product Support

    OK, now this is REALLY weird.  Just goofing around, I UPPERCASED my CLIENT_ID and all of a sudden it worked!

    {"access_token":"UPOIVm8siMbeIryNPbsORzmMfNw9n2wh","expires_in":3707,"restricted_to":[],"token_type":"bearer"}

    Now, I am super confused.

  • Box Product Support

    OK, it worked exactly once.

    Now back to failing.

  • Box Product Support

    I think that at last, I have lurched uncontrollably to the actual problem with the script.

    It works when the signature doesn't contain the last two base64 characters (which is dependent on what time it is, which affects the value of 'exp').

    So, I think it's the base64 encoding.  Which base64 encoding are you expecting?

    A-Za-z0-9+/

    A-Za-z0-9-_

    A-Za-z0-9._

    ...?...

  • mwiller

     Fascinating — thanks for all the work investigating!  I just tested with the official Box Node.js SDK, and it appears to use the A-Za-z0-9-_ alphabet for Base 64 encoding.  If you use that, does it fix the issue?

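    The alphabet mwiller names is base64url (RFC 4648 section 5), and the JWS compact form (RFC 7515) additionally drops the trailing '=' padding from all three segments. Below is an added C example, not code from the thread or from any Box SDK, of an encoder that produces exactly that form plus a check that flags a token still carrying '+', '/' or '=' (the symptom that breaks signature verification on the server side):

```c
#include <stddef.h>
#include <string.h>

/* base64url alphabet: '-' and '_' take the places of '+' and '/'. */
static const char B64URL[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

/* Encode n bytes as base64url WITHOUT '=' padding, as a JWS segment needs.
 * out must hold at least 4*((n+2)/3)+1 bytes. Returns the string length. */
size_t b64url_encode(const unsigned char *in, size_t n, char *out)
{
    size_t i = 0, o = 0;
    while (i + 3 <= n) {                       /* full 3-byte groups */
        unsigned v = (in[i] << 16) | (in[i+1] << 8) | in[i+2];
        out[o++] = B64URL[(v >> 18) & 63];
        out[o++] = B64URL[(v >> 12) & 63];
        out[o++] = B64URL[(v >> 6) & 63];
        out[o++] = B64URL[v & 63];
        i += 3;
    }
    if (n - i == 1) {                          /* 1 byte left: 2 chars, no "==" */
        unsigned v = in[i] << 16;
        out[o++] = B64URL[(v >> 18) & 63];
        out[o++] = B64URL[(v >> 12) & 63];
    } else if (n - i == 2) {                   /* 2 bytes left: 3 chars, no "=" */
        unsigned v = (in[i] << 16) | (in[i+1] << 8);
        out[o++] = B64URL[(v >> 18) & 63];
        out[o++] = B64URL[(v >> 12) & 63];
        out[o++] = B64URL[(v >> 6) & 63];
    }
    out[o] = '\0';
    return o;
}

/* Check a finished compact JWS (header.payload.signature): exactly two dots,
 * and every other character from the base64url alphabet. Returns 1 if clean,
 * 0 if a segment contains '+', '/', '=' or any other stray character. */
int jws_segments_clean(const char *jwt)
{
    int dots = 0;
    for (const char *p = jwt; *p; p++) {
        if (*p == '.') { dots++; continue; }
        if (!strchr(B64URL, *p)) return 0;
    }
    return dots == 2;
}
```

The bytes 0xFB 0xFF encode as "+/8=" in standard base64 but as "-_8" here, which is the kind of signature that only verifies with the right alphabet and no padding.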
  • Box Product Support

      There still appears to be some wonkiness with the number of trailing '='s.

    Anyway, the script has served its purpose of helping me understand the process, so

    I'm going to quit faffing around with it and start coding for real in C.

    Thanks,

    John

  • Box Product Support

       My C library is done and a test program is consistently returning a correct result.  I'm still not sure what exactly the final wonkiness of that script is.  Thanks again for your help.

  • mwiller

     Glad you got everything working!

  • PaulB32

    Problem: I have 2 identical apps, I have shared the apps with my Box.com folders.  I use the exact same code except I change the folder and the config.json (JWT) files that the dev console generates.  The same code works for one of the config.json files but not the other.  I get the:

    Error Message: invalid_grant
    Stack Trace: Signature verification error. The public key identified by "kid" must correspond to the private key used for signing.

    Initial Hypothesis:  I have checked the code logic and variables multiple times and the code is picking up the correct configuration.  I believe the configuration of the apps is identical.  I have exhausted all my ideas.

    Any ideas, thoughts are very welcome!

  • PaulB32

    Resolution for me: The JWT generated for me from my client's enterprise Box.com has been revoked.  I was sent the config.json file, and programmatic access started working.
