“Bad Request” message in JWT OAuth authentication

2020-05-04 16:17发布

i've followed all the instructions at the doc for generate JWT Token, but only receive "Bad Request" as response...

when i try to run eg-01-php-jwt the same occurs. i'm using DocuSign demo environment and simulating requests using Postman and curl

the steps i'm doing are:

  1. generating authorization uri as https://account-d.docusign.com/oauth/auth?response_type=code&scope=signature%20impersonation&client_id=c0c3e3b4-87ec-46e6-afad-9f8cf9dda84c&redirect_uri=http://example.com/api/docusign/obtain-consent/callback
  2. fill login and password for different docusign sandbox account
  3. at the redirected uri i get the code parameter and decode at jwt.io, getting kid value from header
  4. use kid value at sub to generate a new jwt token
  5. sign jwt token with my private key
  6. try to obtain access token and receive "Bad Request" as response message

my (updated) generated token is

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJjMGMzZTNiNC04N2VjLTQ2ZTYtYWZhZC05ZjhjZjlkZGE4NGMiLCJzdWIiOiI2ODE4NWZmMS00ZTUxLTRjZTktYWYxYy02ODk4MTIyMDMzMTciLCJpYXQiOjE1NTExMDA0MDksImV4cCI6MTU1MjEwMDQwOSwiYXVkIjoiYWNjb3VudC1kLmRvY3VzaWduLmNvbSIsInNjb3BlIjoic2lnbmF0dXJlIGltcGVyc29uYXRpb24ifQ.I1LhY77Rd0-op6UE3zUQvA5UxXIBzHUMyhhrwSN_TBv9ghiNAOr2aVz8Glf16bulkqSrE6A67h3DvL_VDm5NpNzcDQttjlf-CtlnBrjyt2w1niZkYnlmrUXW3SofDJkNHEj9-zQOa2XBrzTOLIhD6g2V0adBe45mwwGpMpOu0oPameUseDVEBeQ50mCZcyiMGYazEA0qeE9Ws9Rb7GxZxmOIZXaWirohmJhNfic5wHprJvA6tTwxai5-4xAwnhrjpsOWKoQRxXRkCKKcIIrKf8SEz4KOH2RCUBqMZRGys81CIDtowtLoDUeMCRKTaxnbrCFax4blJSZ8X3ptyneVpw

UPDATE @ 2019-02-26:

to achieve what i want i needed to complete the authorization code flow, get the user account id from step 4 (retrieve user data) and finally generate the jwt token with that info as sub at payload!

标签: docusignapi
1条回答
闹够了就滚
2楼-- · 2020-05-04 17:15

That assertion previously only included the signature scope. JWT Authentication requires signature impersonation.

Now that that has been updated, there are a couple of other possible issues:

  • Invalid user ID. The JWT assertion requires an active User ID in the sub field. If the user is closed or the ID is incorrect this will fail.

  • Invalid signature. The JWT assertion must be signed with an RSA private key associated with the iss / Client ID in use. If there are any invalid/encoding characters or trailing spaces, the signature may not be valid.

I'd recommend opening a case with DocuSign Support. On your side, you'll only receive the error invalid_grant. Support-side logging will have a more specific error. To assist with resolution, when opening a case please provide the following:

  • Integrator key
  • Demo account ID
  • JWT Assertion
  • x-DocuSign-TraceToken header value
查看更多
登录 后发表回答