JWT access token
I keep receiving a 400 Bad Request ("error": "invalid_grant") from the API when attempting to get an access token.
I'm posting to https://app.iformbuilder.com/exzact/api/oauth/token with assertion and grant_type parameters.
My JWT token looks like this:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NjUzNDgzMjcsImlhdCI6IjE0NjUzNDQ3MjciLCJpc3MiOiIzMzA2M2YwY2QzMWM2MjM4NjdiNTc1NDNjM2Q1MjdiYzRlODI4NDJmIiwiYXVkIjoiaHR0cHM6Ly9jb21wYW55Lmlmb3JtYnVpbGRlci5jb20vZXh6YWN0L2FwaS9vYXV0aC90b2tlbiIsIm5iZiI6MTQ2NTM0NDcyN30.3Jf0GK_8iBfPoO2Aksl0DTdmQY28sQSPXzmggGHEwxQ
And that parses fine on the jwt.io site.
Should I be replacing 'company.iformbuilder.com' with something else in the AUD? I've tried 'app.iformbuilder.com'.
I've also tried many variations of base64, base64 + URL encoding the assertion parameter, using x-www-form-urlencoded as well as form-data but just can't seem to get anything other than 'invalid_grant'.
What are some common mistakes for generating the JWT? I'm using C#:
public static string GenerateJwt(string plainTextSecurityKey, string plainTextSecuritySecret, string appliesToAddress)
{
    var signingKey = new InMemorySymmetricSecurityKey(Encoding.UTF8.GetBytes(plainTextSecuritySecret));
    var signingCredentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256Signature, SecurityAlgorithms.Sha256Digest);
    var startDate = new DateTime(1970, 01, 01);
    var generatedOnSeconds = (DateTime.Now.ToUniversalTime() - startDate).TotalSeconds;
    var endDate = DateTime.Now.AddMinutes(9).ToUniversalTime();
    var expiresSeconds = (endDate - startDate).TotalSeconds;
    var claimsIdentity = new ClaimsIdentity(new List<Claim>()
    {
        new Claim("exp", expiresSeconds.ToString()),
        new Claim("iat", ((int)generatedOnSeconds).ToString())
    }, "Custom");
    var securityTokenDescriptor = new SecurityTokenDescriptor()
    {
        AppliesToAddress = "https://app.iformbuilder.com/exzact/api/oauth/token",
        TokenIssuerName = plainTextSecurityKey,
        Subject = claimsIdentity,
        SigningCredentials = signingCredentials,
    };
    var tokenHandler = new JwtSecurityTokenHandler();
    var plainToken = tokenHandler.CreateToken(securityTokenDescriptor);
    var signedAndEncodedToken = tokenHandler.WriteToken(plainToken);
    return signedAndEncodedToken;
}
-
Official comment
Hi Andrew, your payload is actually not built correctly.
The "aud" parameter needs to be "https://app.iformbuilder.com/exzact/api/oauth/token" for the environment you are trying to work with.
Hope that helps,
Tony
-
Hi Tony,
I have tried that already (you can see in the code sample above I've changed it to app.iformbuilder.com). Here is another JWT, still not working:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NjU0MjU2NDYsImlhdCI6IjE0NjU0MjIwNDYiLCJpc3MiOiIzMzA2M2YwY2QzMWM2MjM4NjdiNTc1NDNjM2Q1MjdiYzRlODI4NDJmIiwiYXVkIjoiaHR0cHM6Ly9hcHAuaWZvcm1idWlsZGVyLmNvbS9leHphY3QvYXBpL29hdXRoL3Rva2VuIiwibmJmIjoxNDY1NDIyMDQ2fQ.jYjlej-RG0FyI65PfETYTli3dbWWRh33X00KZpogEc8
-
Perhaps I’m doing something wrong with the exp and iat values? I think I’m calculating them correctly from 1/1/1970 and using UTC, but I may not have it right.
Also, the .NET library I'm using (System.IdentityModel.Tokens.Jwt) includes an nbf value which I can't seem to get rid of.
-
It's in the API code samples found here: https://iformbuilder.zendesk.com/hc/en-us/articles/201989314--NET-Access-Token-generation-JWT-
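An added diagnostic, not part of the thread or of iFormBuilder's samples: it decodes the two assertions posted above (without verifying the signature) and lists where the claims differ from what the C# code asked for and from RFC 7519's NumericDate type, which is a JSON number. The function names and the 540-second lifetime are assumptions; the latter is taken from AddMinutes(9) in the question, not from a documented server limit.

```python
import base64
import json

# Tokens and endpoint copied from the thread (first post and the follow-up reply).
TOKEN_1 = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NjUzNDgzMjcsImlhdCI6IjE0NjUzNDQ3MjciLCJpc3MiOiIzMzA2M2YwY2QzMWM2MjM4NjdiNTc1NDNjM2Q1MjdiYzRlODI4NDJmIiwiYXVkIjoiaHR0cHM6Ly9jb21wYW55Lmlmb3JtYnVpbGRlci5jb20vZXh6YWN0L2FwaS9vYXV0aC90b2tlbiIsIm5iZiI6MTQ2NTM0NDcyN30.3Jf0GK_8iBfPoO2Aksl0DTdmQY28sQSPXzmggGHEwxQ"
TOKEN_2 = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJleHAiOjE0NjU0MjU2NDYsImlhdCI6IjE0NjU0MjIwNDYiLCJpc3MiOiIzMzA2M2YwY2QzMWM2MjM4NjdiNTc1NDNjM2Q1MjdiYzRlODI4NDJmIiwiYXVkIjoiaHR0cHM6Ly9hcHAuaWZvcm1idWlsZGVyLmNvbS9leHphY3QvYXBpL29hdXRoL3Rva2VuIiwibmJmIjoxNDY1NDIyMDQ2fQ.jYjlej-RG0FyI65PfETYTli3dbWWRh33X00KZpogEc8"
TOKEN_URL = "https://app.iformbuilder.com/exzact/api/oauth/token"


def decode_segment(segment):
    """Base64url-decode one JWT segment (padding restored) and parse the JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def inspect_assertion(token, expected_aud, max_lifetime_s=540):
    """Return (claims, findings). The signature is NOT verified.

    max_lifetime_s=540 is an assumption taken from AddMinutes(9) in the question.
    """
    _header, payload_b64, _signature = token.split(".")
    claims = decode_segment(payload_b64)
    findings = []
    # RFC 7519: exp, iat and nbf are NumericDate values, i.e. JSON numbers.
    for name in ("exp", "iat", "nbf"):
        value = claims.get(name)
        is_number = isinstance(value, (int, float)) and not isinstance(value, bool)
        if value is not None and not is_number:
            findings.append(f"{name} is {type(value).__name__} {value!r}, not a JSON number")
    if claims.get("aud") != expected_aud:
        findings.append(f"aud {claims.get('aud')!r} != {expected_aud!r}")
    try:
        lifetime = int(claims["exp"]) - int(claims["iat"])
        if lifetime > max_lifetime_s:
            findings.append(f"exp - iat = {lifetime}s, above {max_lifetime_s}s")
    except (KeyError, ValueError, TypeError):
        findings.append("exp/iat missing or not convertible to seconds")
    return claims, findings


if __name__ == "__main__":
    for label, tok in (("first token", TOKEN_1), ("second token", TOKEN_2)):
        claims, findings = inspect_assertion(tok, TOKEN_URL)
        print(label, json.dumps(claims, indent=2))
        for finding in findings:
            print("  !", finding)
```

Whether any of these discrepancies is what the server rejects is not established in the thread; the output only shows what the library actually serialized compared with what the code requested.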