Question

Signature verification error attempting JWT Oauth

  • May 22, 2025
  • 14 replies
  • 62 views


I am using a shell script https://gist.github.com/floudet/5f5870d0551fcdb663969df6fcf7bfce to attempt to create a JWT Bearer Token.  I have slightly modified the script to use "box_sub_type": "enterprise" rather than "user". I have uploaded the public key part of a key pair and I have double and triple checked that I am specifying the correct CLIENT_ID, CLIENT_SECRET, KEY_ID, ENTERPRISE_ID(USER_ID) and private-key file.  The JWT the script constructs looks OK to me:

 

[Header]
{ "alg": "RS256", "typ": "JWT", "kid": "q...KEY_ID...k" }

[Claim]
{ "iss": "v...CLIENT_ID...2", "sub": "4...ENTERPRISE_ID...8", "box_sub_type": "enterprise", "aud": "https://api.box.com/oauth2/token", "jti": "AHcq1oZ7E1jwqOuv", "exp": ***number removed for privacy***5 }

0000: POST /oauth2/token HTTP/1.1
001d: User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7
005d:  NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
008f: Host: api.box.com
00a2: Accept: */*
00af: Content-Length: 789
00c4: Content-Type: application/x-www-form-urlencoded
00f5:
=> Send data, 789 bytes (0x315)
0000: grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&client_id
0040: =v...CLIENT_ID...2&client_secret=H...CLIENT_SECRET
0080: ...T&assertion=eyJraWQiOiJxOWxpMTg3ayIsInR5cCI6IkpXV
00c0: CIsImFsZyI6IlJTMjU2In0=.eyJleHAiOjE1MTk3MjQyMzUsImp0aSI6IkFIY3Ex
0100: b1o3RTFqd3FPdXYiLCJhdWQiOiJodHRwczovL2FwaS5ib3guY29tL29hdXRoMi90
0140: b2tlbiIsImJveF9zdWJfdHlwZSI6ImVudGVycHJpc2UiLCJzdWIiOiI0MTM0NDEy
0180: OCIsImlzcyI6InY5dnBobXQ0enQweHR3bWY0dmt3cHAwYm4yMXIzY28yIn0=.W63
01c0: DeBarurSe8RZSKwQh0tBLuOaysBkIfLPkp4wK4mD2fUIR7Oc5SVW3Gv0NuRKuiCk
0200: 2Ec0q9mBnrHJx7fSJlcCeZUdOA7arurec712N5CdZoxSJFEoCkMhTwUvm74gIWM/
0240: a0axN960ptRLWcN18puMKDvXd8b5YZxdy1VXQDLHbN4Nzj8JNDEaF8It2UfA9UQV
0280: bydDF/4GzHOdRr/NQGGDddz2/gi67K6sO1SZ5gAgdJ7Gu+LJ5A4p3J6yRg8Fqudj
02c0: 6YhmlXQUcdoeFJ5CC2aqR6YFOaEynwbLRwMhBe5RKawkxQWUk3Odf0ZnOqVA3kan
0300: emvKn2TukFhPF3jIfwg==

 

but I keep getting this error:

 

{"error":"invalid_grant","error_description":"Signature verification error. The public key identified by \"kid\" must correspond to the private key used for signing."}

I've only ever created/uploaded one key.

 

Any ideas what I could be doing wrong?

14 replies


First, be careful when posting JWTs online — the encoded JWT can be trivially reversed to the input JSON parts, including your client ID.  If you don't want people to see that information, you should redact the JWT assertion from your request code snippet.

 

If I can ask, how did you generate your keypair — did you do it yourself with openssl or have it generated in the Box Developer Console?



Originally, I generated the pair myself using the instructions provided.

I have now also tried using a pair generated by the Box Console with the same result.

 

Thanks for the warning on the JWT.



Hey,

 

Thanks for your messages! That script doesn't appear to work for us, either. You're eventually going to be implementing this in an app, right? Do you know what language you want to work with? Maybe we have a few examples from our SDK or other community projects that would work better.

 

Thanks,

Jason



After some experimenting, I believe that it is not finding the 'kid' that I include in the JWT header.

My header looks like: {"kid":"q9li187k","alg":"RS256","typ":"JWT"}

and that seems to me to be the correct kid (see screencap below):

[screencap of the key ID as shown in the Developer Console]



I am going to be working in (plain old) C, so I don't think you have an SDK for me.

 

I have tested the JWT produced by the script at jwt.io and it decodes properly there as near as I can tell.

As I mentioned in my previous reply it appears that maybe the problem is with the 'kid' in the header.

 

Thanks,

John



 

OK, now this is REALLY weird.  Just goofing around, I UPPERCASED my CLIENT_ID and all of a sudden it worked!

 

{"access_token":"UPOIVm8siMbeIryNPbsORzmMfNw9n2wh","expires_in":3707,"restricted_to":[],"token_type":"bearer"}

 

Now, I am super confused.



OK, it worked exactly once.

Now back to failing.



I think that at last, I have lurched uncontrollably to the actual problem with the script.

It works when the signature doesn't contain the last two base64 characters (which is dependent on what time it is, which affects the value of 'exp').

So, I think it's the base64 encoding.  Which base64 encoding are you expecting?

A-Za-z0-9+/

A-Za-z0-9-_

A-Za-z0-9._

...?...




Fascinating — thanks for all the work investigating!  I just tested with the official Box Node.js SDK, and it appears to use the A-Za-z0-9-_ alphabet for Base64 encoding.  If you use that, does it fix the issue?



There still appears to be some wonkiness with the number of trailing '='s.

Anyway, the script has served its purpose of helping me understand the process, so I'm going to quit faffing around with it and start coding for real in C.

 

Thanks,

John
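The alphabet question a few replies up and the trailing '=' wonkiness mentioned here are two faces of the same issue: JWT compact serialization (RFC 7515) uses base64url, the A-Za-z0-9-_ alphabet with the '=' padding removed, whereas `openssl base64` and the coreutils `base64` command emit the standard A-Za-z0-9+/ alphabet with padding. A signature segment produced with the standard alphabet is also valid base64url only when its bytes happen to contain no '+' or '/' (and once the padding is stripped), which is one way such a failure can look intermittent. The Python below is an added example for this thread, not code from the gist or from Box; the header and claim values and the 256-byte stand-in "signature" are constructed placeholders, and it performs no RSA signing, only the encoding and a lint pass that flags what a verifier would reject before it ever looks at the key.

```python
"""Base64url handling for JWT compact serialization (RFC 7515).

Added example for this thread; not code from the gist or from Box.
All header/claim values and the 'signature' bytes are constructed.
"""
import base64
import json
import string

# The only characters a JWT segment may contain: no '+', '/' or '=' padding.
JWT_ALPHABET = frozenset(string.ascii_letters + string.digits + "-_")


def b64url_encode(data: bytes) -> str:
    """RFC 7515 base64url: URL-safe alphabet with the '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; re-adds the padding the encoder removed."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def std_b64_to_url(segment: str) -> str:
    """Turn standard base64 (A-Za-z0-9+/ plus '=') into base64url.

    This is the post-processing a script built on `openssl base64` needs
    before the value can be used as a JWT segment.
    """
    return segment.rstrip("=").replace("+", "-").replace("/", "_")


def signing_input(header: dict, claims: dict) -> str:
    """Return 'header.claims', the two base64url segments that get signed."""
    def enc(obj: dict) -> str:
        # Compact JSON, so the segment matches what the thread's header shows.
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}"


def lint_jwt(token: str) -> list:
    """List encoding problems a verifier hits before it ever tries the key."""
    problems = []
    parts = token.split(".")
    if len(parts) != 3:
        problems.append(f"expected 3 segments, found {len(parts)}")
    for i, seg in enumerate(parts):
        if seg.endswith("="):
            problems.append(f"segment {i} carries '=' padding")
        bad = sorted(set(seg.rstrip("=")) - JWT_ALPHABET)
        if bad:
            problems.append(f"segment {i} has characters outside base64url: {bad}")
    return problems


# Constructed placeholders: the real kid/iss/sub come from the Developer Console.
HEADER = {"alg": "RS256", "typ": "JWT", "kid": "KEY_ID"}
CLAIMS = {
    "iss": "CLIENT_ID",
    "sub": "ENTERPRISE_ID",
    "box_sub_type": "enterprise",
    "aud": "https://api.box.com/oauth2/token",
    "jti": "constructed-nonce-0001",
    "exp": 1700000000,
}
# Stand-in for a 2048-bit RSA signature (256 bytes); not a real signature.
FAKE_SIGNATURE = bytes(range(256))


def make_tokens() -> tuple:
    """Return (broken, fixed): the same signing input with the signature
    appended in standard base64 and in base64url respectively."""
    body = signing_input(HEADER, CLAIMS)
    broken = body + "." + base64.b64encode(FAKE_SIGNATURE).decode("ascii")
    fixed = body + "." + b64url_encode(FAKE_SIGNATURE)
    return broken, fixed


if __name__ == "__main__":
    broken, fixed = make_tokens()
    print("standard base64 signature:", lint_jwt(broken))
    print("base64url signature:      ", lint_jwt(fixed))
    # The header round-trips, so the JSON itself is never the problem.
    print(json.loads(b64url_decode(fixed.split(".")[0])))
```

Running `lint_jwt` over the assertion a script emits is a quick way to separate an encoding defect from a genuine key mismatch: a token whose three segments pass the lint and still draws "Signature verification error" really does point at the key pair or the kid, while one that fails the lint never reached that check.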



My C library is done and a test program is consistently returning a correct result.  I'm still not sure what exactly the final wonkiness of that script is.  Thanks again for your help.



Glad you got everything working!



Problem: I have 2 identical apps, and I have shared the apps with my Box.com folders.  I use the exact same code except I change the folder and the config.json (JWT) files that the dev console generates.  The same code works for one of the config.json files but not the other.  I get:
Error Message: invalid_grant
Stack Trace: Signature verification error. The public key identified by "kid" must correspond to the private key used for signing.

Initial Hypothesis:  I have checked the code logic and variables multiple times and the code is picking up the correct configuration.  I believe the configuration of the apps is identical.  I have exhausted all my ideas.

 

Any ideas, thoughts are very welcome!

  



Resolution for me: The JWT generated for me from my client's enterprise Box.com has been revoked.  I was sent the config.json file, and programmatic access started working.