1
votes

I'm trying to achieve "Service Integration Authentication" following the steps in the DocuSign docs, and it works fine until Requesting the Access Token, where you send the JWT token (which is well formed).

I'm always getting "invalid_grant", and according to that doc, it's because some of the claims are invalid. Is there another cause for that error? All the claims look good.

C#:

        // request access token
        var client3 = new RestClient("https://" + _host);
        var request3 = new RestRequest("/oauth/token", Method.POST);
        request3.AddHeader("Content-Type", "application/x-www-form-urlencoded");
        request3.AddParameter("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer");

        var headers = new[]
        {
            new Claim("alg", "RS256"),
            new Claim("typ", "JWT"),
        }.ToList();

        var claims = new[] {
            new Claim("iss", _integrationKey), //<-- integration key
            new Claim("sub", OAuthGrant.Sub), //<-- returned from /oauth/userinfo (OK)
            new Claim("iat", ToUnixTime(DateTime.Now).ToString(), ClaimValueTypes.Integer64),
            new Claim("exp", ToUnixTime(DateTime.Now.AddHours(1)).ToString(), ClaimValueTypes.Integer64),
            new Claim("aud", _host), //<-- "account-d.docusign.com"
            new Claim("scope", "signature"),
        }.ToList();

        //build jwt from private key. token decodes just fine from https://jwt.io/
        var jwtToken = CreateToken(claims, headers, "private-key.pem", Server.MapPath("/"));
        request3.AddParameter("assertion", jwtToken);

        System.Diagnostics.Debug.WriteLine("jwtToken:" + jwtToken);

        var response = client3.Execute<OAuthToken>(request3);

        System.Diagnostics.Debug.WriteLine("response content:" + response.Content); //<-- getting "invalid_grant"

        return response.Data;

The JWT token was validated using https://jwt.io/ and decodes just fine. This is the DocuSign demo sandbox.

Thanks in advance, Daniel

1
Are you using User Consent or Admin Consent? If Admin Consent then you need to claim email domain first in DocuSign. If User Consent, then you need to get consent from the user via Authorization Code Grant URL. - Amit K Bist
Hi Amit, yes I'm using User Consent, from the callback I get the access token and with it, I call the /oauth/userinfo to get the "Sub". I believe I'm missing something in the admin console - Daniel Carlozzi
Will the request3.AddParameter() method add "grant_type" and "assertion" in the body of the request while generating the access token? - Amit K Bist
Yes Sir, POST data travels in the body and is URI encoded. Just in case I've tried POSTing as querystring with no luck either. I've checked this behaviour with Fiddler - Daniel Carlozzi
It should not go in the URL, it should be in the body only. Can you create the assertion on the jwt.io website, then use Postman to generate the "AccessToken", just to see if everything is correctly configured in DS Admin's Integrator Key and you correctly got the user consent? - Amit K Bist

1 Answer

0
votes

My assumption is that the library you are using is generating the wrong assertion for you. You can check the DS SDK as well: the ConfigureJwtAuthorizationFlow method in the DS SDK will help you generate the assertion in the correct way, as expected by the DS APIs.
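
For comparison with whatever CreateToken emits, here is an added example (not code from the post or from the DocuSign SDK) that builds the same RS256 assertion with only the .NET base class library, then checks the signature and claim encoding locally before anything is sent. It assumes .NET 6 or later; the RSA key is generated on the spot in place of private-key.pem, and the two GUIDs are placeholders for the integration key and the user ID.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

static class JwtAssertionCheck
{
    // base64url (RFC 7515): URL-safe alphabet, padding stripped.
    static string Enc(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static byte[] Dec(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }
    static string Build(RSA key, string iss, string sub, string aud, string scope)
    {
        // NumericDate (RFC 7519): seconds since the Unix epoch, UTC, emitted as JSON numbers.
        long iat = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
        var header = new Dictionary<string, object> { ["alg"] = "RS256", ["typ"] = "JWT" };
        var payload = new Dictionary<string, object>
        {
            ["iss"] = iss, ["sub"] = sub, ["aud"] = aud,
            ["iat"] = iat, ["exp"] = iat + 3600, ["scope"] = scope
        };
        string input = Enc(JsonSerializer.SerializeToUtf8Bytes(header)) + "."
                     + Enc(JsonSerializer.SerializeToUtf8Bytes(payload));
        byte[] sig = key.SignData(Encoding.ASCII.GetBytes(input),
                                  HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return input + "." + Enc(sig);
    }
    static void Main()
    {
        using RSA key = RSA.Create(2048); // constructed key; real code: key.ImportFromPem(pemText)
        string jwt = Build(key, "00000000-0000-0000-0000-000000000000", // placeholder integration key
                           "11111111-1111-1111-1111-111111111111",      // placeholder user ID ("sub")
                           "account-d.docusign.com", "signature");
        string[] p = jwt.Split('.');
        // Verify with the matching key, then inspect how the time claims were serialized.
        bool sigOk = key.VerifyData(Encoding.ASCII.GetBytes(p[0] + "." + p[1]), Dec(p[2]),
                                    HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using JsonDocument doc = JsonDocument.Parse(Encoding.UTF8.GetString(Dec(p[1])));
        JsonElement c = doc.RootElement;
        bool numeric = c.GetProperty("iat").ValueKind == JsonValueKind.Number
                    && c.GetProperty("exp").ValueKind == JsonValueKind.Number;
        long skew = Math.Abs(DateTimeOffset.UtcNow.ToUnixTimeSeconds() - c.GetProperty("iat").GetInt64());
        Console.WriteLine($"signature ok: {sigOk}, iat/exp numeric: {numeric}, iat skew: {skew}s");
    }
}
```

Running the same three checks against the token written by the Debug.WriteLine call in the question shows whether its iat and exp are JSON numbers close to the current UTC time and whether the signature verifies against the public key registered for the integration key.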