DocuSign JWT Grant flow gives an "invalid_grant" error

1
votes

Has anyone experienced the invalid_grant error mentioned in the subject here that gets an error calling ApiClient.RequestJWTUserToken ?

Here's my call. I've verified that I have values for my DSConfig fields.

private void UpdateToken()
    {
        ApiClient docusign_api = new ApiClient();
        DSConfig cfg = new DSConfig();
        const int jwtLifeSec = 10 * 60; // requested lifetime 
//for the JWT     is     10 min
        List<string> scopes = new List<string>();
            scopes.Add("signature");
 // impersonation scope is implied due to use of JWT grant

    OAuth.OAuthToken authToken = docusign_api.RequestJWTUserToken    (DSConfig.ClientID,
                    DSConfig.ImpersonatedUserGuid,
                    DSConfig.AuthServer,
                    Encoding.UTF8.GetBytes(DSConfig.PrivateKey),
                    jwtLifeSec, scopes);

        AccessToken = authToken.access_token;

        if (Account == null)
            Account = GetAccountInfo(authToken);

        docusign_api = new ApiClient(Account.BaseUri + "/restapi");

        expiresIn = DateTime.Now.Second + authToken.expires_in.Value;
    }

public OAuth.OAuthToken RequestJWTUserToken(string clientId, string userId, string oauthBasePath, byte[] privateKeyBytes, int expiresInHours, List<string> scopes = null);
1
docusignapi
what value you are passing in DSConfig.AuthServer param? - Amit K Bist
I am using account-d.docusign.com as the AuthServer - Morgs
Normally we get invalid_grant when any input parameter is invalid in the call, can you try by creating token outside code using website like JWT with payload will look like { "iss": "IntegratorKey", "sub": "UserId", "iat": 1536700971, "exp": 1536704571, "aud": "account-d.docusign.com", "scope": "impersonation signature" } - Amit K Bist
and then use PostMan to do POST call to https://account-d.docusign.com/oauth/token with req body as grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=jwtassertioncreatedfromjwt.iowebsite and Content-Type will be application/x-www-form-urlencoded - Amit K Bist
I changed my AuthServer parameter and am no longer getting the invalid_grant. I am now getting 'consent_required'. Should I be using the API Account user for the impersonatedUserGUID? - Morgs

1 Answers

0
votes

Looks like you're not using the right arguments.

The third argument is the scopes parameter, not the server.

For Node.js, try this:

const jwtLifeSec = 10 * 60, // requested lifetime for the JWT is 10 min
      scopes = "signature", // impersonation scope is implied due to use of JWT grant
      dsApi = new docusign.ApiClient();

dsApi.setOAuthBasePath(dsConfig.authServer);
const results = await dsApi.requestJWTUserToken(dsConfig.clientId,
      dsConfig.impersonatedUserGuid, scopes, dsConfig.privateKey,
      jwtLifeSec);