JWT "invalid_grant" in Signature in Google OAuth2

Question

I am writing some code to try to get a token to use from Google in OAuth2. This is for a service account, so the instructions are here:

https://developers.google.com/identity/protocols/OAuth2ServiceAccount

I keep getting this error when I post the JWT to Google:

{ "error": "invalid_grant", "error_description": "Invalid JWT Signature." }

Here is the code:

try{        
    var nowInSeconds : Number = (Date.now() / 1000);
    nowInSeconds = Math.round(nowInSeconds);
    var fiftyNineMinutesFromNowInSeconds : Number = nowInSeconds + (59 * 60);


    var claimSet : Object = {};
    claimSet.iss   = "{{RemovedForPrivacy}}";        
    claimSet.scope = "https://www.googleapis.com/auth/plus.business.manage";
    claimSet.aud   = "https://www.googleapis.com/oauth2/v4/token";
    claimSet.iat   = nowInSeconds; 
    claimSet.exp   = fiftyNineMinutesFromNowInSeconds;

    var header : Object = {};
    header.alg = "RS256";
    header.typ = "JWT";

    /* Stringify These */
    var claimSetString = JSON.stringify(claimSet);
    var headerString = JSON.stringify(header);

    /* Base64 Encode These */
    var claimSetBaseSixtyFour = StringUtils.encodeBase64(claimSetString);
    var headerBaseSixtyFour = StringUtils.encodeBase64(headerString);

    var privateKey = "{{RemovedForPrivacy}}";

    /* Create the signature */
    var signature : Signature = Signature();
    signature =  signature.sign(headerBaseSixtyFour + "." + claimSetBaseSixtyFour, privateKey , "SHA256withRSA");

    /* Concatenate the whole JWT */
    var JWT = headerBaseSixtyFour + "." + claimSetBaseSixtyFour + "." + signature;

    /* Set Grant Type */
    var grantType = "urn:ietf:params:oauth:grant-type:jwt-bearer"

    /* Create and encode the body of the token post request */
    var assertions : String = "grant_type=" + dw.crypto.Encoding.toURI(grantType) + "&assertion=" + dw.crypto.Encoding.toURI(JWT);

    /* Connect to Google And Ask for Token */
    /* TODO Upload Certs? */
    var httpClient : HTTPClient = new HTTPClient();
    httpClient.setRequestHeader("content-type", "application/x-www-form-urlencoded; charset=utf-8");
    httpClient.timeout = 30000;
    httpClient.open('POST', "https://www.googleapis.com/oauth2/v4/token");
    httpClient.send(assertions);

    if (httpClient.statusCode == 200) {
       //nothing
    } else {
       pdict.errorMessage = httpClient.errorText;
    }  

}
catch(e){
    Logger.error("The error with the OAuth Token Generator is --> " + e);
}

Does anyone know why the JWT is failing?

Thanks so much! Brad

Answer 1

The problem might be related to the fact that your StringUtils.encodeBase64() method is likely to perform a standard base64 encoding.

According to the JWT spec, however, it's not the standard base64 encoding that needs to be used, but the the URL- and filename-safe Base64 encoding, with the = padding characters omitted.

If you don't have a utility method handy for base64URL encoding, you can verify by

• replacing all + with -;
• replacing all / with _;
• removing all =

in your base64-encoded strings.

Also, is your signature also base64-encoded? It needs to be, following the same rules as described above.

Answer 2

I had the same problem before and this is what was wrong:

• wrong application name (project ID)
• wrong service account ID (email)