user31420

Reputation: 23

Office 365 'app only' token request fails with 'invalid signature' error

I am trying to do the 'client credential' flow and get an access token for an Office 365 app. I followed the steps below.

Step 1: I registered the app on Azure AD by following the documentation below: http://blogs.msdn.com/b/exchangedev/archive/2015/01/21/building-demon-or-service-apps-with-office-365-mail-calendar-and-contacts-apis-oauth2-client-credential-flow.aspx?CommentPosted=true#commentmessage

Step 2: Configured an X.509 public cert for my application. Downloaded the manifest file, updated the 'KeyCredentials' value and uploaded the manifest again (following the step 1 documentation).

"keyCredentials": [
    {
      "customKeyIdentifier": "BB/OLYBBivt4RXUKxQbk+c9UEmo=",
      "endDate": "2016-12-15T07:00:00Z",
      "keyId": "6837d367-660c-4d44-b0ea-9dcd538828e5",
      "startDate": "2014-12-15T07:00:00Z",
      "type": "AsymmetricX509Cert",
      "usage": "Verify",
      "value": null
    }
]

Step 3: Followed the steps in Office 365 Rest API - Daemon week authentication to generate the 'client assertion' as below.

base64(header).base64(payload).base64(signature)

Header as below:

{ 
  "alg": "RS256",
  "x5t": "BB/OLYBBivt4RXUKxQbk+c9UEmo=" //same as customKeyIdentifier
}

Payload as:

{
  "aud": "https://login.windows.net/<tenantid>/oauth2/token",
  "exp": "now + 1 hour",
  "nbf": "now",
  "iss": "CLIENT ID",
  "jti": "SOME GUID",
  "sub": "CLIENT ID"
}

For the signature (RSA-SHA-256 algorithm), I used openssl as shown below.

openssl dgst -sha256  -sign privatekey.pem < input.txt  > signature

note: input.txt contains base64(header).base64(payload)

Step 4: When I made a request to get the access token, I got an 'invalid signature' error as below:

{
    "error": "invalid_client",
    "error_description": "AADSTS70002: Error validating credentials. AADSTS50012: Client assertion contains an invalid signature.\r\nTrace ID: 880b11db-0935-4cbd-836e-4d4d91b2a9e2\r\nCorrelation ID: e72ae39a-9868-4efe-847e-890ef32d48ae\r\nTimestamp: 2015-03-12 18:45:54Z",
    "error_codes": [
        70002,
        50012
    ],
    "timestamp": "2015-03-12 18:45:54Z",
    "trace_id": "880b11db-0935-4cbd-836e-4d4d91b2a9e2",
    "correlation_id": "e72ae39a-9868-4efe-847e-890ef32d48ae",
    "submit_url": null,
    "context": null
}

What am I doing wrong in RSA SHA256 signing?

Any help would be greatly appreciated.

Note: I even used 'PyJWT' in Python and 'jsonwebtoken' in Node.js to generate the client assertion (JWT token) and used it in the token requests; I got the same error.

Upvotes: 2

Views: 2726

Answers (1)

Jason Johnston

Reputation: 17702

When you download the manifest it always sends a null value for the value key. That doesn't indicate a problem. Make sure you are doing an RSA SHA-256 signature. See Could not retrieve app only tokens for office 365

Upvotes: 3
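As an added example (not code from the question, the answer, or Microsoft), here is a POSIX shell script that builds the step 3 client assertion with openssl and checks the signature against the certificate's public key before any token request is made; the client id, tenant and file names are placeholders.

```shell
#!/bin/sh
# Build an RS256 client assertion with openssl and verify it locally before
# sending it. Client id, tenant and file names below are placeholders.

# JWS segments are base64url with no padding; plain base64 ('+', '/', '=')
# is a common cause of "invalid signature" at the token endpoint.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# Restore padding and alphabet so openssl can decode a segment.
b64url_decode() {
  t=$(tr '_-' '/+')
  while [ $(( ${#t} % 4 )) -ne 0 ]; do t="$t="; done
  printf '%s' "$t" | openssl base64 -d -A
}

# x5t is the SHA-1 thumbprint of the DER certificate, base64url-encoded. The
# manifest's customKeyIdentifier is the same 20-byte digest in plain base64.
x5t_of_cert() { openssl x509 -in "$1" -outform DER | openssl dgst -sha1 -binary | b64url; }

# make_assertion <client_id> <tenant_id> <private_key.pem> <cert.pem>
make_assertion() {
  now=$(date +%s)
  header=$(printf '{"alg":"RS256","typ":"JWT","x5t":"%s"}' "$(x5t_of_cert "$4")" | b64url)
  # nbf/exp are numeric Unix timestamps, not strings; jti is a fresh random id.
  payload=$(printf '{"aud":"https://login.windows.net/%s/oauth2/token","iss":"%s","sub":"%s","jti":"%s","nbf":%d,"exp":%d}' \
    "$2" "$1" "$1" "$(openssl rand -hex 16)" "$now" "$((now + 3600))" | b64url)
  # Sign exactly "header.payload": printf '%s' adds no trailing newline,
  # whereas a signing input read from a text file often carries one.
  sig=$(printf '%s' "$header.$payload" | openssl dgst -sha256 -sign "$3" | b64url)
  printf '%s.%s.%s' "$header" "$payload" "$sig"
}

# verify_assertion <jwt> <cert.pem>: returns 0 only if the signature checks out
# under the certificate's public key, i.e. what the token endpoint will do.
verify_assertion() {
  h=${1%%.*}; rest=${1#*.}; p=${rest%%.*}; s=${rest#*.}
  tmp=$(mktemp -d)
  openssl x509 -in "$2" -pubkey -noout > "$tmp/pub.pem"
  printf '%s' "$s" | b64url_decode > "$tmp/sig.bin"
  if printf '%s' "$h.$p" | openssl dgst -sha256 -verify "$tmp/pub.pem" \
       -signature "$tmp/sig.bin" > /dev/null 2>&1; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}
```

Verifying locally separates a signing or encoding mistake from a key-registration mismatch on the Azure AD side before any request reaches the token endpoint.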
