Reputation: 360
PHP 7.4, Windows Server 2012, IIS 8.
I've been all over Stack Overflow and DocuSign's own documentation, but I can't get past the JWT token request. I've tried:
When I use the SDK, I get "issuer_not_found". The other methods, "unsupported_grant_type."
I've been poking at this thing all week and I haven't yet found a combination of circumstances that doesn't throw an error. The boss is rattling my cage every day.
Can someone get me past this hurdle?
issuer_not_found:
```php
// bring in the docusign SDK
require_once("./docusign/vendor/autoload.php");
// bring in the config file provided by the QuickStart on Docusign
require_once("$admin/esign/ds_config.php");
// use the docusign client namespace
use DocuSign\eSign\Client\ApiClient;
// create the SDK client object
$client = new ApiClient();
// get the private key, saved in a file after being copy/pasted from the application
$rsa_private_key = file_get_contents("$admin/esign/private.key");
// get the client_id a.k.a. app id from the config file provided by the QuickStart on Docusign
$client_id = $GLOBALS['JWT_CONFIG']['ds_client_id'];
// $user_id = $GLOBALS['JWT_CONFIG']['ds_impersonated_user_id'];
// call the SDK api for the application JWT token, lifted from the SDK sample code
$test = $client->requestJWTApplicationToken($client_id, $rsa_private_key);
// $test = $client->requestJWTUserToken($client_id, $user_id, $rsa_private_key);
// display the inevitable error message
echo '<pre>[97616] $test:' . print_r($test, true) . '</pre>';
```
unsupported_grant_type:
```php
use Firebase\JWT\JWT;
use GuzzleHttp\Client;

$header = ["alg"=>"RS256","typ"=>"JWT"];
$privateKey = file_get_contents($this->path_admin . "/esign/private.key");
// $publicKey = file_get_contents($this->path_admin . "/esign/public.key");
$expiration = strtotime(date("Y-m-d H:i:s", time()) . " +1 hours"); // expires one hour from now
$payload = json_encode(array(
    "iss" => $GLOBALS['JWT_CONFIG']['ds_client_id'],
    "aud" => "account-d.docusign.net",
    "iat" => time(),
    "sub" => $GLOBALS['JWT_CONFIG']['ds_impersonated_user_id'],
    "exp" => $expiration,
    "scope" => "signature"
));
$jwt = JWT::encode($payload, $privateKey, 'RS256');
$client = new Client();
$response = $client->request('POST', 'https://account-d.docusign.com/oauth/token', [
    'body' => json_encode([
        'grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
        'assertion' => $jwt
    ])
]);
```
Upvotes: 1
Views: 1298
Reputation: 360
Ultimately, the issuer_not_found error came down to a mismatch between the "aud" parameter of the request body and the URL: the SDK does not look to the config files for the POST URL, it merely defaults to the live URL, account.docusign.com. To use account-d, you must explicitly set that value (a fact that I can't find in the SDK's documentation). Many thanks to @hakre for the nudge in the right direction.
Upvotes: 1
Reputation: 198203
Looks like a "simple" configuration problem; check you're using the correct values (perhaps easier said than done).
And first of all, troubleshooting 101: If the simplest and first try already gives you an error, concentrate on this one and only this one until it works. Just in case this was not obvious.
For issuer_not_found:
Issuer_not_found: The integration key in the iss (issuer) parameter is unavailable in the current environment. This can also mean a mismatch in the aud (audience) value and the environment being hit: for example, using an aud value of account.docusign.com while requesting a token from https://account-d.docusign.com/oauth/token.
For unsupported_grant_type: You can solve it once you have solved the first error. Joking aside:
Adhere as much as possible to the official docs, e.g. "When using JWT authentication, how do I troubleshoot an invalid_grant or other errors?", until it clicks.
Upvotes: 1
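A pre-flight check for the aud/environment mismatch described in the answers above, as an added example that is not part of any post in this thread and not DocuSign SDK code. The function names (`b64url`, `checkClaims`, `buildAssertion`) are hypothetical, the integration key and user ID are placeholders, and the RSA key is a throwaway generated in place; the token body is form-encoded, the format RFC 6749 specifies for token requests.

```php
<?php
// Added example: function names are hypothetical; IDs and key are constructed placeholders.
function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}
// List what is wrong with the claims for the token endpoint that will be called.
function checkClaims(array $claims, string $tokenUrl): array {
    $problems = [];
    $host = parse_url($tokenUrl, PHP_URL_HOST);
    $aud = $claims['aud'] ?? '';
    if ($aud !== $host) {
        $problems[] = "aud '$aud' does not match token endpoint host '$host'";
    }
    foreach (['iss', 'sub', 'iat', 'exp', 'scope'] as $name) {
        if (empty($claims[$name])) {
            $problems[] = "missing claim: $name";
        }
    }
    if (($claims['exp'] ?? 0) <= ($claims['iat'] ?? 0)) {
        $problems[] = 'exp must be later than iat';
    }
    return $problems;
}

// RS256-sign header.payload; the claims array is JSON-encoded exactly once, here.
function buildAssertion(array $claims, $privateKey): string {
    $input = b64url(json_encode(['alg' => 'RS256', 'typ' => 'JWT']))
           . '.' . b64url(json_encode($claims));
    if (!openssl_sign($input, $signature, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('openssl_sign failed');
    }
    return $input . '.' . b64url($signature);
}

$tokenUrl = 'https://account-d.docusign.com/oauth/token';
$claims = ['iss' => 'INTEGRATION_KEY_PLACEHOLDER', 'sub' => 'USER_ID_PLACEHOLDER',
           'aud' => 'account.docusign.com', 'iat' => time(), 'exp' => time() + 3600,
           'scope' => 'signature'];
print_r(checkClaims($claims, $tokenUrl));            // lists the aud/host mismatch

$claims['aud'] = parse_url($tokenUrl, PHP_URL_HOST); // aud now names the same environment
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
if ($key === false || checkClaims($claims, $tokenUrl) !== []) {
    throw new RuntimeException('key generation or claim check failed');
}
// Form-encoded body (RFC 6749 token request format), sent as application/x-www-form-urlencoded.
$body = http_build_query(['grant_type' => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
                          'assertion' => buildAssertion($claims, $key)]);
echo $body, PHP_EOL;
```

With Guzzle, passing the same two parameters under `form_params` produces this encoding and sets the matching Content-Type header.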