交换访问令牌的jwt会返回invalid_grant错误

Question

我正在尝试为我的应用程序实施服务集成身份验证 - 管理员同意。以下是我创建jwt的方法：

class Program
{
    static void Main(string[] args)
    {
        #region Test

        string integratorKey = "integratorKey ";
        string userId = "userId ";
        string serverAddress = "serverAddress";
        string scope = "signature";
        string key = @"C:\Users\Tester\Desktop\privatekey.txt";

        // JWT Header
        // The header specfies the token type and the signature algorithm
        var jwtHeader = new JwtHeader
        {
            { "typ ", "JWT "},
            { "alg", "RS256"},
        };

        // JWT Body
        // The body specfies the account and user id granting consen
        var jwtPayload = new JwtPayload
        {
           { "iss ", integratorKey},
           { "sub", userId},
           { "iat", DateTimeOffset.UtcNow.ToUnixTimeSeconds()},
           { "exp", DateTimeOffset.UtcNow.AddHours(1).ToUnixTimeSeconds()},
           { "aud", serverAddress},
           { "scope", scope}
        };

        // JWT Signature
        // The body contains the result of signing the base64url-encoded header and body
        string pemKey = File.ReadAllText(key);
        var rsa = CreateRSAKeyFromPem(pemKey);
        RsaSecurityKey rsaKey = new RsaSecurityKey(rsa);

        var jwtSecurityToken = new JwtSecurityToken(jwtHeader, jwtPayload);
        jwtSecurityToken.SigningKey = rsaKey;

        // Token to String so you can use it in your client
        var jwtHandler = new JwtSecurityTokenHandler();
        var tokenString = jwtHandler.WriteToken(jwtSecurityToken);
        #endregion
    }

    public static RSA CreateRSAKeyFromPem(string key)
    {
        TextReader reader = new StringReader(key);
        PemReader pemReader = new PemReader(reader);

        object result = pemReader.ReadObject();

        if (result is AsymmetricCipherKeyPair)
        {
            AsymmetricCipherKeyPair keyPair = (AsymmetricCipherKeyPair)result;
            return DotNetUtilities.ToRSA((RsaPrivateCrtKeyParameters)keyPair.Private);
        }
        else if (result is RsaKeyParameters)
        {
            RsaKeyParameters keyParameters = (RsaKeyParameters)result;
            return DotNetUtilities.ToRSA(keyParameters);
        }

        throw new Exception("Unepxected PEM type");
    }
}

我已经验证了此代码在jwt.io上生成的令牌，并且看起来都很好。然而，当我尝试使用Postman交换生成的jwt作为访问代码时，我将始终得到＆＃34; invalid_grant＆＃34;，这里是我在postman中提出请求的方式：

POST https://account-d.docusign.com/oauth/token
-Headers: Content-Type application/x-www-form-urlencoded

-Body: grant_type urn:ietf:params:oauth:grant-type:jwt-bearer assertion [Generated jwt]

我甚至试过把

Headers: Authorization Basic b64encoded(integratorKey:secretKey) 

同样但仍然没有运气。

请你指出我在这里做错了什么？谢谢:)）

Answer 1

好的，我已经设法弄清楚自己出了什么问题，现在我可以在Postman中收到访问令牌了。为了使这项工作，我已经改变了3件事：

1. 当我从组织门户授权应用程序时，我已将应用程序分配给错误的Integrator Key，因此我需要将其更改为指向正确的。

2. 我在C＃SDK中找到了生成jwt的代码，所以我用它来确保创​​建的jwt被DocuSign接受：

   static void Main(string[] args)
   {
       string integratorKey = "integratorKey ";
       string userId = "userId ";
       string serverAddress = "account-d.docusign.com";
       string scope = "signature impersonation";
       string privateKeyFilename = @"C:\Users\Tester\Desktop\privatekey.txt";
   
       JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler();
   
       SecurityTokenDescriptor descriptor = new SecurityTokenDescriptor()
       {
           IssuedAt = DateTime.UtcNow,
           Expires = DateTime.UtcNow.AddHours(1)
       };
   
       descriptor.Subject = new ClaimsIdentity();
       descriptor.Subject.AddClaim(new Claim("scope", scope));
       descriptor.Subject.AddClaim(new Claim("aud", serverAddress));
       descriptor.Subject.AddClaim(new Claim("iss", integratorKey));
   
       if (userId != null)
       {
           descriptor.Subject.AddClaim(new Claim("sub", userId));
       }
   
       if (privateKeyFilename != null)
       {
           string pemKey = File.ReadAllText(privateKeyFilename);
           var rsa = CreateRSAKeyFromPem(pemKey);
           RsaSecurityKey rsaKey = new RsaSecurityKey(rsa);
           descriptor.SigningCredentials = new SigningCredentials(rsaKey, SecurityAlgorithms.RsaSha256Signature, SecurityAlgorithms.HmacSha256Signature);
       }
   
       var token = handler.CreateToken(descriptor);
       string jwtToken = handler.WriteToken(token);
   }
   
   public static RSA CreateRSAKeyFromPem(string key)
   {
       TextReader reader = new StringReader(key);
       PemReader pemReader = new PemReader(reader);
   
       object result = pemReader.ReadObject();
   
       if (result is AsymmetricCipherKeyPair)
       {
           AsymmetricCipherKeyPair keyPair = (AsymmetricCipherKeyPair)result;
           return DotNetUtilities.ToRSA((RsaPrivateCrtKeyParameters)keyPair.Private);
       }
       else if (result is RsaKeyParameters)
       {
           RsaKeyParameters keyParameters = (RsaKeyParameters)result;
           return DotNetUtilities.ToRSA(keyParameters);
       }
   
       throw new Exception("Unepxected PEM type");
   }
   

3. 在我做出更改1和2之后，我仍然在Postman中出错：＆＃34; consent_required＆＃34;。事实证明我必须在我的集成商密钥中添加重定向uri，然后导航到此网址：

   SERVER/oauth/auth?response_type=code&scope=signature%20impersonation&client_id=CLIENT_ID&redirect_uri=https://docusign.com
   

然后点击＆＃34;授予＆＃34;。

希望这有帮助。