Description


This article covers possible troubleshooting steps for the OAuth 2.0 JWT bearer grant type.

Procedure


1. Enable the debugger properties related to OAuth:

com.snc.platform.security.oauth.debug = true
glide.auth.debug.enabled = true

2. Ensure all the required parameters for the OAuth provider are configured:

a) Client ID

b) Client Secret

c) Token URL

d) Profile

e) Scope

f) JWT Provider

3. Validate that the keystore has a valid password. Ensure the same password is used within the NOW platform.

4. Validate that the signing key within the keystore has a valid password. Ensure the same password is used within the NOW platform.

5. Get the OAuth token from the outbound REST message.

6. Logs are printed in the localhost logs if the debugger property is enabled. Check the log for errors if the token is not generated.

7. If there are no errors in the log, verify that the JWT is generated within the NOW platform:

Started to generate JWT
AuthAdding payload claims to jwt with name = box_sub_type and value = enterprise
AuthAdding payload claims to jwt with name = aud and value = https://api.box.com/oauth2/token
AuthAdding payload claims to jwt with name = sub and value = 120961449
AuthAdding payload claims to jwt with name = iss and value = o9xqbay28g97deumamwz2s0tvtsfrusb
AuthAdding claims to jwt. Header Claims = [], keyId = , issuedAt = Thu Nov 15 15:15:52 PST 2018, expiresAt = Thu Nov 15 15:16:52 PST 2018, issuer = o9xqbay28g97deumamwz2s0tvtsfrusb, notBefore = null, signingAlgorithms=RS256, jwtId=e5a988d8-23da-465f-b34c-bbecff42257c
Successfully generated JWT

8. Verify that the request is sent:

OAUTH - OAuthHTTPRequest : Sending http request, url:https://api.box.com/oauth2/token
OAUTH - OAuthHTTPRequest : Sending http request, body:grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOiJodHRwczovL2FwaS5ib3guY29tL29hdXRoMi90b2tlbiIsInN1YiI6IjEyMDk2MTQ0OSIsImJveF9zdWJfdHlwZSI6ImVudGVycHJpc2UiLCJpc3MiOiJvOXhxYmF5MjhnOTdkZXVtYW13ejJzMHR2dHNmcnVzYiIsImV4cCI6MTU0MjMyMzgxMiwiaWF0IjoxNTQyMzIzNzUyLCJqdGkiOiJlNWE5ODhkOC0yM2RhLTQ2NWYtYjM0Yy1iYmVjZmY0MjI1N2MifQ.O1f7vpKPKgGJWfOn_hXIu18d5AVv8wjqaxvEGlVQaNBWTQ3H4AKJ1XcE1VFrpeCXpxb0uZ2wb_O4JctZeX-qP7aH9R9QovT9tMpxEQCpmDNX5XAs3iw_X5yfT_eYszMBcrS2ZpXbEj82lVLgGixV7tRWhq0tLgIoIUAPcnbAsu2L6ec5wsCyqAv4l4XwqicYjk8Pl94WbcfmFF3Cg2eWhELB2EFG5_V48NOsvTHWBTkwp-aLS-YIH17w5uPAKht7BjtW0CBsbrCxjgVoc_VGpLqHNyl0BXMHI9wBDSCffA2sWamGTDxqferagdYXt_8jfkahqslKhmCAbCUonfnBSw&client_secret=DRcW5sBRcuy4jDqryIoPB5BhCw7h1QzL&client_id=o9xqbay28g97deumamwz2s0tvtsfrusb
SecurityUtils: Obfuscating Key : access_token and all its children!

9. Use the jwt.io site to decode the assertion. Verify that the header and payload are generated with all the required claims.

10. If the request is processed by the OAuth provider, verify that a response was returned:

OAUTH - OAuthHTTPRequest : Received http response: {"access_token":"********","token_type":"bearer","expires_in":4245,"restricted_to":[]}

11. Verify that the token is returned in the response.

12. If the token is not returned, review the error messages and take appropriate action. Possible errors could be related to the signing key, claims, client ID or client secret.

13. The token is sent as an Authorization header for the outbound REST message; ensure the token matches in the request header. Enable Outbound HTTP Debugging to log the HTTP request and response.

14. Review the Troubleshooting section in the Madrid TOI (Platform_Authentication_oAuth JWT Bearer Grant) for other known errors and solutions.

https://servicenow.sharepoint.com/:p:/r/sites/AppPlatformReleases/_layouts/15/Doc.aspx?sourcedoc=%7B80483b3f-2486-41c7-884d-567c40705815%7D&action=edit&uid=%7B80483B3F-2486-41C7-884D-567C40705815%7D&ListItemId=7152&ListId=%7B9ED468FE-F1DD-4D48-88D2-25DF2076293C%7D&odsp=1&env=prod
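
The claim check in step 9 can also be done offline, so the assertion never leaves the machine. The following is an added example, not ServiceNow code: it parses a "Sending http request, body:" log line like the one in step 8, decodes the assertion without verifying its signature, and lists what is missing or mismatched. The function names, the REQUIRED claim list (taken from the claims in the article's sample token) and the sample log line are assumptions constructed for illustration.

```python
import base64
import json
from urllib.parse import parse_qs

# Assumption: claims present in the article's sample token; adjust per provider.
REQUIRED = ("iss", "sub", "aud", "exp", "iat", "jti")

def b64url_decode(seg):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def inspect_token_request(log_line, expected_aud):
    """Decode the assertion in a 'body:' log line. The signature is NOT verified."""
    body = log_line.split("body:", 1)[1].strip()
    form = {k: v[0] for k, v in parse_qs(body).items()}
    problems = []
    if form.get("grant_type") != "urn:ietf:params:oauth:grant-type:jwt-bearer":
        problems.append("grant_type is not jwt-bearer")
    parts = form.get("assertion", "").split(".")
    if len(parts) != 3:
        return {}, {}, ["assertion is not a three-part JWT"]
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    if header.get("alg") != "RS256":  # RS256 is the algorithm in the article's log
        problems.append(f"unexpected alg: {header.get('alg')}")
    problems += [f"missing claim: {c}" for c in REQUIRED if c not in payload]
    if payload.get("aud") != expected_aud:
        problems.append("aud does not match token URL")
    if "exp" in payload and "iat" in payload and payload["exp"] <= payload["iat"]:
        problems.append("exp is not after iat")
    return header, payload, problems

def make_sample_line(payload):
    """Build a constructed log line; the signature segment is a dummy value."""
    hdr = b64url_encode(json.dumps({"typ": "JWT", "alg": "RS256"}).encode())
    pl = b64url_encode(json.dumps(payload).encode())
    return ("OAUTH - OAuthHTTPRequest : Sending http request, body:"
            "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer"
            f"&assertion={hdr}.{pl}.c2ln&client_secret=EXAMPLE&client_id=example-client")
```

The request body logged in step 8 carries the client secret and the signed assertion in clear text, so treat the localhost log as sensitive while the debug properties are enabled.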


Applicable Versions


Madrid

Additional Information


-Encode/Decode JWT Token

https://www.jsonwebtoken.io/

-JWT Builder

http://jwtbuilder.jamiekurtz.com/

-Outbound WebServices Logging

https://docs.servicenow.com/bundle/london-application-development/page/integrate/outbound-web-services/reference/outbound-logging-properties.html

-Encode/Decode JWT Token

https://jwt.io/

Article Information

Last Updated: 2020-01-23 07:10:46
Published: 2020-01-23