Skip to main content
To homepage To homepage
Solved

oau-250 Error with JWT authentication flow

local728

I am getting the OAU-250 error when attempting the JWT Authentication Flow. I am basically using CURL to attempt this. The curl options are:

"–X POST -D \"\" --header \"Accept: application/json\" --header \"Content-Type: application/x-www-form-urlencoded\" --header \"Authorization: Basic " & $basic  & "\" --data " & $data

 

$basic is a base64 encoded combo of clientID:clientSecret

$data is "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=" & $jwt

$jwt is the jwt value we received in the rc_credentials.json file for the application.

 

The app is private and is configured for JWT auth flow and issue refresh tokens is set to Yes. The application scope is set to read accounts and ringout.

What am I missing?

Best answer by local728

It worked on the Mac, so I researched the differences of curl on a Mac and Windows and found the solution. On a Mac/Linux machine. you enclose the parameters with ‘. On a Windows machine, you enclose the parameters with “. Also of note on Windows, if you run from PowerShell, curl is now aliased to Invoke-WebRequest, so if you want to use curl, you need to call curl.exe. Hope this post helps save someone else a lot of time :-)

So in the end, the command, on Windows needs to be:

curl -request POST 
--header "Accept: application/json" 
--header "Content-Type: application/x-www-form-urlencoded" 
--header "Authorization: Basic XYZABC=="
--data "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eXYZABZQ" 
--url "https://platform.ringcentral.com/restapi/oauth/token"

I am now working :-)

View original

PhongVu
Community Manager
Forum|alt.badge.img
  • PhongVu
  • Community Manager
  • April 15, 2025

Replace the based64 encoded and the JWT token and try this form of curl

curl --request POST \
--url 'https://platform.ringcentral.com/restapi/oauth/token' \
--header 'Accept: application/json' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic [based64 encoded clientId:clientSecret]' \
--data 'grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=[YourJWTToken]'

 

local728
  • local728
  • Inspiring
  • April 15, 2025

Same result.

{  "error" : "invalid_request",  "error_description" : "Unsupported grant type",  "errors" : [ {    "errorCode" : "OAU-250",    "message" : "Unsupported grant type"  } ]}

PhongVu
Community Manager
Forum|alt.badge.img
  • PhongVu
  • Community Manager
  • April 16, 2025
local728 wrote:

Same result.

{  "error" : "invalid_request",  "error_description" : "Unsupported grant type",  "errors" : [ {    "errorCode" : "OAU-250",    "message" : "Unsupported grant type"  } ]}

Then probably your app is not a JWT flow. What is the app client id?

local728
  • local728
  • Inspiring
  • April 16, 2025

3bE6qFKZ8PYejkchRxkiWD

JWT is clearly selected in the portal.

PhongVu
Community Manager
Forum|alt.badge.img
  • PhongVu
  • Community Manager
  • April 16, 2025
local728 wrote:

3bE6qFKZ8PYejkchRxkiWD

JWT is clearly selected in the portal.

I use your app credentials and the JWT token and it works well

{
  "access_token" : "U0pDMDFQMDZQQVM....",
  "token_type" : "bearer",
  "expires_in" : 3600,
  "refresh_token" : "U0pDMDFQMDZQQVMwMHx....",
  "refresh_token_expires_in" : 604800,
  "scope" : "ReadAccounts RingOut",
  "owner_id" : "319508XXXX",
  "endpoint_id" : "X21JJSrFTaS47XRTUY...",
  "session_id" : "875400b4-7db1-4b47-ad65-25785b04...",
  "session_idle_timeout" : 3600
}

I see that you have 2 JWT tokens, one for a specific app and one for all apps under the account. Use the one for all apps to make sure that it allows you to authenticate any app, otherwise, use the right JWT token and the right app credentials.

If that does not help, double check your code, the based64 encoded etc.

local728
  • local728
  • Inspiring
  • April 16, 2025

Using the JWT ending in toQ

Using the client ID ending in WD

Using the secret ending in v4

Is the basic authentication literally Base64(xxxxxxxv4:XXXXXXXWD)? Do we keep the == in from the end of the command?

I ran the curl command from the command line and got the same error.

PhongVu
Community Manager
Forum|alt.badge.img
  • PhongVu
  • Community Manager
  • April 17, 2025
local728 wrote:

Using the JWT ending in toQ

Using the client ID ending in WD

Using the secret ending in v4

Is the basic authentication literally Base64(xxxxxxxv4:XXXXXXXWD)? Do we keep the == in from the end of the command?

I ran the curl command from the command line and got the same error.

Every single char from the based60 encoded. So including the ==

local728
  • local728
  • Inspiring
  • April 17, 2025

That’s what I’m doing and still get the error.

PhongVu
Community Manager
Forum|alt.badge.img
  • PhongVu
  • Community Manager
  • April 17, 2025
local728 wrote:

That’s what I’m doing and still get the error.

If it does not work with the

PhongVu wrote:
local728 wrote:

Using the JWT ending in toQ

Using the client ID ending in WD

Using the secret ending in v4

Is the basic authentication literally Base64(xxxxxxxv4:XXXXXXXWD)? Do we keep the == in from the end of the command?

I ran the curl command from the command line and got the same error.

Every single char from the based60 encoded. So including the ==

 

Reading carefully, as you wrote

Using the client ID ending in WD

Using the secret ending in v4

Base64(xxxxxxxv4:XXXXXXXWD)

Why did you put the string to be based64 encoded “clientSecret:clientId”?

It must be clientID:clientSecret. So it must be Base64(xxxxxxxWD:XXXXXXXv4)

local728
  • local728
  • Inspiring
  • April 17, 2025

Sorry, that was a typo. Checking the code it is (xxxxxxxWD:XXXXXXXXv4). That results in an encoded string staring with M2 and ending with NA==. I have done the conversion using multiple tools and get the same result.

PhongVu
Community Manager
Forum|alt.badge.img
  • PhongVu
  • Community Manager
  • April 18, 2025
local728 wrote:

Sorry, that was a typo. Checking the code it is (xxxxxxxWD:XXXXXXXXv4). That results in an encoded string staring with M2 and ending with NA==. I have done the conversion using multiple tools and get the same result.

If all the credentials are correct and you still cannot get authenticated. I can only think that something is not correct in your curl or environment.

Clone this PHP project and try with the code. Or download any RingCentral SDK to try.

local728
  • local728
  • Inspiring
  • April 18, 2025

I’m doing it on Windows - I have a Mac I can try it on and see if I get different results. I’ll report back.

local728
  • local728
  • Inspiring
  • April 18, 2025

It worked on the Mac, so I researched the differences of curl on a Mac and Windows and found the solution. On a Mac/Linux machine. you enclose the parameters with ‘. On a Windows machine, you enclose the parameters with “. Also of note on Windows, if you run from PowerShell, curl is now aliased to Invoke-WebRequest, so if you want to use curl, you need to call curl.exe. Hope this post helps save someone else a lot of time :-)

So in the end, the command, on Windows needs to be:

curl -request POST 
--header "Accept: application/json" 
--header "Content-Type: application/x-www-form-urlencoded" 
--header "Authorization: Basic XYZABC=="
--data "grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&assertion=eXYZABZQ" 
--url "https://platform.ringcentral.com/restapi/oauth/token"

I am now working :-)

Reply


Most helpful members this week

Terms & ConditionsCookie settings

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings
PRODUCTS
RingEX
Message
Video
Phone
OPEN ECOSYSTEM
Developer Platform
APIs
Integrated Apps
App Gallery
Developer support
Games and rewards

RESOURCES
Resource center
Blog
Product Releases
Accessibility
QUICK LINKS
App Download
RingCentral App login
Admin Portal Login
Contact Sales
© 1999-2024 RingCentral, Inc. All rights reserved. Privacy Notice