question

Leigh M avatar image
Leigh M asked Leigh M commented

OAU-153 Invalid Client ID when attempting JWT auth

I'm trying to get an access token for a new sandbox application using JWT, however the REST API keeps responding with OAU-153 Invalid Client ID. The client ID and client secret are definitely correct, as is my JWT token. Not sure what I'm missing here.

$RC_SERVER_URL="https://platform.devtest.ringcentral.com"
$RC_CLIENT_ID="T2V..." # Copied from the app I created
$RC_CLIENT_SECRET="v8dN..." # Copied from the app I created
$RC_JWT_TOKEN = "eyJraW..." # Created under My Account > Credentials 

# as per https://developers.ringcentral.com/guide/authentication/jwt-flow#technical-discussion
$splat = @{
    Method  = "POST"
    Uri     = $RC_SERVER_URL + "/restapi/oauth/token"
    
    headers = @{
        ContentType = 'application/x-www-form-urlencoded; charset=UTF-8'
        Accept = 'application/json'
        Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("${RC_CLIENT_ID}:${RC_CLIENT_SECRET}"))
    }
    body    = @{
            grant_type = 'urn:ietf:params:oauth:grant-type:jwt-bearer'
            assertion = $RC_JWT_TOKEN
    }
}

$Response = Invoke-RestMethod @splat
PS C:\scripts\Get-RingCentralData> $Response = Invoke-RestMethod @splat
Invoke-RestMethod : {
  "error" : "invalid_client",
  "errors" : [ {
    "errorCode" : "OAU-153",
    "message" : "Invalid client: T2VHgSXZQ92J0lu_htr0yQ",
    "parameters" : [ {
      "parameterName" : "client_id",
      "parameterValue" : "T2VHgSXZQ92J0lu_htr0yQ"
    } ]
  } ],
  "error_description" : "Invalid client: T2VHgSXZQ92J0lu_htr0yQ"
}
At line:1 char:13
+ $Response = Invoke-RestMethod @splat
+             ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand


The one thing I find very confusing is when I go to Console > Apps > My New App > Credentials, the "User Credentials" section contains the dev environment's admin account with extension 101, and the info box says "use these credentials to test your app!"... well, I don't have access to that account, I want to use my own JWT to test the app. Is this what's causing me issues? Or is this just RingCentral trying to be "convenient" by showing me some credentials I could test with?

Any assistance would be greatly appreciated!

rest apierrorsauthenticationoauth
1 |3000

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

Phong Vu avatar image
Phong Vu answered Leigh M commented

It looks like you created a new JWT token. Make sure you copy the new JWT token and also double check the app client id and client secret as it works for you earlier.

The section describes the dev environment contains the instruction for using username and password authentication. Since you are using the JWT token, you. can just ignore it.

1 comment
1 |3000

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

Leigh M avatar image Leigh M commented ·

Appreciate the quick responses, Phong.

I just double checked and the JWT, client ID and client secret are all correct for my app. My JWT is authorized for all apps in the environment and has no expiry date. The app is currently set to Public, but I've tried it as Private as well and got the same result.

FYI I never fully got this working - the OAU-153 error is what I started getting once I resolved that 502 bad gateway issue :)

0 Likes 0 ·
Phong Vu avatar image
Phong Vu answered Leigh M commented

As I said, I don't work on Powershell so I cannot really test your code. However, I wrote this PHP lib for authenticating with JWT token and I just test the code with your app credentials and the JWT token and it works well. So I am not sure what is wrong in your environment.

https://github.com/PacoVu/authentication-jwt-flow-php

If you want to verify the app credentials and JWT token, you can clone the project and run the PHP code to test. And compare the authenticate params with your Powershell code.

1 comment
1 |3000

Up to 8 attachments (including images) can be used with a maximum of 1.0 MiB each and 10.0 MiB total.

Leigh M avatar image Leigh M commented ·

Thanks for the github repo - it looks like I am doing everything the same. I just changed the app from Public to Private, and without changing anything else, it suddenly started working. Not sure what the root cause was, unfortunately.

As always, thanks for the assistance!

0 Likes 0 ·

Developer sandbox tools

Using the RingCentral Phone for Desktop, you can dial or receive test calls, send and receive test SMS or Fax messages in your sandbox environment.

Download RingCentral Phone for Desktop:

Tip: switch to the "sandbox mode" before logging in the app:

  • On MacOS: press "fn + command + f2" keys
  • On Windows: press "Ctrl + F2" keys