java, oauth-2.0, docusignapi

"no_valid_keys_or_signatures" Error Calling DocuSign API through Java SDK for OAuth 2.0 Authentication


I am upgrading our application's authentication method into the DocuSign API from the DocuSign Legacy Authentication to the JWT Grant OAuth 2.0 Authentication.

I am receiving the following error when making the Java SDK API call:

Caused by: com.docusign.esign.client.ApiException: Error while requesting server, received a non successful HTTP code 400 with response Body: '{"error":"invalid_grant","error_description":"no_valid_keys_or_signatures"}' at com.docusign.esign.client.ApiClient.requestJWTUserToken(ApiClient.java:866)

I am performing this from the DocuSign Demo Environment and am using the docusign-esign-java jar - version 3.12.0. Here is the salient code snippet:

    private OAuthToken getOAuthToken(final String integratorKey, final String userId, final String rsaPrivateKey) {

        final ApiClient apiClient = new ApiClient();
        OAuthToken oAuthToken = new OAuthToken();

        final List<String> scopes = Arrays.asList(Scope_SIGNATURE, Scope_IMPERSONATION);

        try {
            // call failing here on apiClient.requestJWTUserToken(...)
            oAuthToken = apiClient.requestJWTUserToken(integratorKey, userId, scopes, rsaPrivateKey.getBytes(), 10000);
        }
        catch (IllegalArgumentException | IOException e) {
            this.exceptionService.handleApiException("requestJWTUserToken", new ApiException(null, e, 500, null, null));
        }
        catch (final ApiException e) {
            this.exceptionService.handleApiException("requestJWTUserToken", e);
        }

        return oAuthToken;
    }

Now as far as the parameters go, I am using the Integration Key for my specific app from the Apps and Keys page:

DocuSign Demo Apps & Keys

As far as the userId is concerned, I am using the API Username from the Admin screen below related to the user that is deemed as the application user:

DocuSign Demo User

Note that I have followed the instructions found here to request application consent for this particular user above. This process was successful.

Concerning the scopes parameters, I am passing the Signature and Impersonation scopes as evidenced in the code snippet.

As for the rsaPrivateKey parameter I am using the generated one that I copied during the creation on the following page:

DocuSign Demo Specific App

Note that my User Application Authentication method on that screen is Authorization Code Grant and I set up the redirect URI as shown.

Finally, the last parameter is for the JWT assertion time and is set at 10000 seconds currently.

Now when I pause at a breakpoint just before the failing line is called I see that all of my parameters are defined as expected from the explanation above.

Could someone shed some light on what I may be doing wrong?

Any help is greatly appreciated!


Solution

  • After a bit more discussion with a colleague and examining the Quickstart Application, the problem was rather trivial. If you look in the code snippet I have above you will see this:

    final ApiClient apiClient = new ApiClient();

    As mentioned, I'm attempting this in the demo environment. Well, apparently the default constructor populates the basePath in the ApiClient object with the Prod basePath...hence the ApiClient was set up with the wrong basePath property. If I change the line above to instantiate the ApiClient with the basePath from the Demo Environment (pulled from a java property) then all is well:

    final ApiClient apiClient = new ApiClient(this.docusignProperties.getRestApiUrl());

    Onward!
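One way to make the environment mismatch described in the solution fail at startup instead of surfacing as `no_valid_keys_or_signatures`, as an added example (not the poster's or DocuSign's code). The `DocuSignJwtClient` class, the `Env` enum, `checkedBasePath` and `requestToken` are hypothetical names, and the two base URLs and the 3600-second lifetime are assumptions of this example.

```java
import com.docusign.esign.client.ApiClient;
import com.docusign.esign.client.ApiException;
import com.docusign.esign.client.auth.OAuth;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.List;

public final class DocuSignJwtClient {

    /** Hypothetical enum: the REST base path this example expects per environment (assumed values). */
    public enum Env {
        DEMO("https://demo.docusign.net/restapi"),
        PRODUCTION("https://www.docusign.net/restapi");

        final String basePath;
        Env(String basePath) { this.basePath = basePath; }
    }

    /** Fails fast when the configured URL points at a different environment than the one intended. */
    static String checkedBasePath(Env env, String configuredUrl) {
        String url = configuredUrl.trim();
        String expectedHost = URI.create(env.basePath).getHost();
        String actualHost = URI.create(url).getHost();
        // Exact host match is this example's policy; extend it if your account uses another host.
        if (actualHost == null || !expectedHost.equalsIgnoreCase(actualHost)) {
            throw new IllegalStateException("DocuSign base path host " + actualHost
                    + " does not match " + env + " (" + expectedHost + ")");
        }
        return url;
    }

    /** Requests a JWT user token with an ApiClient bound explicitly to the chosen environment. */
    public static OAuth.OAuthToken requestToken(Env env, String configuredUrl, String integrationKey,
            String userId, String rsaPrivateKeyPem) throws ApiException, IOException {
        // Do not use new ApiClient() here: per the solution above, it defaults to the Prod basePath,
        // so a key pair registered in the demo environment is not recognised.
        ApiClient apiClient = new ApiClient(checkedBasePath(env, configuredUrl));
        List<String> scopes = Arrays.asList(OAuth.Scope_SIGNATURE, OAuth.Scope_IMPERSONATION);
        return apiClient.requestJWTUserToken(integrationKey, userId, scopes,
                rsaPrivateKeyPem.getBytes(StandardCharsets.UTF_8), 3600);
    }
}
```

Binding the integration key, private key and base path to one `Env` value in configuration keeps demo credentials from ever being submitted to the production token endpoint, and the reverse.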