Getting "error": "invalid_assertion" in Token Endpoint OIDC API call

Hi @reshamchugani @Anusha_sunkadh

I am trying to obtain a token using the https://esignet.collab.mosip.net/v1/esignet/oauth/token endpoint.

After successfully authenticating using the UI, I generated the assertion token based on the requirements of the endpoint, but when I make the call I am getting the invalid assertion error.
So which section is missing in my JWT? Below is the sample JWT generated, with its details.

Header
{
  "alg": "HS256",
  "typ": "JWT"
}

Payload
{
  "iss": "XaOVhjFTX_H8UiZf-O1TuV4ChixshdO8RqghtA_cRUM",
  "sub": "XaOVhjFTX_H8UiZf-O1TuV4ChixshdO8RqghtA_cRUM",
  "aud": "https://esignet.collab.mosip.net/v1/esignet/oauth/token",
  "exp": 1712917120,
  "iat": 1712913520
}

Verify signature
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  esignet
)

The full JWT is below.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJYYU9WaGpGVFhfSDhVaVpmLU8xVHVWNENoaXhzaGRPOFJxZ2h0QV9jUlVNIiwic3ViIjoiWGFPVmhqRlRYX0g4VWlaZi1PMVR1VjRDaGl4c2hkTzhScWdodEFfY1JVTSIsImF1ZCI6Imh0dHBzOi8vZXNpZ25ldC5jb2xsYWIubW9zaXAubmV0L3YxL2VzaWduZXQvb2F1dGgvdG9rZW4iLCJleHAiOjE3MTI5MTcxMjAsImlhdCI6MTcxMjkxMzUyMH0.RB9qnXZLLweswfVGJ_62EyRrfpnnLNl7lndN2f5hKOc

Hi @James_Simbi_Mjuweni ,

Based on the JWT shared, all the claim values seem correct. The only reason it could fail is that the private key used to sign the assertion might not be the right one.

Use the same private key corresponding to the public key shared during OIDC client onboarding.

Alright, let me try that.

@Anusha_sunkadh @reshamchugani, is it possible to share a sample assertion? I just wanted to see how the properties are signed and available in that token.

I signed the token but I am still getting the same error:
{error: 'invalid_assertion', error_description: 'invalid_assertion'}

Dear James,

We have duly noted your issue and kindly request for your patience as we work to address your inquiry.

Your query is important to us, and we will provide a response shortly.

Thank you for your understanding and patience.

Best regards,
Resham

Hi James,

Please find the sample client assertion below:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpYXQiOjE3MTMyNDU1MzYsIm5iZiI6MTcxMzI0NTUzNiwiZXhwIjoxNzEzMjQ1NjAxLCJqdGkiOiJfZ0tYcmxNZ1B2VE9VTjVvejR2WUoiLCJzdWIiOiJXTVg1cE82ZFlkQ0ZSM2lhVldHY2xWUE54VE5TQUREdi1rVjdWQmNuenZZIiwiaXNzIjoiV01YNXBPNmRZZENGUjNpYVZXR2NsVlBOeFROU0FERHYta1Y3VkJjbnp2WSIsImF1ZCI6Imh0dHBzOi8vZXNpZ25ldC5jb2xsYWIubW9zaXAubmV0L3YxL2VzaWduZXQvb2F1dGgvdG9rZW4ifQ.TnL8YulhCYtNA4AzIGxcAFczGhlVrcis0KAC65zJD4AisbdgHXXupB9_7YCeqC9uBLhoXu8QworFVN1hxGsxIWcuMeu-has58dZCJvM_O4UACXW9DtzFV4LIeGOV-76Jx6CNT4y5KwjmRQdPEJZho-05haCtp6cZULimbBI-P66DWuVGPT99CdBsaChcJNSXJfHtqwWaVAsfECyQg0VAZKvFeJuGef8G7CVbCrdpaNOKNRhz653iD-gDPwLqVecz8sJSQEXAzVXO7NJgqTXf1lGt6Yje9W65Uk_U0ZGvGl3Qk3h-w43b1-toHmLamdwJ7Cqn3-mmTRHmc7uUrK6Ukw

Also one more point, James: the registered public key is for the "RS256" algorithm, so why is the client assertion signed with "HS256"?

Regards,
Anusha

Thank you @Anusha_sunkadh
I will try changing the algorithm.

But I am seeing new fields in your JWT, "nbf": 1713245536 and "jti": "_gKXrlMgPvTOUN5oz4vYJ".

Which ones are these? The documentation doesn't mention them. What are they?

And maybe one more question: is it possible to change the certificates after an account has already been created?

James,

Only the "sub", "aud", "iss", "exp" and "iat" claims are required in the client assertion; "nbf" and "jti" are optional.

You can raise a request to update the OIDC client, or create a new one, with the new public key.
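To make the two findings in this thread checkable before calling the token endpoint (the HS256-vs-RS256 algorithm mismatch and the required-claim list), here is a small pre-flight linter for a private_key_jwt client assertion. This is added example code, not part of the thread or of eSignet; it decodes the JWT without verifying the signature, which remains the server's job and is the check that fails when the wrong private key was used. The two tokens it inspects are the ones posted above.

```python
import base64
import json
from typing import Dict, List, Tuple

# Claims the thread states are required in the client assertion; nbf and jti are optional.
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat")
TOKEN_ENDPOINT = "https://esignet.collab.mosip.net/v1/esignet/oauth/token"

# The two assertions posted in the thread above: the HS256 one and the RS256 sample.
HS256_ASSERTION = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJYYU9WaGpGVFhfSDhVaVpmLU8xVHVWNENoaXhzaGRPOFJxZ2h0QV9jUlVNIiwic3ViIjoiWGFPVmhqRlRYX0g4VWlaZi1PMVR1VjRDaGl4c2hkTzhScWdodEFfY1JVTSIsImF1ZCI6Imh0dHBzOi8vZXNpZ25ldC5jb2xsYWIubW9zaXAubmV0L3YxL2VzaWduZXQvb2F1dGgvdG9rZW4iLCJleHAiOjE3MTI5MTcxMjAsImlhdCI6MTcxMjkxMzUyMH0.RB9qnXZLLweswfVGJ_62EyRrfpnnLNl7lndN2f5hKOc"
RS256_SAMPLE = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpYXQiOjE3MTMyNDU1MzYsIm5iZiI6MTcxMzI0NTUzNiwiZXhwIjoxNzEzMjQ1NjAxLCJqdGkiOiJfZ0tYcmxNZ1B2VE9VTjVvejR2WUoiLCJzdWIiOiJXTVg1cE82ZFlkQ0ZSM2lhVldHY2xWUE54VE5TQUREdi1rVjdWQmNuenZZIiwiaXNzIjoiV01YNXBPNmRZZENGUjNpYVZXR2NsVlBOeFROU0FERHYta1Y3VkJjbnp2WSIsImF1ZCI6Imh0dHBzOi8vZXNpZ25ldC5jb2xsYWIubW9zaXAubmV0L3YxL2VzaWduZXQvb2F1dGgvdG9rZW4ifQ.TnL8YulhCYtNA4AzIGxcAFczGhlVrcis0KAC65zJD4AisbdgHXXupB9_7YCeqC9uBLhoXu8QworFVN1hxGsxIWcuMeu-has58dZCJvM_O4UACXW9DtzFV4LIeGOV-76Jx6CNT4y5KwjmRQdPEJZho-05haCtp6cZULimbBI-P66DWuVGPT99CdBsaChcJNSXJfHtqwWaVAsfECyQg0VAZKvFeJuGef8G7CVbCrdpaNOKNRhz653iD-gDPwLqVecz8sJSQEXAzVXO7NJgqTXf1lGt6Yje9W65Uk_U0ZGvGl3Qk3h-w43b1-toHmLamdwJ7Cqn3-mmTRHmc7uUrK6Ukw"


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(assertion: str) -> Tuple[Dict, Dict]:
    """Split a compact JWS and parse header and payload WITHOUT checking the signature."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("client assertion must have exactly three dot-separated parts")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def lint_client_assertion(assertion: str, registered_alg: str, token_endpoint: str, now: int) -> List[str]:
    """Return the structural problems a token endpoint would reject this assertion for.

    registered_alg is the algorithm of the public key onboarded for the OIDC client
    (RS256 in this thread). Signature verification is out of scope: the server does it.
    """
    header, payload = decode_unverified(assertion)
    issues: List[str] = []
    alg = header.get("alg")
    if alg != registered_alg:
        issues.append(f"header alg {alg} does not match registered {registered_alg}")
    missing = [c for c in REQUIRED_CLAIMS if c not in payload]
    if missing:
        issues.append("missing required claims: " + ", ".join(missing))
    if payload.get("iss") != payload.get("sub"):
        issues.append("iss and sub must both be the client_id")
    if payload.get("aud") != token_endpoint:
        issues.append(f"aud {payload.get('aud')!r} is not the token endpoint")
    if "exp" in payload and payload["exp"] <= now:
        issues.append("assertion has expired (exp <= now)")
    if "nbf" in payload and payload["nbf"] > now:
        issues.append("assertion not yet valid (nbf > now)")
    return issues


if __name__ == "__main__":
    # Evaluate each token at its own iat so the report is about structure, not clock drift.
    for name, tok in (("HS256 assertion", HS256_ASSERTION), ("RS256 sample", RS256_SAMPLE)):
        claims = decode_unverified(tok)[1]
        print(name, lint_client_assertion(tok, "RS256", TOKEN_ENDPOINT, now=claims["iat"]) or ["ok"])
```

A clean result from this linter only means the claims and algorithm are consistent with the onboarded key; an invalid_assertion that persists after that points at the private key used to sign, as suggested above.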

Let me generate a new certificate so that I can remove the possibility of the certificate being the reason why the call is failing.