s-KaiNet / node-sp-auth

Unattended SharePoint http authentication with nodejs
MIT License

Invalid JWT token. Could not resolve issuer token. #42

Open ghost opened 6 years ago

ghost commented 6 years ago

Hello! I'm trying to make SharePoint REST API call inside Gulp task (SharePoint Foundation 2013). I followed the manual https://github.com/s-KaiNet/node-sp-auth/wiki/SharePoint%20on-premise%20addin%20only%20authentication and tried the code inside the task:

var spauth = require('node-sp-auth');
var request = require('request-promise');

var siteUrl = "https://portal.domain.local/site/subsite/";

spauth.getAuth(siteUrl, {
    clientId: 'bc194aac-cbf3-494a-bc86-b8f3949508b7',
    issuerId: '6d810524-c62c-4fa1-affb-4bb9e4184a8b',
    realm: '24b2cf21-fc6b-4064-b72b-a62600563a09',
    rsaPrivateKeyPath: 'C:\\Certificates\\s2strust.key',
    shaThumbprint: 'gjnXJkW0nBXP3tGOOr3JNtOeoA'
})
.then(data => {
    // data.headers carries the Authorization: Bearer header for the add-in token
    let headers = data.headers;
    headers['Accept'] = 'application/json;odata=verbose';
    console.log(data);
    return request.get({
        url: siteUrl + '_api/web',
        headers: headers,
        json: true,
        rejectUnauthorized: false
    });
})
.then(function (response) {
    console.log(response.d.Title);
})
.catch(function (err) {
    // a 401 from SharePoint surfaces here as a StatusCodeError
    console.log(err);
});

Unfortunately I receive error in the console:

{"error_description":"Invalid JWT token. Could not resolve issuer token."}
    at new StatusCodeError (node_modules\request-promise-core\lib\errors.js:32:15)
    at Request.plumbing.callback (node_modules\request-promise-core\lib\plumbing.js:104:33)
    at Request.RP$callback [as _callback] (node_modules\request-promise-core\lib\plumbing.js:46:31)
    at Request.self.callback (node_modules\request\request.js:186:22)
    at emitTwo (events.js:106:13)
    at Request.emit (events.js:191:7)
    at Request.<anonymous> (node_modules\request\request.js:1163:10)
    at emitOne (events.js:96:13)
    at Request.emit (events.js:188:7)
    at IncomingMessage.<anonymous> (node_modules\request\request.js:1085:12)
    at IncomingMessage.g (events.js:291:16)
    at emitNone (events.js:91:20)
    at IncomingMessage.emit (events.js:185:7)
    at endReadableNT (_stream_readable.js:974:12)
    at _combinedTickCallback (internal/process/next_tick.js:74:11)
    at process._tickCallback (internal/process/next_tick.js:98:9)

Could you help me to troubleshoot the issue please?

s-KaiNet commented 6 years ago

Hi,
wow, that's something difficult to investigate. Tomorrow I'll have time, I'll go through the whole process of creating certificates, etc. to make sure it's ok. Meanwhile, could you try to test your SP apps configuration by creating a new SharePoint provider hosted app in Visual Studio? If the app works, then the configuration of SharePoint is correct.

ghost commented 6 years ago

Thank you for the quick reply. Actually it is not a SharePoint app. It is just a gulpfile.js file running as a gulp task in Visual Studio Code. Ideally the task should update JSLink properties for List Views but currently I'm unable even to get Web properties.

s-KaiNet commented 6 years ago

Yep, I know that. I'm just curious if you set up apps for SharePoint correctly. The first step in the instruction is to set up the apps environment. You might receive this error because you missed some essential things or maybe something is misconfigured. The best (and fastest) way to check it is through Visual Studio and a new SharePoint provider hosted app project.

s-KaiNet commented 6 years ago

Another way to test it is using a console application and SharePointPnPCore2016 (or 2013 depending on the version of your SharePoint). Add the code below to test your certificate and app registration:

var mngr = new AuthenticationManager();
var ctx = mngr.GetHighTrustCertificateAppOnlyAuthenticatedContext(....);

If it works, then your configuration is OK.
Just thinking... do you really need node.js for your task? Something you want to do can be done with .net much easier...

s-KaiNet commented 6 years ago

So I've checked this approach and it works, I think it's an issue with your farm apps configuration. I noticed you use SharePoint Foundation... TBH I've never tested it with Foundation, but anyway it should work. The first thing for you to check is your farm configuration.

ghost commented 6 years ago

Thank you for the suggestion. I was able to create a High Trust app that gets the Title of a Web using the VS 2017 project template. The request through .NET CSOM works well. Then I tried node-sp-auth on the same Web for the same Client Id and it fails with the Invalid JWT token error. Then I tried to use sp-request:

var gulp = require('gulp');
var sprequest = require('sp-request');

// same site as in the first comment, without the trailing slash
var siteUrl = "https://portal.domain.local/site/subsite";

gulp.task('default', function () {
    let credentials = {
        clientId: 'a960c9a1-c495-4ea0-8f69-570745ac7828',
        issuerId: '6d810524-c62c-4fa1-affb-4bb9e4184a8b',
        realm: '24b2cf21-fc6b-4064-b72b-a62600563a09',
        rsaPrivateKeyPath: 'C:\\Certificates\\s2strust.key',
        shaThumbprint: 'gjnXJkW0nBXP3tGOOr3JNtOeoA'
    };
    let spr = sprequest.create(credentials);
    // return the promise so gulp knows when the task has finished
    return spr.get(siteUrl + "/_api/web")
        .then(response => {
            console.log(response.body.d.Title);
        }, err => {
            console.log(err);
        });
});

The response body was 'Invalid JWT token. Could not resolve issuer token.'. In the response I observe some other errors (not sure if they are related to the problem but it seems they are):

...
headers:
      { server: 'Microsoft-IIS/7.5',
        'x-ms-diagnostics': '3000006;reason="Token contains invalid signature.";category="invalid_client"',
        sprequestguid: '0851559e-93ca-90a0-7002-cba550533721',
        'request-id': '0851559e-93ca-90a0-7002-cba550533721',
        'x-frame-options': 'SAMEORIGIN',
        sprequestduration: '5',
        spiislatency: '2',
        'www-authenticate': 'Bearer realm="24b2cf21-fc6b-4064-b72b-a62600563a09",client_id="00000003-0000-0ff1-ce00-000000000000",trusted_issuers="6d810524-c62c-4fa1-affb-4bb9e4184a8b@24b2cf21-fc6b-4064-b72b-a62600563a09,00000003-0000-0ff1-ce00-000000000000@24b2cf21-fc6b-4064-b72b-a62600563a09", NTLM',
...
statusCode: 401,
     statusMessage: 'Unauthorized',
     client:
      TLSSocket {
...
authorized: false,
        authorizationError: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
...
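The 401 above carries two headers that say where the rejection happened: x-ms-diagnostics gives the farm's own reason, and WWW-Authenticate lists the issuers the web application trusts. The helper below is an added example, not code from node-sp-auth or from this thread; it parses both headers (sample values constructed from the response quoted above) and checks a configured issuerId/realm against the trusted_issuers list, so a registration problem can be told apart from a signing (certificate/thumbprint) problem.

```javascript
// Added troubleshooting helper; not node-sp-auth code and not from this thread.
// It reads the 401 headers SharePoint returned and reports what the server says.

// Header values constructed from the 401 response quoted above.
const SAMPLE_HEADERS = {
  'x-ms-diagnostics':
    '3000006;reason="Token contains invalid signature.";category="invalid_client"',
  'www-authenticate':
    'Bearer realm="24b2cf21-fc6b-4064-b72b-a62600563a09",' +
    'client_id="00000003-0000-0ff1-ce00-000000000000",' +
    'trusted_issuers="6d810524-c62c-4fa1-affb-4bb9e4184a8b@24b2cf21-fc6b-4064-b72b-a62600563a09,' +
    '00000003-0000-0ff1-ce00-000000000000@24b2cf21-fc6b-4064-b72b-a62600563a09", NTLM',
};

// x-ms-diagnostics looks like: <code>;reason="...";category="..."
function parseDiagnostics(value) {
  const [code, ...rest] = value.split(';');
  const out = { code: code.trim() };
  for (const part of rest) {
    const m = /^\s*([\w-]+)="([^"]*)"/.exec(part);
    if (m) out[m[1]] = m[2];
  }
  return out;
}

// Extract the key="value" parameters of the Bearer challenge; the trailing
// ", NTLM" is a second, unrelated scheme that SharePoint also offers.
function parseBearerChallenge(value) {
  const m = /Bearer\s+((?:[\w-]+="[^"]*"\s*,?\s*)+)/i.exec(value);
  if (!m) return null;
  const params = {};
  for (const [, k, v] of m[1].matchAll(/([\w-]+)="([^"]*)"/g)) params[k.toLowerCase()] = v;
  return params;
}

// Compare the add-in's issuerId/realm with the issuers the farm trusts. An empty
// result means the trust registration matches, leaving the token signature as suspect.
function checkHighTrustConfig(headers, config) {
  const c = parseBearerChallenge(headers['www-authenticate'] || '');
  if (!c) return ['no Bearer challenge: high-trust auth is not offered by this web application'];
  const findings = [];
  if ((c.realm || '').toLowerCase() !== config.realm.toLowerCase()) {
    findings.push(`realm mismatch: config ${config.realm}, server ${c.realm}`);
  }
  const issuers = (c.trusted_issuers || '').toLowerCase().split(',').map(s => s.trim());
  const expected = `${config.issuerId}@${config.realm}`.toLowerCase();
  if (!issuers.includes(expected)) findings.push(`issuer ${expected} is not in trusted_issuers`);
  return findings;
}
```

For the configuration in this thread the check comes back empty while x-ms-diagnostics still reports an invalid signature, which points at the certificate or thumbprint rather than the issuer registration.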
s-KaiNet commented 6 years ago

Do you have a proxy setup or a firewall?

ghost commented 6 years ago

Firewall


s-KaiNet commented 6 years ago

Probably your firewall is the cause, however, TBH I'm not sure. Have you tried any other authentication methods (ADFS, NTLM)?

ghost commented 6 years ago

I tried with NTLM and it works fine.


ghost commented 6 years ago

So I've checked the firewall logs and there are no dropped packets.

xsolon commented 4 years ago

I'm getting the same error. In my case openssl doesn't print the ShaThumbprint when executing the rsa command (I have installed and run several versions and none print the thumbprint).

The certificate and app work fine if using it in a C# application. It looks like I'm missing the thumbprint in the correct format. Could you tell me how to generate it with openssl? The thumbprint on the Windows certificate console doesn't seem to work.

s-KaiNet commented 4 years ago

Have you tried steps from this wiki page? (Starting from step #11)

xsolon commented 4 years ago

I did. My issue is that the openssl step doesn't print the shathumbprint. These commands don't seem to generate a short thumbprint like the ones in your example: https://knowledge.digicert.com/solution/SO28771.html

xsolon commented 4 years ago

Never mind, I see that you are doing that in the PowerShell script. Thanks, this API is great!