"JWT token is incorrectly formatted" error when trying to get an AdobeIO API access token

Avatar

Avatar

lorisg52723730

Avatar

lorisg52723730

lorisg52723730

07-03-2017

I am having an issue obtaining an access token using JWT too. I am getting "JWT token is incorrectly formatted, and can not be decoded" error whatever JWT token I use.
Here is an example request I am doing

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Cache-Control: no-cache" -d 'client_id=***&client_secret=***&jwt_token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.EkN-DOsnsuRjRO6BxXemmJDm3HbxrbRzXglbN2S4sOkopdU4IsDxTI8jO19W_A4K8ZPJijNLis4EZsHeY559a4DFOd50_OqgHGuERTqYZyuhtF39yxJPAjUESwxk2J5k_4zM3O-vtd1Ghyo4IbqKKSy6J9mTniYJPenn5-HIirE' "https://ims-na1.adobelogin.com/ims/exchange/jwt"

client_id and client_secret are obfuscated here, but they are correct when I'm getting the error since omitting or tampering one of them will result in a "client_id/client_secret are incorrect" error instead.
Concerning the jwt_token, I tried various token, I tried base64 encoding the all token, etc. It is always returning the same "JWT token is incorrectly formatted" error. In the example, I used a JWT example from https://jwt.io/#debugger, so it is correctly formatted and can be decoded.
I am not sure how is supposed to be formatted the jwt_token parameter value.

Accepted Solutions (1)

Accepted Solutions (1)

Avatar

Avatar

ddphotoFr

Employee

Avatar

ddphotoFr

Employee

ddphotoFr
Employee

09-03-2017

Hello,

I was able to reproduce your issue and solve it. For me, the issue comes from the optional jti parameter. If your organization doesn't need this, just remove it. Otherwise you may have to handle it properly (increase it at each request).

Regards,

Damien 

Answers (5)

Answers (5)

Avatar

Avatar

ddphotoFr

Employee

Avatar

ddphotoFr

Employee

ddphotoFr
Employee

15-03-2017

Hi,

tenant is your organization name.

You may find it your marking cloud URL: https://<tenant_id>.marketing.adobe.com

So, if your Marketing Cloud URL is https://ac-sample.marketing.adobe.com, you should use 

https://mc.adobe.io/ac-sample/campaign/{rest-of-url}

Damien

Avatar

Avatar

lorisg52723730

Avatar

lorisg52723730

lorisg52723730

09-03-2017

Hi Damien,

you were right, thanks a lot for helping ! That's a shame the error message and the documentation are both so misleading about this... I was able to get an access token and i'm now trying to do a simple query as documented here: https://docs.campaign.adobe.com/doc/standard/en/adobeio.html. I went through all the available documentation, and our adobe campaign instance, and I have no idea how to build a proper endpoint URL. What is supposed to be the "tenant"? Can't find this information. I tried various URLs, and i'm getting various errors such as:

  • Oops. Something went wrong. Check your URI and try again.
  • Bearer token of a technical account must be accompanied with a valid service token
  • Invalid Api Key

Avatar

Avatar

ddphotoFr

Employee

Avatar

ddphotoFr

Employee

ddphotoFr
Employee

08-03-2017

The format is correct:

<base64(header)>.<base64(payload)>.<base64(sign)>

Did you check the expiration time?

Avatar

Avatar

lorisg52723730

Avatar

lorisg52723730

lorisg52723730

08-03-2017

Hi Damien, thanks for helping. The JWT in my post was an example, but of course I tried with a proper JWT first. The error returned is not saying there is an issue with the content of the JWT, but that it is malformed and can't be decoded. That's why I also tried with a JWT from jwt.io which is known to be properly formed. So, either the error message is misleading, either my problem has nothing to do with the content of the JWT but its form.

Do you have an example of how the jwt_token parameter is supposed to look like? Should it be re-encoded with base64? Should I only pass the part after the "." ? I tried various JWT librairies, and they all properly encode / then decode the payload with my private key using RS256 algo. The only system complaining about not being able to decode the JWTs is the IMS adobelogin endpoint.

Avatar

Avatar

ddphotoFr

Employee

Avatar

ddphotoFr

Employee

ddphotoFr
Employee

08-03-2017

Hello,

you can follow process explain here https://docs.campaign.adobe.com/doc/standard/en/adobeio.html

But your payload (the part after the ".") is in your example

{ "sub": "1234567890", "name": "John Doe", "admin": true }

but to work, it must look like:

{ "exp" : <expiry_time>, "iss" : "<your_org_id@AdobeOrg>", "sub" : "<your_tech_account_id>@techacct.adobe.com", "aud" : "https://ims-na1.adobelogin.com/c/<your_api_key>", "https://ims-na1.adobelogin.com/s/ent_campaign_sdk" : True }

As explained in the documentation, you can also see common authentication page: https://www.adobe.io/products/target/docs/reference/authentication/StepstogainAPIaccess 

Regards,

Damien