DocuSign JWT Authentication: Unexpected PEM type

4

6

I can't authenticate with DocuSign's OAuth JWT because of the error Unexpected PEM Type. I'm using their NuGet package 2.2.0. If I change to 2.1.10 and tweak my code slightly, I get this error:

Error calling Login: {
    "errorCode": "PARTNER_AUTHENTICATION_FAILED",
    "message": "The specified Integrator Key was not found or is disabled. An Integrator key was not specified."
}

I only have a Sandbox account, for which I have created an Integrator Key. My redirect URI is https://docusign.com and I created an RSA keypair, whose private key I saved in a PEM file.

I'm following the instructions here https://github.com/docusign/docusign-csharp-client/blob/master/README.md but an exception is raised on the line OAuth.OAuthToken tokenInfo = apiClient.ConfigureJwtAuthorizationFlowByKey(integratorKey, userId, oauthBasePath, privateKey, expiresInHours);

I have also granted access to JWT using the url https://account-d.docusign.com/oauth/auth?response_type=code&scope=signature%20impersonation&client_id=<integrator-key>&redirect_uri=https://docusign.com.

string userId = "e1f43c1a-2546-4317-85a9-cea367f8f92c";
string oauthBasePath = "account-d.docusign.net";
string integratorKey = "<integrator-key>";
string privateKey = @"C:\Users\me\privateKey.pem";
int expiresInHours = 1;
string host = "https://demo.docusign.net/restapi";
Amourpropre answered 5/7, 2018 at 21:34 Comment(0)
2

For whatever reason sticking the userId, oauthBasePath, integratorKey, privateKey, expiresInHours and host all in a new class worked.

I also had to pass the contents of the PEM file instead of the file path.

public class FooConfig
{
    public string Host { get; set; }

    public string IntegratorKey { get; set; }

    public string UserId { get; set; }

    public string OAuthBasePath { get; set; }

    public string PrivateKeyFilename { get; set; }

    public int ExpiresInHours { get; set; }

    public ApiClient ApiClient { get; set; }

    public FooConfig()
    {
        this.UserId = "e1f43c1a-2546-4317-85a9-cea367f8f92c";
        this.OAuthBasePath = "account-d.docusign.com";
        this.IntegratorKey = "<integrator-key>";
        this.PrivateKeyFilename = @"C:\Users\me\privateKey.pem";
        this.ExpiresInHours = 1;
        this.Host = "https://demo.docusign.net/restapi";
    }
}


///////////////////////////////////////////////////////////////////////////////////////

FooConfig testConfig = new FooConfig();
testConfig.ApiClient = new ApiClient(testConfig.Host);

// If this is the first time logging in - Get Consent from the user - this is a onetime step.
Uri oauthURI = testConfig.ApiClient.GetAuthorizationUri(testConfig.IntegratorKey, scopes, "https://docusign.com", OAuth.CODE, "testState");
Process.Start(oauthURI.ToString());

string key = File.ReadAllText(testConfig.PrivateKeyFilename);
OAuth.OAuthToken tokenInfo = testConfig.ApiClient.ConfigureJwtAuthorizationFlowByKey(testConfig.IntegratorKey, testConfig.UserId, testConfig.OAuthBasePath, key, testConfig.ExpiresInHours);
Amourpropre answered 10/7, 2018 at 22:11 Comment(2)
Note that the URL in the AuthorizationUri needs to match your redirect URL in your integrator key. - Amourpropre
+1 for GetAuthUri - didn't realize I'd need something like that and that was useful. The solution to my problem was solved with File.ReadAllText instead of Encoding.Ascii/UTF/etc.GetBytes(). - Balboa
2

I was getting this message with the most current version, using this method signature:

RequestJWTUserToken(_config.ClientId, _config.UserId, $"account-d.docusign.com", _config.Key, 1);

I had copy/pasted the contents of the .pem file from the website. Opening the .pem in Notepad++ and switching its encoding from UTF-8 BOM to just UTF-8 resolved this error for me.

Tonneau answered 24/3, 2021 at 15:31 Comment(1)
That was the fix I needed. I copied from the website and pasted into a new text file I created with Visual Studio, which I guess was not the right thing to do. - Calibre
1

I encountered the same issue and resolved it by using the code below. It seems that the previous SDK (<= 2.1.10?) required the physical file location; now (SDK >= 2.2.0?) the file content is required.

testConfig.PrivateKeyFilename = File.ReadAllText("./private.pem");

OAuth.OAuthToken tokenInfo = apiClient.ConfigureJwtAuthorizationFlowByKey
            (testConfig.IntegratorKey, testConfig.UserId, testConfig.OAuthBasePath, testConfig.PrivateKeyFilename, testConfig.ExpiresInHours);
Discipline answered 17/7, 2018 at 15:33 Comment(4)
At least now in the API it's ConfigureJwtAuthorizationFlow - takes filename and ConfigureJwtAuthorizationFlowByKey uses the key data itself. - Feces
Like I mentioned in my answer, it depends on the version of the API you're using. - Discipline
Actually, in the 2.2.1 DocuSign C# SDK, the method is marked as deprecated and it is advised to use the ConfigureJwtAuthorizationFlowByKey method instead. - Discipline
Yes, after upgrading, I have started using the new call, where you send the key via byte[] or Stream instead of string. - Feces
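
A pre-flight check for the causes named in the answers above (a file path passed where PEM contents are expected, a UTF-8 BOM left by an editor, a PEM label other than the expected one), added here as an example and not taken from any answer or from the DocuSign SDK. `PemPreflight` and `LoadPrivateKey` are hypothetical names, and the `RSA PRIVATE KEY` label is an assumption about the key format.

```csharp
using System;
using System.IO;
using System.Text;
using System.Text.RegularExpressions;

public static class PemPreflight
{
    // Assumption: PKCS#1 key, i.e. the "RSA PRIVATE KEY" label; pass another label if yours differs.
    public static byte[] LoadPrivateKey(string pathOrPem, string expectedLabel = "RSA PRIVATE KEY")
    {
        // SDK versions on this page differ on path vs. contents, so accept either.
        string pem = pathOrPem.Contains("-----BEGIN ") ? pathOrPem : File.ReadAllText(pathOrPem);

        // File.ReadAllText drops a UTF-8 BOM; pasted strings and raw byte reads can keep U+FEFF.
        pem = pem.TrimStart('\uFEFF').Trim().Replace("\r\n", "\n");

        Match m = Regex.Match(pem,
            @"\A-----BEGIN ([A-Z0-9 ]+)-----\n(.+?)\n-----END \1-----\z",
            RegexOptions.Singleline);
        if (!m.Success)
            throw new FormatException("Not a single well-formed PEM block.");
        if (m.Groups[1].Value != expectedLabel)
            throw new FormatException($"PEM label '{m.Groups[1].Value}', expected '{expectedLabel}'.");

        // Throws FormatException if the body is not valid base64.
        Convert.FromBase64String(m.Groups[2].Value.Replace("\n", ""));

        // GetBytes emits no BOM, so the returned bytes start at the first dash.
        return Encoding.UTF8.GetBytes(pem + "\n");
    }

    public static void Main()
    {
        // Constructed sample: BOM + CRLF line endings around a dummy body (not a real key).
        string body = Convert.ToBase64String(new byte[48]);
        string pasted = "\uFEFF-----BEGIN RSA PRIVATE KEY-----\r\n" + body
                      + "\r\n-----END RSA PRIVATE KEY-----\r\n";

        byte[] clean = LoadPrivateKey(pasted);
        Console.WriteLine(clean[0] == (byte)'-');   // first byte is the dash, not a BOM byte

        // Same input with a different label is rejected before it reaches the SDK.
        try { LoadPrivateKey(pasted.Replace("RSA PRIVATE", "PUBLIC")); }
        catch (FormatException e) { Console.WriteLine(e.Message); }
    }
}
```

The returned bytes can be converted back with `Encoding.UTF8.GetString` for SDK overloads that take the key as a string.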
1

Old post, but maybe it helps someone:

I tried anything without success, then I ended up noticing that the issue was on the "BouncyCastle.Crypto.dll" version. It seems that I had an older version in my project.

Installing the latest one (1.9.0) solved my issue.

Receiptor answered 4/2, 2022 at 17:29 Comment(0)
