Invalid JWT Signature

+KimNilsson

unread,

Sep 12, 2016, 8:01:09 AM9/12/16

to Google Apps Manager

(Running GAMADV-X as alias gamx)

$ gamx user UserA sendas Us...@my.domain "Testing SendAs" default

ERROR: Authentication Token Error - invalid_grant: Invalid JWT Signature.

What am I missing?

$ gamx oauth info

Client OAuth2 File: /Users/me/.gam/oauth2.txt

Client ID: xxxx.apps.googleusercontent.com

Secret: xxxx

Scopes:

https://apps-apis.google.com/a/feeds/compliance/audit/

https://apps-apis.google.com/a/feeds/domain/

https://apps-apis.google.com/a/feeds/emailsettings/2.0/

https://mail.google.com/

https://sites.google.com/feeds

https://www.google.com/m8/feeds/contacts

https://www.googleapis.com/auth/admin.datatransfer

https://www.googleapis.com/auth/admin.directory.customer

https://www.googleapis.com/auth/admin.directory.device.chromeos

https://www.googleapis.com/auth/admin.directory.device.mobile

https://www.googleapis.com/auth/admin.directory.domain

https://www.googleapis.com/auth/admin.directory.group

https://www.googleapis.com/auth/admin.directory.notifications

https://www.googleapis.com/auth/admin.directory.orgunit

https://www.googleapis.com/auth/admin.directory.resource.calendar

https://www.googleapis.com/auth/admin.directory.rolemanagement

https://www.googleapis.com/auth/admin.directory.user

https://www.googleapis.com/auth/admin.directory.user.security

https://www.googleapis.com/auth/admin.directory.userschema

https://www.googleapis.com/auth/admin.reports.audit.readonly

https://www.googleapis.com/auth/admin.reports.usage.readonly

https://www.googleapis.com/auth/apps.groups.settings

https://www.googleapis.com/auth/apps.licensing

https://www.googleapis.com/auth/calendar

https://www.googleapis.com/auth/classroom.courses

https://www.googleapis.com/auth/classroom.guardianlinks.students

https://www.googleapis.com/auth/classroom.profile.emails

https://www.googleapis.com/auth/classroom.profile.photos

https://www.googleapis.com/auth/classroom.rosters

https://www.googleapis.com/auth/cloudprint

https://www.googleapis.com/auth/drive.file

https://www.googleapis.com/auth/siteverification

Google Apps Admin: my.e...@my.domain

Other commands seem to work.

$ gamx update user Us...@my.domain gal no

User: Us...@my.domain , Updated

If I run the command with my regular gam it works.

$ gam user UserA sendas Us...@my.domain "Testing SendAs" default

Allowing UserA@my.domain to send as Us...@my.domain (1 of 1)

Ross Scroggs

unread,

Sep 12, 2016, 8:06:16 AM9/12/16

to google-ap...@googlegroups.com

Kim,

When you installed GAMADV-X, did you perform these stapes:

Go here: https://github.com/jay0lee/GAM/wiki/CreatingClientSecretsFile

Log on to the admin console as in steps 6.ii.c, d, e.

In the list of Authorized API clients, locate your Gam OAuth2 Client, copy the Client ID and then remove the entry.

Paste the Client ID into the Client name box as in step 6.ii.f, then do steps 6.ii.g and 6.ii.h.

You'll notice that the API Scopes - OAuth2 list has additional entries, these are what is required in Gam 3.7.

Skip down to step 6.iii.

In the list of Authorized API clients, locate your Gam Service Account, copy the Client ID and then remove the entry.

Paste the Client ID into the Client name box as in step 6.iii.c, then do steps 6.iii.d and 6.iii.e.

You'll notice that the API Scopes - Service Account list has additional entries, these are what is required in Gam 3.7.

The list of scopes for the client should be:

https://mail.google.com/,
https://sites.google.com/feeds,
https://www.google.com/m8/feeds/contacts,
https://www.googleapis.com/auth/admin.datatransfer,
https://www.googleapis.com/auth/admin.directory.customer,
https://www.googleapis.com/auth/admin.directory.domain,
https://www.googleapis.com/auth/admin.directory.resource.calendar,
https://www.googleapis.com/auth/calendar,
https://www.googleapis.com/auth/classroom.courses,
https://www.googleapis.com/auth/classroom.profile.emails,
https://www.googleapis.com/auth/classroom.profile.photos,
https://www.googleapis.com/auth/classroom.rosters,
https://www.googleapis.com/auth/classroom.guardianlinks.students,
https://www.googleapis.com/auth/cloudprint,
https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/plus.login,
https://www.googleapis.com/auth/plus.me,
https://www.googleapis.com/auth/siteverification,

The list of scopes for the Service Account should be:

https://mail.google.com/,
https://sites.google.com/feeds,
https://www.google.com/m8/feeds/contacts,
https://www.googleapis.com/auth/activity,
https://www.googleapis.com/auth/calendar,
https://www.googleapis.com/auth/drive,
https://www.googleapis.com/auth/gmail.settings.basic,
https://www.googleapis.com/auth/gmail.settings.sharing,
https://www.googleapis.com/auth/plus.login,
https://www.googleapis.com/auth/plus.me,
https://www.googleapis.com/auth/userinfo.email,
https://www.googleapis.com/auth/userinfo.profile,

Ross

--

ross.s...@gmail.com

--
You received this message because you are subscribed to the Google Groups "Google Apps Manager" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To post to this group, send email to google-ap...@googlegroups.com.
Visit this group at https://groups.google.com/group/google-apps-manager.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/1d91ee08-d2b8-4c7c-8712-e0eab74fe959%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

+KimNilsson

unread,

Sep 12, 2016, 8:30:08 AM9/12/16

to Google Apps Manager

Yup, sure did.

Just re-did it now. Same error.

+KimNilsson

unread,

Sep 12, 2016, 11:00:08 AM9/12/16

to Google Apps Manager

Turns out I did something wrong somewhere.

Re-did my JSON files and all works now.

Reply all

Reply to author

Forward

Invalid JWT Signature - (GAMADV-X)

+KimNilsson

Ross Scroggs

+KimNilsson

+KimNilsson