Fresh install : Authenticating...invalid_grant: Invalid JWT Signature.

[Nicolas Mirek]

Hi everyone !

I was doing a fresh install of GAM on a Chromebook virtual linux, everything went well until I had this error message :

Computer clock status:

 Your system time differs from admin.googleapis.com by less than 1 second   PASS

Service Account Private Key Authentication:

 Authenticating...invalid_grant: Invalid JWT Signature.                     FAIL

ERROR: Invalid private key in oauth2service.json. Please delete the file and then

recreate with "gam create project" or "gam use project"

Service account authorization failed. Confirm you entered the scopes correctly in the admin console. It can take a few minutes for scopes to PASS after they are entered in the admin console so if you're sure you entered them correctly, go grab a coffee and then hit Y to try again. Say N to skip admin authorization.

Thinking it was related to the Chromebook, I tried on a Mac but I got the same message.

Any idea ?

Regards,

Nicolas.

[Jay Lee]

Look at the oauth2service.json file and grab the value of private_key_id (it'll be a random string).

Compare that to the cloud console value from:

cloud.console.google.com > IAM > Service accounts > keys

Do they match?

Jay

--
You received this message because you are subscribed to the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/b80f17ee-818c-48cb-895a-3760cd137447n%40googlegroups.com.

[Nicolas Mirek]

Hi Jay,

Yes, they match.

Regards,

Nicolas.

[Henrik Tinnberg]

Hi

Any update on how to solve this? Get this error as well on Mac. Never seen it before.

The private_key_id match here as well.

Please advise

Henrik

[Rance Hall]

On a new install this is normal.  It only happens because that GAM app isn’t authorized to work on your domain yet.  The install is likely fine, just follow the authorization steps.

 

I don’t remember this output format till the “check serviceaccount” step.  If you are getting this error there, then you didn one of the other steps wrong.

 

Update your config, set web_browser to “false” and try again.

 

Rance

 

-- 

 

Rance Hall

Application Specialist

ESU 10

308-698-1919

 

Some days are better, some days are worse.

Look for the blessing instead of the curse.

 

 

 

 

 

 

From: google-ap...@googlegroups.com <google-ap...@googlegroups.com> on behalf of Nicolas Mirek <nicol...@l214.com>
Date: Monday, October 18, 2021 at 2:09 AM
To: GAM for Google Workspace <google-ap...@googlegroups.com>
Subject: [GAM] Fresh install : Authenticating...invalid_grant: Invalid JWT Signature.

[EXTERNAL EMAIL]

--

[Shekhar Pathak]

I've got the same problem when I tried to update from 6.08 to 6.09

[Muhammad Saka Syauqi]

Hi All
I am Saka
I got the same error after execute 

could anyone help me please, thanks

NOTICE: This e-mail and any files transmitted with it may contain confidential information, 
and are intended solely for the use of the individual or entity to whom they are addressed. 
Any retransmission, dissemination or other use of the information by persons other than 
the intended recipient or entity is prohibited. If you receive this e-mail in error please 
contact the sender by return e-mail and delete the material from your system. Thank you.

[Shekhar Pathak]

Hi Saka,

Try this.

download the ouath2service.json from the google cloud console.

https://console.cloud.google.com/apis/credentials should take you there

once you download the json file, rename it to oauth2service.json.

Then it should work.

[Ross Scroggs]

You can't re-download the current oauth2service.json file; you have to delete the current key, add a new key and download it.

Log on here: https://console.cloud.google.com/apis/credentials

In the lower right, click on Manage service accounts

Click the 3 dots at the right end of the project line

Click Manage keys

Click the trash can icon and the right end of the line

Click Delete

Click Add Key

Click Create new key

Select JSON

Click Create

Save the file

Click close

Rename your existing oauth2service.json file to oauth2service.old

Move the downloaded file (gam-project-xxx-yyy-zzz-123456.json) to the same location as oauth2service.old

Rename the downloaded file (gam-project-xxx-yyy-zzz-123456.json) to oauth2service.json

You should be good to go.

Ross

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/bb89c489-bced-4b0b-b749-2bc546c0106bn%40googlegroups.com.

--

Ross Scroggs

ross.s...@gmail.com

[Henrik Tinnberg]

Thanks Ross

That worked!

BR

Henrik

[Jay Lee]

Ross and I are trying to reproduce the issue here but haven't been able to yet.

Can someone facing this give it an hour and then try the check serviceaccount again? I'm wondering if it's a timing issue.

Jay Lee

To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/0263b70a-5d0a-468d-9614-9387255201a8n%40googlegroups.com.

[Muhammad Saka Syauqi]

Hi Ross
Thanks, That's worked
Could you tell us what make it happened 
Many thanks

Regards

Saka Syauqi
Engineer 

Cloud Solutions | IT Procurement | Web Development
Ph: (021) 5086 1517, (031) 731 3390
www.eikontechnology.com  blog.eikontechnology.com

You received this message because you are subscribed to a topic in the Google Groups "GAM for Google Workspace" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-apps-manager/rF937zjk5oA/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-apps-man...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-manager/CAJkvRS-ur42pfhbir%3DSPxNha4U26GASLA990woYz6qsApSUk%3Dw%40mail.gmail.com.

[Shekhar Pathak]

@jay & @Ross,

I have recreated the creds for my account.

same issue.

Will wait for an hour and try again.

I have backed up the working creds, so if all else fails I can revert to those.

[Shekhar Pathak]

I think it is a timing issue.

I ran GAM again with the new credentials [that I created 14 hours ago].

It is working now, asked me to go through an additional step though.

************************************************************************************************************

C:\Users\Shekh>gam user xxxx...@xxxxx.xxx check serviceaccount

Computer clock status:

 Your system time differs from admin.googleapis.com by less than 1 second   PASS

Service Account Private Key Authentication:

 Authenticating...                                                          PASS

Checking key age. Google recommends rotating keys on a routine basis...

 Key is 0 days old                                                          PASS

Domain-Wide Delegation authentication as  xxxx...@xxxxx.xxx  :

 https://mail.google.com/                                                   FAIL

 https://www.googleapis.com/auth/apps.alerts                                FAIL

 https://www.googleapis.com/auth/calendar                                   FAIL

 https://www.googleapis.com/auth/cloud-identity                             FAIL

 https://www.googleapis.com/auth/drive                                      FAIL

 https://www.googleapis.com/auth/drive.activity                             FAIL

 https://www.googleapis.com/auth/gmail.settings.basic                       FAIL

 https://www.googleapis.com/auth/gmail.settings.sharing                     FAIL

 https://www.googleapis.com/auth/spreadsheets                               FAIL

ERROR: Some scopes failed! To authorize them, please go to:

  https://gam-shortn.appspot.com/xxxxxx

You will be directed to the Google Workspace admin console Security/API Controls/Domain-wide Delegation page

The "Add a new Client ID" box will open

Make sure that "Overwrite existing client ID" is checked

Please click Authorize to allow these scopes access.

After authorizing it may take some time for this test to pass so

go grab a cup of coffee and then try this command again.

************************************************************************************************************

went to the link, followed the instructions and now it works fine.

It took me to Security > API Controls > Domain-wide delegation