Workflow or API calls:
Same constants:
    const CLIENT_ID = '6d31c3f5-1e10-4644-9dc2-f4e51aa9c403'
    const CLIENT_SECRET = 'YhUI8ss6bVFjJounNZ3DtR3GwosYJq2z'
    const TOKEN_URL = 'https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token'
Background Information:
I have a backend service that integrates with Oracle's FHIR API using SMART authorization.
I generated the key pair and a JWKS with a kid, and added them at https://cernercentral.com
I am already generating the JWT based on the specification https://hl7.org/fhir/smart-app-launch/client-confidential-ametric.html#authenticating-to-the-token-endpoint
    import fs from 'fs'
    import crypto from 'crypto'
    import jwt from 'jsonwebtoken'   // jwt.sign() below comes from the jsonwebtoken package

    function generateJWT() {
        // kid is derived from the public-key PEM: sha256 hex, first 32 characters.
        // This must match the kid published in the JWKS, or the server cannot find the key.
        const publicKeyPEM = fs.readFileSync('public_key.pem', 'utf8')
        const kid = crypto.createHash('sha256').update(publicKeyPEM).digest('hex').slice(0, 32)
        const privateKey = fs.readFileSync('private_key.pem', 'utf8')
        const now = Math.floor(Date.now() / 1000)
        const payload = {
            iss: CLIENT_ID,
            sub: CLIENT_ID,
            aud: TOKEN_URL,                // the token endpoint the assertion is sent to
            jti: crypto.randomUUID(),      // unique per assertion; Math.random() is not a safe source for this
            exp: now + 200,                // the spec allows at most 5 minutes ahead
        }
        // jsonwebtoken adds iat automatically; keyid sets the kid header.
        return jwt.sign(payload, privateKey, { algorithm: 'RS384', keyid: kid, header: { alg: 'RS384', kid, typ: 'JWT' } })
    }
Sample:
    method: POST
    url: 'https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token',
    data: 'grant_type=client_credentials&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJhbGciOiJSUzM4NCIsInR5cCI6IkpXVCIsImtpZCI6ImUxNjNjOGJmYzBjNDFiNTE0NTlmOTgyNDhiMmNhZjNlIn0.eyJpc3MiOiI2ZDMxYzNmNS0xZTEwLTQ2NDQtOWRjMi1mNGU1MWFhOWM0MDMiLCJzdWIiOiI2ZDMxYzNmNS0xZTEwLTQ2NDQtOWRjMi1mNGU1MWFhOWM0MDMiLCJhdWQiOiJodHRwczovL2F1dGhvcml6YXRpb24uY2VybmVyLmNvbS90ZW5hbnRzL2VjMjQ1OGYyLTFlMjQtNDFjOC1iNzFiLTBlNzAxYWY3NTgzZC9wcm90b2NvbHMvb2F1dGgyL3Byb2ZpbGVzL3NtYXJ0LXYxL3Rva2VuIiwianRpIjoiZjdpbGJnIiwiZXhwIjoxNzM4MDg3MDg1LCJpYXQiOjE3MzgwODY4ODV9.hKvWhchlw7Ze6-ZGQ2CGwCQbFBPVWWdJeZ2EygV5Pm6unJ9aXSyMZ-W-JCkbjeLuct4-wjpZajNkae5BCqnWWVrq7qD9eZL2iYG6sHjTZDbDiO-_RxDPSNoIV8Jb2ffj9nDrvvVoavbgVai8T_PtqiJWej8YJhvSYx_bAPpORWkkP5z0MmoL3n-qfa5S5Slst2aEoc2YMydESxeAVPyEopmf5fQejOym692bVqIGFZUMXNBKaVAJGMr4kLW2ol-7QLqFsfHYxotLgXk20Yom7Ry4wikoSL3IM4apdOem_fKaBdi5ZARrvSRxuCg5e1U-MmMEmSfRmYi8wGwN1-rhvA&scope=system%2F*.rs'
I also tried sending it with an Authorization header:
    Authorization: `Basic ${Buffer.from(`${CLIENT_ID}:${CLIENT_SECRET}`).toString('base64')}`
Expected Result:
A payload with an access_token to call the FHIR APIs, or a clearer error message.
Actual Result:
    data: {
        error: 'invalid_client',
        error_uri: 'https://authorization.cerner.com/errors/urn%3Acerner%3Aerror%3Aauthorization-server%3Aclient-assertion%3Ajwt-bearer%3Ainvalid-signature/instances/588304d3-b8e8-4019-b46c-7a6dfa036029?client=6d31c3f5-1e10-4644-9dc2-f4e51aa9c403&tenant=ec2458f2-1e24-41c8-b71b-0e701af7583d'
    }