I have created a System account in the Code Console. Using the client_id and secret of that account, I am able to use the sandbox authorisation server and a client_credentials grant_type to obtain an access token.
I am now trying to use the JWT client authentication, as described in the Authorisation documentation, to obtain an Access Token, but am failing every time, with a 401 Unauthorized with the following body:
{
"error": "invalid_client",
"error_uri": "https://authorization.cerner.com/errors/urn%3Acerner%3Aerror%3Aauthorization-server%3Aoauth2%3Atoken%3Ainvalid-authorization-header/instances/826bf054-f12e-48d9-9e74-1b8db5ffaa44?client=unknown&tenant=ec2458f2-1e24-41c8-b71b-0e701af7583d"
}
I have uploaded to the System account a JWK Set which includes a public key with the same “kid” as that in the JOSE Header of the JWT, and which matches the private key used to sign the JWT.
One of several access requests I have attempted is:
POST /tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token HTTP/1.1
Host: authorization.cerner.com
Accept: application/json
Content-Type: application/x-www-form-urlencoded
Authorization: Bearer <removed>
Content-Length: 59
grant_type=client_credentials&scope=system%2FEncounter.read
The associated Correlation ID reported in the header of the error response is: 826bf054-f12e-48d9-9e74-1b8db5ffaa44.
The above example is using an EC key-pair and the ES384 algorithm to sign the JWT. I have also tried an RSA key-pair and the RS384 algorithm, with the same result.
What am I doing wrong?
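For comparison, the following is an added, self-contained example (not code from the original post, and not Cerner's own implementation) of the JWT client authentication exchange as specified by SMART Backend Services / RFC 7523, which the smart-v1 token endpoint above is assumed to implement. In that profile the signed JWT is sent in the `client_assertion` form parameter together with `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer`, rather than in an Authorization header, and it carries iss and sub equal to the client_id, aud equal to the token endpoint URL, a short exp and a unique jti. The token endpoint URL is the one from the post; the client_id and kid values are constructed for the example. The code generates a P-384 key, publishes the matching JWK (same kid as the JOSE header), signs the assertion with ES384, checks it the way the server would against the uploaded JWK Set, and builds the form body. RS384 uses the same structure with an RSA key and RSASSA-PKCS1-v1_5/SHA-384 in place of the ECDSA step; it is not shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Token endpoint from the post; SMART Backend Services also uses it as the JWT "aud".
const tokenURL = "https://authorization.cerner.com/tenants/ec2458f2-1e24-41c8-b71b-0e701af7583d/protocols/oauth2/profiles/smart-v1/token"

var b64 = base64.RawURLEncoding.EncodeToString // JOSE base64url, unpadded
var unb64 = base64.RawURLEncoding.DecodeString

// pad48 renders a P-384 coordinate or signature half as a fixed 48-byte big-endian value.
func pad48(n *big.Int) []byte { return n.FillBytes(make([]byte, 48)) }

// publicJWK is the entry to upload in the JWK Set; its "kid" must equal the JOSE header kid.
func publicJWK(pub *ecdsa.PublicKey, kid string) map[string]string {
	return map[string]string{"kty": "EC", "crv": "P-384", "alg": "ES384", "kid": kid, "x": b64(pad48(pub.X)), "y": b64(pad48(pub.Y))}
}

// clientAssertion builds the JWT carried in the client_assertion form parameter: iss and sub
// are the client_id, aud is the token endpoint, exp is under five minutes out, jti is unique.
func clientAssertion(priv *ecdsa.PrivateKey, kid, clientID string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES384", "typ": "JWT", "kid": kid})
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil { return "", err }
	claims, _ := json.Marshal(map[string]interface{}{"iss": clientID, "sub": clientID,
		"aud": tokenURL, "exp": now.Add(4 * time.Minute).Unix(), "jti": b64(jti)})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha512.Sum384([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil { return "", err }
	// ES384 signatures are the raw R||S concatenation (96 bytes), not ASN.1 DER.
	return signingInput + "." + b64(append(pad48(r), pad48(s)...)), nil
}

// verifyAssertion mirrors the server side: select the key by kid from the uploaded
// JWK Set, then check alg, signature, aud, iss/sub and exp.
func verifyAssertion(token string, keys []map[string]string, clientID string, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWT")
	}
	var hdr struct{ Alg, Kid string }
	var c struct{ Iss, Sub, Aud string; Exp int64 }
	hdrJSON, err1 := unb64(parts[0])
	claimsJSON, err2 := unb64(parts[1])
	sig, err3 := unb64(parts[2])
	if err1 != nil || err2 != nil || err3 != nil || len(sig) != 96 ||
		json.Unmarshal(hdrJSON, &hdr) != nil || json.Unmarshal(claimsJSON, &c) != nil || hdr.Alg != "ES384" {
		return errors.New("bad JWT encoding or unexpected alg")
	}
	var key map[string]string
	for _, k := range keys {
		if k["kid"] == hdr.Kid && k["kty"] == "EC" && k["crv"] == "P-384" {
			key = k
		}
	}
	if key == nil {
		return errors.New("no P-384 key with matching kid in JWK Set")
	}
	xb, _ := unb64(key["x"]) // a malformed coordinate yields a point off the curve and fails Verify
	yb, _ := unb64(key["y"])
	pub := &ecdsa.PublicKey{Curve: elliptic.P384(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha512.Sum384([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:48]), new(big.Int).SetBytes(sig[48:])) {
		return errors.New("signature does not verify")
	}
	if c.Aud != tokenURL || c.Iss != clientID || c.Sub != clientID || c.Exp <= now.Unix() {
		return errors.New("claims rejected: aud/iss/sub mismatch or expired")
	}
	return nil
}

// tokenRequestBody is the x-www-form-urlencoded body of the token request; the JWT
// travels as client_assertion and no Authorization header is sent.
func tokenRequestBody(assertion, scope string) string {
	v := url.Values{"grant_type": {"client_credentials"}, "scope": {scope},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion}}
	return v.Encode()
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	kid, clientID := "sandbox-es384-key", "example-system-account" // constructed values
	set := []map[string]string{publicJWK(&priv.PublicKey, kid)}
	tok, _ := clientAssertion(priv, kid, clientID, time.Now())
	fmt.Println("server-side check:", verifyAssertion(tok, set, clientID, time.Now()))
	fmt.Println(tokenRequestBody(tok, "system/Encounter.read"))
}
```

Running it prints a nil server-side check followed by a form body whose only credential is the client_assertion parameter; the resulting POST needs just the Content-Type: application/x-www-form-urlencoded header. The verifier rejects a kid that is absent from the set, a tampered signature, a mismatched iss/sub and an expired exp, which are the same conditions a conforming authorization server applies before issuing the access token.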