Sandbox token endpoint error: "Client Assertion could not be parsed"


aa...@astartemedical.com

Nov 23, 2022, 7:11:42 PM
to Oracle Cerner FHIR Developers
I'm POSTing to the sandbox token endpoint to get an access token for authorization on behalf of a system:


In the request body, I've provided the following parameters:
  • grant_type: client_credentials
  • client_assertion_type: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
  • client_assertion: RS384-encoded JWT with the following parameters provided:
    • jti
    • sub (value is my client ID)
    • nbf
    • exp
    • iat
    • iss (value is my client ID)
    • aud (value is the token endpoint above)
The JWT is signed using my private signing key, for which I've uploaded the public signing key to the system account as a JWKS. However, I'm getting a URL to an error with the following message as a response:

Client Assertion could not be parsed.

Error Code:
urn:cerner:error:authorization-server:client-assertion:jwt-bearer:invalid-assertion

aa...@astartemedical.com

Nov 28, 2022, 1:07:52 PM
to Oracle Cerner FHIR Developers
Correlation ID: 9d1ff1a3-22e0-4753-8135-43386957fa2c

Vandhana Gopinath

Dec 6, 2022, 4:54:32 AM
to Oracle Cerner FHIR Developers
I am having the same problem, following...
Correlation ID: 146e5c05-0f6e-480e-bfcf-f50f4efa09a3

aa...@astartemedical.com

Dec 6, 2022, 4:41:52 PM
to Oracle Cerner FHIR Developers
Is there a certain algorithm or set of algorithms that are supported? I'm using the following process to generate my JWKS:
  1. Create keypair
    openssl genrsa -out private_key.pem 2048

  2. Create public key
    openssl req -new -x509 -key private_key.pem -out public_key.pem -subj '/CN=App Name'

  3. Get public key in X.509 format
    openssl x509 -in public_key.pem -pubkey -noout

  4. Create signing JWK using tool at https://russelldavies.github.io/jwk-creator using both RS256 and RS384

  5. Create JWKS JSON and upload to system account
Then, I'm using .NET libraries to generate a JWT (tried both RS256 and RS384) using the parameters specified above. In both instances, I get the error "Client Assertion could not be parsed."
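The assertion described in this thread (a client_credentials grant with a jwt-bearer client_assertion whose iss and sub are the client ID and whose aud is the token endpoint) can be checked for layout and claim problems before it is signed and sent, which is the first thing to rule out when the server answers "could not be parsed". The block below is an added example, not code from the thread or from Oracle Cerner; it uses only the Python standard library and checks the JWT structure and claims, not the RS384 signature. The client ID, token endpoint URL and the five-minute lifetime limit (taken from the SMART Backend Services profile) are assumptions.

```python
import base64
import json

# Assumptions (not from the thread): the server accepts RS256/RS384, and exp may be
# at most 5 minutes in the future, as SMART Backend Services requires.
ALLOWED_ALGS = ("RS384", "RS256")
MAX_LIFETIME = 300
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "jti")

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def unsigned_assertion(header: dict, claims: dict) -> str:
    """Constructed test input with a dummy signature segment; never send this anywhere."""
    parts = [json.dumps(o, separators=(",", ":")).encode() for o in (header, claims)]
    return ".".join(b64url(p) for p in parts + [b"not-a-real-signature"])

def lint_client_assertion(token: str, client_id: str, token_endpoint: str, now: int) -> list:
    """Return structural problems in a jwt-bearer client assertion (empty list
    means it looks well-formed). The RSA signature itself is not verified here."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        return [f"expected 3 dot-separated segments, got {len(parts)}"]
    try:
        header, claims = (json.loads(b64url_decode(p)) for p in parts[:2])
        b64url_decode(parts[2])
    except ValueError as exc:  # bad base64url, bad UTF-8 and bad JSON all land here
        return [f"segment is not valid base64url/JSON: {exc}"]
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return ["header and payload must both be JSON objects"]
    problems = []
    if header.get("alg") not in ALLOWED_ALGS:
        problems.append(f"alg {header.get('alg')!r} not in {ALLOWED_ALGS}")
    problems += [f"missing claim {c}" for c in REQUIRED_CLAIMS if c not in claims]
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        problems.append("iss and sub must both equal the client ID")
    aud = claims.get("aud")
    if aud != token_endpoint and not (isinstance(aud, list) and token_endpoint in aud):
        problems.append("aud must be the token endpoint URL")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("exp is missing, not an integer, or already in the past")
    elif exp - now > MAX_LIFETIME:
        problems.append(f"exp is more than {MAX_LIFETIME}s in the future")
    if isinstance(claims.get("nbf"), int) and claims["nbf"] > now:
        problems.append("nbf is in the future")
    return problems
```

Run lint_client_assertion on the real signed token (a string) with the client ID and token endpoint you actually use; an empty list means the remaining suspect is the signature or the uploaded JWKS, which jwt.io can confirm.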

Guillaume Milan

Mar 15, 2023, 4:16:50 AM
to Oracle Cerner FHIR Developers
I am having exactly the same problem when trying to issue a client_credential assertion with the correlation ID: 2754f0f5-372e-4c04-a2ad-7ba5f5ebb8c4

Did you find any solution that can be linked to this conversation since then?

aa...@astartemedical.com

Mar 15, 2023, 9:02:07 AM
to Oracle Cerner FHIR Developers
I have not found any solution, but I haven't tried lately.

Richard Braman

Mar 15, 2023, 9:46:00 AM
to cerner-fhir...@googlegroups.com
I would recommend putting your generated JWTs into a tool like JWT.io and making sure the JWT is parsable, the format is correct, and the signature can be validated with your public PEM.


Guillaume Milan

Mar 15, 2023, 10:50:32 AM
to Oracle Cerner FHIR Developers
Yes, I tested the JWT token against jwt.io with the JWK set provided to Cerner, and it was working.

Here is an example of an outdated token I used yesterday:

eyJhbGciOiJSUzM4NCIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJodHRwczovL2F1dGhvcml6YXRpb24uY2VybmVyLmNvbS90ZW5hbnRzLzJmOGY1ZWMxLWI3YjgtNGJlNS1hZTI3LWUzMDgyODRkZDljMS9ob3N0cy9maGlyLW15cmVjb3JkLXNjLmNlcm5lci5jb20vcHJvdG9jb2xzL29hdXRoMi9wcm9maWxlcy9zbWFydC12MS90b2tlbiIsImV4cCI6MTY3ODgwNTA3MCwiaWF0IjoxNjc4ODA0NzcxLCJpc3MiOiIyMzY0ZmMyNy02NDIzLTRiOGMtYWRhNC03YTRmYjEzZmU1NmMiLCJqdGkiOiIxNTFmOTg4OC02NTFjLTQ3ODEtOWYyNC03YTVlYzM0MzFjZjkiLCJuYmYiOjE2Nzg4MDQ3NzEsInN1YiI6IjIzNjRmYzI3LTY0MjMtNGI4Yy1hZGE0LTdhNGZiMTNmZTU2YyJ9.xiVCn_3HmFl9RwM7fh4ju5TEtMVV2sjrXtv0y8zgaD2M_A46vHiT4ugTex0Nowz4SUofWBuJIQRKe0gqJOaBzzVPxIu3MBliq2ELeZ13qpTJ07iPVy9sxXlMSH-WT9nSL7QPO6zKLo_eaf_wz6-uyHUgaZwrZ6OJmXP3G6eSnC1FwcFq_aSI3Ciq7PqOm9auRqfsb6nh9SQDQk1gcPRykJKlxE5CzRjFTL6F2Ypi_Ywmmjxmk0hkNBnyvmnXUuf1EtQUlnE15JmLl9z56D4084-050WSmRxonsgKtVDRIIpZhajUQeYhki1vv0UVrceKKtwTgMDMwc_RUhHcSyQUsw

and the JWK set I am using:

{"keys":[{"alg":"RS384","e":"AQAB","kty":"RSA","n":"3IE0-coLR7lf-KnYzluxxTTjl_1uPskAk_zxaYLHVOeduKCTMEOcB7vi8l35riCWxE2to1cojqUg1MBO2R7cId7_kaHN7te9H0dfgnwqTDlO5UcS_zNaKtOnudwZozC0Pk7oGeOmKeJv_YWm__vogcIDAp_7-p20gtAjhnUwKKu_8oBarbeU7tTz6IjqlanqqM5rKDjAwLSiz8eGfnJDYeBGQ_M7_eDkozRWQHlB7QowSGYMeBP_fxP6uTeNV2d6dF70BP-dLaO1lSJuytbg9QTFT5sD8I51C-dYRuarAzw-b8_RspEOoOQIVzCHxj7z9_8TWOot77HpnyvNMMtgFQ"}]}
