invalid_client error in Authorisation


Shivani Yadav

Jan 14, 2021, 10:29:40 AM
to SMART on FHIR
Hi All,

I got the Authorisation Code after making a GET request at https://fhir.epic.com/interconnect-fhir-oauth/oauth2/authorize

with code, grant_type = "authorization_code", redirect_uri and non-production client id.
Here, I used
1) content-type: application/x-www-form-urlencoded in the header, and
2) payload values that are URL-encoded

After making a POST request, I got "400 bad request" in response, with this message:
{
"error": "invalid_client",
"error_description": null
}

I have also attached the Postman screenshots for reference:

Screenshot 2021-01-14 at 8.33.54 PM.png
Screenshot 2021-01-14 at 8.34.16 PM.png

Shivani Yadav

Jan 14, 2021, 10:37:03 AM
to SMART on FHIR
Postman screenshot:
Screenshot 2021-01-14 at 8.34.16 PM.png
Screenshot 2021-01-14 at 9.05.33 PM.png

Luis Sayago

Jan 14, 2021, 11:01:28 AM
to SMART on FHIR
If you checked the "Require Refresh Tokens" option in the sandbox, you will need to include the Authorization header with the client_id:secret in your request.

dvac...@xinonix.com

Jan 14, 2021, 11:41:15 AM
to SMART on FHIR
Also, I just want to point out something that is very frustrating with fhir.epic.com... the changes you make to your app registration do NOT take effect immediately... you need to wait some time (hours... perhaps a day) for the edits to become live.

So you should configure for refresh token (as detailed above), make sure to provide your clientid:secret (as Basic authorization header) when POST requesting the authorization token ...but be sure to give fhir.epic.com some time to update before re-testing.

Dave
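
The request shape described in the two replies above, as an added example that is not part of any poster's message: the client credentials travel only in a Basic Authorization header and client_id is left out of the form body. The function names, the redacted logging view and the sample values in use are assumptions made for illustration; nothing is sent over the network.

```python
import base64
from urllib.parse import quote_plus, urlencode
from urllib.request import Request

# Token endpoint as used elsewhere in this thread.
TOKEN_URL = "https://fhir.epic.com/interconnect-fhir-oauth/oauth2/token"


def basic_auth_value(client_id: str, client_secret: str) -> str:
    """Build the HTTP Basic value for a confidential client.

    RFC 6749 section 2.3.1 form-urlencodes both parts before joining them,
    so a ':' inside the secret cannot split the pair in the wrong place.
    Assumption: the server decodes the pair the same way.
    """
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")


def build_token_request(code: str, redirect_uri: str,
                        client_id: str, client_secret: str) -> Request:
    """Authorization-code exchange with the credentials in the header only."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }).encode("ascii")  # client_id is deliberately absent from the body
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_value(client_id, client_secret),
    }
    return Request(TOKEN_URL, data=body, headers=headers, method="POST")


def redacted(req: Request) -> dict:
    """Loggable view of the request that never exposes the secret."""
    return {
        "method": req.get_method(),
        "url": req.full_url,
        "body_fields": sorted(p.split("=")[0] for p in req.data.decode().split("&")),
        "has_basic_auth": (req.get_header("Authorization") or "").startswith("Basic "),
    }
```

Comparing the output of `redacted()` with what the HTTP client actually sends shows whether the header is present without pasting the secret into a screenshot or a post.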

Shivani Yadav

Jan 14, 2021, 11:44:08 AM
to SMART on FHIR
Thank you for the prompt reply,

I added the Authorisation in the header and removed the client_id from the payload, but I am still getting the same error response.

Thanks 

Screenshot 2021-01-14 at 10.01.27 PM.png
Screenshot 2021-01-14 at 10.01.18 PM.png

Vishal Singh

Jan 21, 2021, 1:49:37 AM
to SMART on FHIR
Hi, I am having the same problem, followed everything very carefully but still got no luck. Any help will be appreciated
I am getting "401 unauthorized"
{
"error": "invalid_client",
"error_description": null
}

Diep Pham

Mar 29, 2021, 12:39:50 PM
to SMART on FHIR
I got the same error when trying to obtain a token using the client credentials flow for a backend application. I already uploaded the public key and used the non-production client id following this documentation: https://fhir.epic.com/Documentation?docId=oauth2&section=BackendOAuth2Guide.

Does anyone have any idea how to debug this issue?

Diep Pham

Mar 29, 2021, 11:06:41 PM
to SMART on FHIR
My JWT payload is:

{
  "iss": "<non-production-client-id>",
  "sub": "<non-production-client-id>",
  "jti": "35126a04-1b15-4f58-8bdc-ea7fbfbdd3b4",
  "aud": "https://fhir.epic.com/interconnect-fhir-oauth/oauth2/token",
  "exp": 1617072878,
  "iat": 1617072818
}

Current time:

% date +%s                 
1617072822

I think the exp value matched the requirement already. Also, this is the curl command I used to request access token.

curl --silent -X POST "https://fhir.epic.com/interconnect-fhir-oauth/oauth2/token" \
    -H 'Content-Type: application/x-www-form-urlencoded; charset=utf-8' \
    --data-urlencode "grant_type=client_credentials" \
    --data-urlencode "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \
    --data-urlencode "client_assertion=<jwt>"

I think I’m missing something, but not sure what it is.

Thanks,

On Mar 29, 2021, at 11:53 PM, Hong Kha Dang Nguyen wrote:

Hi Diep Pham,
A lot of developers who use the Epic Sandbox OAuth2 and get this error have missed a very important note in the documentation,
that is "The exp value must be in the future, and can be no more than 5 minutes in the future at the time the access token request is received."
Please double check whether your exp value meets the requirement. I've just tested the OAuth2 API, it works perfectly!
Hope this helps.
Kha Dang

CONCERN Project

Mar 30, 2021, 5:53:38 PM
to SMART on FHIR
Hello,

Have you figured out how to resolve this? I have the same problem and am sure my expiration time is no more than 60 seconds in the future. Attached are the POST from postman and verification of the payload using jwt.io. Same as you - cannot figure out what is missing...

Screen Shot 2021-03-30 at 5.50.13 PM.png
Screen Shot 2021-03-30 at 5.45.36 PM.png

Diep Pham

Mar 30, 2021, 9:53:22 PM
to CONCERN Project, SMART on FHIR
Hi,

I still haven't figured out how to resolve the issue.
According to Hong Kha Dang Nguyen, the application might need some time to be approved, but I'm not very sure how to check the approval status of the application. I also sent a support email to EPIC, but have received no response yet.

--
You received this message because you are subscribed to a topic in the Google Groups "SMART on FHIR" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/smart-on-fhir/wknzhCURsRY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to smart-on-fhi...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/smart-on-fhir/9b8542c5-0944-4df0-8ef2-6b7033c750a4n%40googlegroups.com.

CONCERN Project

Mar 31, 2021, 10:25:19 AM
to SMART on FHIR

I fixed my issue - it did have to do with the exp time. The package I was using was adding 4 hours to the UTC (there's a difference between UTC and UTC-04), so I would suggest really checking this. Put the JWT into jwt.io and hover over the exp field and check that it makes sense (5 minutes in the future from now).
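
The exp check discussed in this thread can be run locally before the token request is sent. This is an added example, not part of any poster's message: it decodes the JWT payload (without verifying the signature), compares it with the claims shown in the payload posted earlier and with the quoted 5-minute rule, and flags an exp that is off by a whole number of hours, which is the time zone mistake described in the post above. The function names and the constructed, unsigned sample token are assumptions made for illustration.

```python
import base64
import json
import time

TOKEN_URL = "https://fhir.epic.com/interconnect-fhir-oauth/oauth2/token"  # aud in the thread
MAX_AHEAD = 300  # "no more than 5 minutes in the future", as quoted in the thread


def jwt_claims(token: str) -> dict:
    """Decode the payload segment only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def check_assertion(claims: dict, client_id: str, now=None) -> list:
    """Return the problems that would make the token request fail."""
    now = int(time.time()) if now is None else int(now)
    problems = []
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        problems.append("iss and sub must both be the client id")
    if claims.get("aud") != TOKEN_URL:
        problems.append("aud is not the token endpoint URL")
    if not claims.get("jti"):
        problems.append("jti is missing")
    exp = claims.get("exp")
    if not isinstance(exp, int):
        return problems + ["exp must be integer seconds since the epoch (UTC)"]
    delta = exp - now
    if 0 < delta <= MAX_AHEAD:
        return problems
    msg = f"exp is {delta:+d}s from now, allowed range is +1..+{MAX_AHEAD}s"
    hours = round(delta / 3600)
    # A whole-hour error usually means local wall-clock time was treated as UTC.
    if hours and abs(delta - hours * 3600) <= MAX_AHEAD:
        msg += f"; about {hours:+d}h off, check for local time used as UTC"
    return problems + [msg]


def sample_token(claims: dict) -> str:
    """Constructed, unsigned token used only to exercise the checker."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT'})}.{enc(claims)}.sig"
```

Pass `now` explicitly to replay an old request; leave it out to compare against the local clock, which itself has to be in sync for the result to mean anything.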

Nageswararao Vankayalapati

Jun 14, 2021, 1:18:43 AM
to SMART on FHIR
Hi all, does anyone have the solution for this problem? I'm stuck here.

dvac...@xinonix.com

Jun 14, 2021, 8:18:46 AM
to SMART on FHIR
Nageswararao, possibly this will help you:  https://groups.google.com/g/smart-on-fhir/c/ilBAAG2_GMQ/m/yGpkejTQAwAJ

Dave

Diep Pham

Jun 14, 2021, 10:45:35 AM
to Nageswararao Vankayalapati, SMART on FHIR
Wait for some time after creating the client and uploading the public key; I think 1 day is enough. If it still doesn't work, try to remove/re-upload the public key.
