R4 Secure Sandbox Token invalid authorization header

Alex Creech

Feb 22, 2023, 6:57:34 PM
to Oracle Cerner FHIR Developers
I have a Provider-based confidential app using the SMART workflow. I have a system account set up with a secret and a JWKS URL.

When I get to the point where I call the token endpoint, I've got it working using the secret by creating a Basic authorization header (client_id:client_secret base64 encoded) with the following parameters:

grant_type : authorization_code
redirect_url : [my url]
code : [code from auth call]
state : [my state]

Now, when I try to use the JWKS URL instead of the secret, I can't get it to work. From what I can tell from the documentation I do the exact same as above but set the authorization header to Bearer and create a JWT token based on a key in the JWKS URL and some other information for sub, issuer, aud, etc...

When I try it I get an error saying the authorization header is invalid.


correlation id: f7007d3d-8049-4264-b5a6-0e591e8c554c

Aaron McGinn (Oracle Cerner)

Feb 23, 2023, 8:28:46 PM
to Oracle Cerner FHIR Developers
Does your header value include "Basic " before the base64 encoded client ID/secret?

-Aaron (Oracle Cerner)

Alex Creech

Feb 24, 2023, 8:04:03 AM
to Oracle Cerner FHIR Developers
When I do auth using clientid\secret, yes. And that works fine. What doesn't work is when trying to use the jwks url. I've tried "Bearer [jwttoken]" and also adding client_assertion_type and client_assertion as parameters to the post call.
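
Added example, not part of the thread and not Oracle Cerner's code: a small linter for how a token request authenticates the client, following RFC 7523 and the SMART asymmetric client authentication profile, where the signed JWT travels in the `client_assertion` form parameter rather than in an Authorization header. The client id, token URL and JWT are constructed placeholders, and whether the sandbox accepts this method for a given app is an assumption the thread does not settle.

```python
import base64, json, time

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def b64url_json(obj):
    """Base64url-encode a JSON object the way a JWT segment is encoded."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def jwt_claims(token):
    """Decode the claims segment WITHOUT verifying the signature (lint only)."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def lint_token_request(headers, form, client_id, token_url, now=None):
    """Return a list of problems with how the request authenticates the client."""
    now = time.time() if now is None else now
    problems = []
    scheme = headers.get("Authorization", "").split(" ", 1)[0].lower()
    assertion = form.get("client_assertion")
    if scheme == "bearer":
        problems.append("Bearer header is for access tokens, not client authentication")
    if scheme == "basic" and assertion:
        problems.append("two client authentication methods in one request")
    if scheme != "basic" and not assertion:
        problems.append("no client authentication present")
    if assertion:
        if form.get("client_assertion_type") != JWT_BEARER:
            problems.append("client_assertion_type must be " + JWT_BEARER)
        try:
            c = jwt_claims(assertion)
        except (IndexError, ValueError):
            return problems + ["client_assertion is not a well-formed JWT"]
        if c.get("iss") != client_id or c.get("sub") != client_id:
            problems.append("iss and sub must both equal the client_id")
        aud = c.get("aud")
        if token_url not in (aud if isinstance(aud, list) else [aud]):
            problems.append("aud must be the token endpoint URL")
        if not c.get("jti"):
            problems.append("jti missing")
        exp = c.get("exp")
        if not isinstance(exp, (int, float)) or not now < exp <= now + 300:
            problems.append("exp must be in the future and at most 5 minutes out")
    return problems

# Constructed sample: placeholder client id, URL and signature, not real values.
CLIENT, URL, NOW = "example-client-id", "https://auth.example.test/token", 1_700_000_000
CLAIMS = {"iss": CLIENT, "sub": CLIENT, "aud": URL, "jti": "constructed-1", "exp": NOW + 240}
SAMPLE_JWT = ".".join([b64url_json({"alg": "RS384"}), b64url_json(CLAIMS), "sig-placeholder"])
```

The linter only inspects the request shape and claims; the authorization server still verifies the signature against the key published at the registered JWKS URL.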