Unsupported grant type


Oleksiy Kononenko

May 17, 2018, 8:29:04 AM
to Cerner FHIR Developers

  • Issue Summary: Getting the following error even though I sent grant_type=client_credentials (authenticating on behalf of a system) in the grant type URL param
    Error Code
    urn:cerner:error:authorization-server:oauth2:token:unsupported-grant-type
  • X-Request-Id or CorrelationId: 
    Correlation ID
    66db61b5-65f5-46bf-923d-82d4ab2c9e63
Can someone please look into what you guys are getting on your side? Exact same values are working correctly from Postman but not in our application.

Hank DeDona

May 17, 2018, 11:48:28 AM
to Cerner FHIR Developers
We're seeing unsupported grant type as well on our side, can you post a web trace of what you're posting to the token endpoint?

Oleksiy Kononenko

May 17, 2018, 12:08:15 PM
to Cerner FHIR Developers
I am calling this endpoint from CCL with the following:
url: https://authorization.sandboxcerner.com/tenants/<TENNANT_ID_GOES_HERE>/protocols/oauth2/profiles/smart-v1/token?grant_type=client_credentials&scope=system%2FObservation.read
Method: 'POST'
Headers: 
'Authorization: Basic <System auth token goes here>.'
'Content-Type: application/x-www-form-urlencoded'

Hank DeDona

May 17, 2018, 12:09:15 PM
to Cerner FHIR Developers
What is the POST body? It looks like you're passing in the grant type and scope as query params...

Oleksiy Kononenko

May 17, 2018, 1:06:32 PM
to Cerner FHIR Developers
I am sending an empty body just like from Postman (where it seems to work - I can get the access token using Postman with the above values)

Oleksiy Kononenko

May 17, 2018, 1:33:50 PM
to Cerner FHIR Developers
So I populated the URL-encoded body and removed the query params, but now I am getting an empty-scopes error, although I am passing scopes in the body (also tried as URL query):
Correlation ID
a55fa258-14f0-4e8f-888b-16152b7719c5

The resulting token contains no scopes, either due to unsatisfied constraints specified in the token request, or because the client is no longer authorized for the scopes associated with the refresh token.

Error Code
urn:cerner:error:authorization-server:oauth2:token:empty-scopes
Calling service with this:
url: https://authorization.sandboxcerner.com/tenants/<TENNANT ID GOES HERE>/protocols/oauth2/profiles/smart-v1/token
method: POST
body: grant_type=client_credentials&scope=system%252FObservation.read
headers: 

Hank DeDona

May 17, 2018, 1:41:40 PM
to Cerner FHIR Developers
We're making progress! What that error means is that your client is not authorized for any of the scopes you requested. Kol & company can check your client to make sure you're authorized for the scopes you need.

Oleksiy Kononenko

May 17, 2018, 1:51:56 PM
to Cerner FHIR Developers
This is weird because that client ID is authorized for every scope that is available, and this is all working from Postman; I am able to get an access token. Can you please confirm that you are getting `scope` on your side?

Oleksiy Kononenko

May 17, 2018, 1:56:49 PM
to Cerner FHIR Developers
I should say that this works using curl where scope and grant type are passed in thru query parameters:
curl -X POST \
  'https://authorization.sandboxcerner.com/tenants/<tennant_id>/protocols/oauth2/profiles/smart-v1/token?grant_type=client_credentials&scope=system%2FObservation.read' \
  -H 'Authorization: Basic <token>' \
  -H 'Content-Type: application/x-www-form-urlencoded'

But this does not work - passing grant_type and scope thru url encoded body:
curl -X POST \
  https://authorization.sandboxcerner.com/tenants/<tennant_id>/protocols/oauth2/profiles/smart-v1/token \
  -H 'Authorization: Basic <token>' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d 'grant_type=client_credentials&scope=system%252FObservation.read'

Hank DeDona

May 17, 2018, 2:07:30 PM
to Cerner FHIR Developers
The second one is double encoded for the scope "system%252FObservation.read"

Oleksiy Kononenko

May 17, 2018, 2:28:01 PM
to Cerner FHIR Developers
Ok, I got this! 

My problem was that scope value `system/Observation.read` was url encoded 2 times! 

Thanks for your help.

Oleksiy Kononenko

May 17, 2018, 2:28:44 PM
to Cerner FHIR Developers
Yeah! thanks for your help
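
The fix reached in this thread, as an added example that is not part of the original posts and not Cerner's code: build the client_credentials form body from the raw scope so it is percent-encoded exactly once, and show what a standard form decoder recovers from the double-encoded body. The function names, the `<tenant_id>` placeholder and the sample credential are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Placeholder URL in the shape quoted in the thread; <tenant_id> is not a real tenant.
TOKEN_URL = ("https://authorization.sandboxcerner.com/tenants/<tenant_id>"
             "/protocols/oauth2/profiles/smart-v1/token")

_PERCENT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def is_percent_encoded(value):
    """Heuristic: the value already contains an escape such as %2F."""
    return bool(_PERCENT_ESCAPE.search(value))


def build_token_request(basic_credential, scopes):
    """Return (url, headers, body) for a client_credentials token request.

    basic_credential is the opaque value sent after "Basic " in the thread.
    Scopes must be raw strings such as "system/Observation.read"; urlencode
    applies the one and only round of percent-encoding.
    """
    for scope in scopes:
        if is_percent_encoded(scope):
            raise ValueError(
                f"scope {scope!r} is already percent-encoded; pass the raw value")
    body = urlencode({"grant_type": "client_credentials",
                      "scope": " ".join(scopes)})
    headers = {"Authorization": f"Basic {basic_credential}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, headers, body


def scopes_after_form_decoding(body):
    """Decode a form body once and return the scope values a receiver would see."""
    return dict(parse_qsl(body)).get("scope", "").split()


if __name__ == "__main__":
    # Constructed sample credential, not a real secret.
    _, _, good = build_token_request("c2FtcGxlOnNhbXBsZQ==", ["system/Observation.read"])
    bad = "grant_type=client_credentials&scope=system%252FObservation.read"
    print(good, scopes_after_form_decoding(good))
    print(bad, scopes_after_form_decoding(bad))
```

Decoded once, the double-encoded body yields the scope string `system%2FObservation.read`, which is not the scope name `system/Observation.read`.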