I'm writing a single-page-app in JavaScript that will be accessing BlueButton via the PKCE auth flow (since I cannot securely store a client_secret).
My authorize step is working; however, when I attempt to swap the code for a token, I'm getting an `invalid_client` error.
The BlueButton documentation states that PKCE is supported; however, it doesn't seem to work for me. This code is "known" to be working, as I've used it to successfully authenticate to other healthcare providers.
Here are my requests against the authorize and token endpoints, formatted with newlines for readability:
Authorize Request:
```
https://sandbox.bluebutton.cms.gov/v2/o/authorize/?
client_id=XQPwCYLXmqZkiQZWhLX56mToZ29MSfekrPEkNUaF&
code_challenge=n0PLtewJtE7u5vP9InZNdF4DIMlQjCLN7I9y_DzLJhg&
code_challenge_method=S256&
redirect_uri=https%3A%2F%2Flighthouse.fastenhealth.com%2Fsandbox%2Fcallback%2Fbluebutton&
response_type=code&
state=88a9127c-ffce-49da-a139-43840410abf9&
scope=profile+patient%2FPatient.read+patient%2FExplanationOfBenefit.read+patient%2FCoverage.read&
aud=https%3A%2F%2Fsandbox.bluebutton.cms.gov%2Fv2%2Ffhir
```
Callback URL:
```
https://lighthouse.fastenhealth.com/sandbox/callback/bluebutton?code=rMpvrVEPEFyWEghfs2gcL5lzPpLzS2&state=88a9127c-ffce-49da-a139-43840410abf9
```
Token Request:
```
curl 'https://sandbox.bluebutton.cms.gov/v2/o/token/' \
  -X POST \
  -H 'Accept: application/json' \
  -H 'Accept-Language: en-US,en;q=0.5' \
  -H 'Accept-Encoding: gzip, deflate, br' \
  -H 'Referer: http://localhost:9090/' \
  -H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
  --data-raw 'redirect_uri=https%3A%2F%2Flighthouse.fastenhealth.com%2Fsandbox%2Fcallback%2Fbluebutton&code_verifier=S2MDjql-ItUeE9hH1wmyVqe-Che-4ErA9BCn8ynWD5s&code=rMpvrVEPEFyWEghfs2gcL5lzPpLzS2&grant_type=authorization_code&client_id=XQPwCYLXmqZkiQZWhLX56mToZ29MSfekrPEkNUaF'
```

```
{"error": "invalid_client"}
```

Any help would be appreciated.
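
An added example, not part of the original post: a Node.js check that the `code_verifier`, `client_id` and `redirect_uri` sent to the token endpoint agree with what was sent to the authorize endpoint, following RFC 7636. The function names `s256Challenge` and `checkPkceExchange` are chosen here, and the sample URL and body are constructed from the RFC 7636 Appendix B test vector with placeholder client ID, code and hosts.

```javascript
const { createHash } = require('node:crypto');

// RFC 7636 section 4.2: challenge = BASE64URL(SHA256(ASCII(verifier))), unpadded.
function s256Challenge(verifier) {
  return createHash('sha256').update(verifier, 'ascii').digest('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// RFC 7636 section 4.1: 43 to 128 characters from the unreserved set.
const VERIFIER_RE = /^[A-Za-z0-9\-._~]{43,128}$/;

// authorizeUrl: the full authorize URL; tokenBody: the urlencoded token request body.
// Returns a list of problems; an empty list means the two requests are consistent.
function checkPkceExchange(authorizeUrl, tokenBody) {
  const auth = new URL(authorizeUrl).searchParams;
  const tok = new URLSearchParams(tokenBody);
  const problems = [];
  const verifier = tok.get('code_verifier') || '';

  if (!VERIFIER_RE.test(verifier)) problems.push('code_verifier is missing or malformed');
  const method = auth.get('code_challenge_method') || 'plain';
  const expected = method === 'S256' ? s256Challenge(verifier) : verifier;
  if (expected !== auth.get('code_challenge')) {
    problems.push('code_challenge does not match code_verifier');
  }
  // Both values must be identical in the two requests (compared after URL decoding).
  for (const name of ['client_id', 'redirect_uri']) {
    if (auth.get(name) !== tok.get(name)) problems.push(`${name} differs between requests`);
  }
  if (tok.get('grant_type') !== 'authorization_code') problems.push('unexpected grant_type');
  if (!tok.get('code')) problems.push('authorization code is missing');
  return problems;
}

// Constructed sample input (RFC 7636 Appendix B verifier/challenge, placeholder IDs).
const SAMPLE_AUTHORIZE_URL = 'https://auth.example.com/o/authorize/?client_id=PLACEHOLDER_CLIENT_ID'
  + '&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256'
  + '&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&response_type=code';
const SAMPLE_TOKEN_BODY = 'redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback'
  + '&code_verifier=dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk&code=PLACEHOLDER_CODE'
  + '&grant_type=authorization_code&client_id=PLACEHOLDER_CLIENT_ID';

console.log(checkPkceExchange(SAMPLE_AUTHORIZE_URL, SAMPLE_TOKEN_BODY));
```

An empty result rules out a mismatch in the PKCE parameters, `client_id` or `redirect_uri` between the two requests; it says nothing about how the server has the client registered.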