Hi All,
I am attempting to obtain a refresh token from Epic's sandbox while launching a SMART on FHIR web application. I am following Epic’s documentation for obtaining refresh tokens, as well as this guide, but I keep receiving an “invalid_client” response from the token endpoint even after waiting several days for Epic to update the configuration.
The application is written in Angular; below are the two main functions for obtaining the token. Assume the values for the variables are correct, as this flow worked fine for getting the access_token without the refresh.
First we redirect the web application to the authorization endpoint to obtain our Auth code.
public redirectForAuthorizationCode() {
  var fhirLoginLink = `${authorizeEndpoint}?response_type=code&redirect_uri=${encodeURIComponent(location.origin)}&client_id=${this.clientId}&state=${this.state}&scope=online_access user/Binary.read user/DocumentReference.read user/Patient.read&aud=${encodeURIComponent(this.fhirEndpoint)}`;
  window.location.href = fhirLoginLink;
}
After that, we use the code to obtain a token. Included is the Authorization header with the base64 encoded clientId and secret.
async GetOauthTokenApi() {
  // HTTP Basic credentials: base64("clientId:secret"), each part URL-encoded first
  var base64EncodedSecret = btoa(encodeURIComponent(this.clientId) + ":" + encodeURIComponent(this.refreshTokenSecret));
  var headers = new HttpHeaders({'Content-Type':'application/x-www-form-urlencoded', "Accept": "*/*", "Authorization": "Basic " + base64EncodedSecret});
  // Form-encoded body for the authorization_code grant
  var queryString = `grant_type=authorization_code&code=${this.authorizationCode}&redirect_uri=${encodeURIComponent(location.origin)}`;
  await this.http.post(this.tokenEndpoint, queryString, {headers: headers}).toPromise().then(resp => {
    // do stuff
  });
}
Perhaps I am doing something wrong with encoding, or with the scope, or something else I am not seeing. Any advice?
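An added example, not part of the original post and not Epic's code: the token request described above built as RFC 6749 specifies it (sections 2.3.1 and 4.1.3), with a decoder that shows which client_id and secret a server recovers from a given Basic header. The function names, endpoint, client id, secret and code are constructed for illustration; it assumes a browser or Node 16+ for `btoa`/`atob`.

```javascript
// Added example: every name and sample value here is constructed.

// application/x-www-form-urlencoded encoding of one value (RFC 6749 Appendix B).
// encodeURIComponent leaves !'()* unescaped and writes a space as %20;
// the form encoding escapes those characters and writes a space as "+".
function formEncode(value) {
  return encodeURIComponent(value)
    .replace(/[!'()*]/g, c => '%' + c.charCodeAt(0).toString(16).toUpperCase())
    .replace(/%20/g, '+');
}

// RFC 6749 section 2.3.1: form-encode each credential, join with ":", base64.
function basicAuthHeader(clientId, clientSecret) {
  return 'Basic ' + btoa(formEncode(clientId) + ':' + formEncode(clientSecret));
}

// Inverse of basicAuthHeader: the credentials a server recovers from the header.
// Useful for checking a captured request when the endpoint answers invalid_client.
function decodeBasicAuthHeader(header) {
  const m = /^Basic ([A-Za-z0-9+/]+=*)$/.exec(header);
  if (!m) throw new Error('not a Basic authorization header');
  const decoded = atob(m[1]);
  const sep = decoded.indexOf(':');
  if (sep < 0) throw new Error('missing ":" separator');
  const unform = s => decodeURIComponent(s.replace(/\+/g, ' '));
  return {
    clientId: unform(decoded.slice(0, sep)),
    clientSecret: unform(decoded.slice(sep + 1)),
  };
}

// Authorization-code token request (RFC 6749 section 4.1.3). redirect_uri must be
// identical to the value sent in the authorization request.
function buildTokenRequest({ tokenEndpoint, clientId, clientSecret, code, redirectUri }) {
  const body = new URLSearchParams({
    grant_type: 'authorization_code',
    code: code,
    redirect_uri: redirectUri,
  });
  return {
    url: tokenEndpoint,
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      Authorization: basicAuthHeader(clientId, clientSecret),
    },
    body: body.toString(),
  };
}
```

Passing a header copied from the browser's network tab to `decodeBasicAuthHeader` shows whether the id and secret that reach the server are the ones registered for the client.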