https://securefhir.zimt.work Seems to be partially working.


Joseph Shook
1 March 2023, 16:06:59
to UDAP
Hello Dan, 

Not sure what is up.  I have been testing Authorization Code flow and getting 500 errors during authorization code requests.  I figure I am doing something wrong because I have not yet been successful against your server for this flow.  

Then I tried Client Credentials flow and it is also returning 500 errors during access token requests.  I believe I had succeeded on that flow yesterday. 

Let me know what you find:

Here are two ClientIds successfully registered.  

Client Credentials   0oa75hcqowK5kULcX1d7
Authorization Flow  0oa75hm2rttutJBYg1d7

Thanks

Joe




Dan Cinnamon
2 March 2023, 15:00:35
to UDAP
Ok thanks Joe- let me investigate and I'll get back to you!

Dan Cinnamon
2 March 2023, 15:14:48
to UDAP
Looks like I let a certificate expire *face-palm*.  Should be good to go now!

Joseph Shook
3 March 2023, 04:17:48
to UDAP
OK, I am failing for both client_credentials and authorization_code.

client_credentials clientID = 0oa78p41gogelcDnf1d7
result:
{ "errorCode": "invalid_client", "errorSummary": "Invalid value for \u0027client_id\u0027 parameter.", "errorLink": "invalid_client", "errorId": "oaepRja9ToUR-mOFOsBRIIRXA", "errorCauses": [] }


authorization_code clientId  0oa78qcokxWMKrzjL1d7
registered scopes:  openid system/Patient.r user/Patient.r
requested scope user/Patient.r
result:
HTTP/1.1 302 Found
?state=ztvQ36A-5JyNCohebMP41EmfTTOt_7PUpwRHp6DtCIs& error=invalid_scope& error_description=One+or+more+scopes+are+not+configured+for+the+authorization+server+resource.

Brett Stringham
4 March 2023, 14:39:32
to UDAP
Hi @Dan - 

I also get the same error as Joe using the client_credentials grant. Registration was successful, but JWT-based Authentication fails (client_id=0oa79femb3aKRcVT51d7) with the following error:

{
   "errorCode":"invalid_client",
   "errorSummary":"Invalid value for 'client_id' parameter.",
   "errorLink":"invalid_client",
   "errorId":"oaeIQRyhSlpQLSnxWKf6ziGbA",
   "errorCauses":[
     
   ]
}


Client registration succeeded:

  • client_id: 0oa79femb3aKRcVT51d7
  • client_name: FHIR UDAP Client (Springboot)
  • <201 CREATED Created,RegistrationResponse(clientId=0oa79femb3aKRcVT51d7, softwareStatement=[JWT omitted], clientName=FHIR UDAP Client (Springboot), redirectUris=null, grantTypes=[client_credentials], responseTypes=null, tokenEndpointAuthMethod=private_key_jwt)>

JWT-based Authentication - signed JWT used @ https://udap.zimt.work/oauth2/aus5wvee13EWm169M1d7/v1/token

  • [signed authentication JWT omitted]


Dan Cinnamon
6 March 2023, 09:13:44
to UDAP
I took a quick look at both of your errors, and they are caused by the exact same issue.

In the latest version of the UDAP specification, we updated it such that, in your authentication JWT, sub == iss == client_id.  Right now it looks like both of you have your certificate SAN in the iss field instead (which is indeed what UDAP had before the change).

The reasoning for updating the UDAP spec was to play nice, and layer with other specifications, like OIDC and SMART launch framework, both of which have sub == iss == client_id.

 -Dan

Brett Stringham
6 March 2023, 23:36:26
to UDAP
Thanks for the insights Dan. Your noted adjustment has been made -- almost to the finish line.

Next error is: {"error":"invalid_client","error_description":"The client_assertion JWT kid is invalid."}

Below, I include the software statement from the successful registration request where the client_id (0oa79ufg1zBySHnyX1d7) was issued.  I'm also including the AuthN token submitted to the token endpoint below as well. The kid (used a uuid --> f4bea258-ca1b-415b-a297-f809be5a7294) is the same for the software statement and in the authN token.

RegistrationResponse(clientId=0oa79ufg1zBySHnyX1d7, softwareStatement=[JWT omitted], clientName=FHIR UDAP Client Test (Springboot), redirectUris=null, grantTypes=[client_credentials], responseTypes=null, tokenEndpointAuthMethod=private_key_jwt)

AuthN Token: [signed JWT omitted]



Dan Cinnamon
7 March 2023, 11:08:32
to UDAP
Ohhhh... nice catch.  It looks like my registration is not properly passing your kid to my authz server as I register the OAuth2 client- so therefore what's happening is that my authz server is generating its own kid, which of course will not match yours.  

For the immediate test case, would it be possible to simply remove the kid parameter from your /token JWT? I do think it's important to resolve this so I can support multiple public keys for a given client (for key rotation for example)- it'll just take me a day or 2 to get the update in.

Thanks!!

Brett Stringham
7 March 2023, 12:03:58
to UDAP
(q) would it be possible to simply remove the kid parameter from your /token JWT?
(a) absolutely -- lmk once I can put back and I'll retest.

I'll make the code change tonight to prune the kid for the time being.

Thanks for the quick confirmation!

Brett Stringham
8 March 2023, 09:10:30
to UDAP
Good morning @Dan -

I registered a new client (0oa7a8zo7qkjyhXXn1d7) that was successful. Next I requested an access_token using the same newly registered client. I also pruned the kid header claim from the client_assertion. That part seems good now, but I do get the following error. At the bottom of my post, I also include the registration request if that info is helpful too.  

HTTP/1.1 400 Bad Request
{"error":"invalid_scope","error_description":"The authorization server resource does not have any configured default scopes, 'scope' must be provided."}

Access Token Request

POST /oauth2/aus5wvee13EWm169M1d7/v1/token HTTP/1.1
user-agent: ReactorNetty/1.1.2
host: udap.zimt.work
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: application/json
content-length: 3228

grant_type=client_credentials&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=[signed JWT omitted]&udap=1

Registration Request:

Registration response: RegistrationResponse(clientId=0oa7a8zo7qkjyhXXn1d7, softwareStatement=[JWT omitted], clientName=FHIR UDAP Client Test (Springboot), redirectUris=null, grantTypes=[client_credentials], responseTypes=null, tokenEndpointAuthMethod=private_key_jwt)

Dan Cinnamon
8 March 2023, 10:07:37
to UDAP
Good morning Brett-

This behavior is because I am expecting you to pass in the "scope" parameter in your /token request. I had not configured my authz server with any default scopes up to this point- which are scopes that are passed back "implicitly" if the requesting application doesn't explicitly define what scopes they're asking for.  I did update my server to enable system/Patient.r as a default scope- so you can go ahead and re-request and you should get past this now.

That being said- I would recommend you pass in the scope parameter as the exact scope/scopes you request at runtime are not necessarily exactly the same as what you registered with (maybe you request a subset in some circumstances).  Additionally, there's really no explicit standardized behavior that I'm aware of for how a given authorization server will treat the scopes defined in the software_statement during registration.... so I feel like relying on the registration to define what you get in the token might have challenges down the road.  I'd love to hear your take on this though from a real world perspective!
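An added example (not code from the thread, nor from either party's client or server) in Python covering the two points Dan makes above: the updated authentication-JWT claim layout with sub == iss == client_id, checked server-side so that the older layout with the certificate SAN in iss is rejected as invalid_client, and a /token form body that sends scope explicitly instead of relying on the server's default scopes. The token endpoint URL is the one quoted in the thread; the five-minute lifetime cap, the placeholder JWT string and the SAN-style iss value used in the test are assumptions.

```python
import time
import uuid
from urllib.parse import urlencode

# Token endpoint quoted in the thread.
TOKEN_ENDPOINT = "https://udap.zimt.work/oauth2/aus5wvee13EWm169M1d7/v1/token"
MAX_LIFETIME = 300  # assumed cap: exp at most 5 minutes after iat


def build_assertion_claims(client_id, token_endpoint=TOKEN_ENDPOINT, now=None):
    """Claims for a client_credentials authentication JWT under the updated rule
    sub == iss == client_id (JWS header, x5c and signature are out of scope here)."""
    now = int(now if now is not None else time.time())
    return {
        "iss": client_id,
        "sub": client_id,
        "aud": token_endpoint,
        "exp": now + MAX_LIFETIME,
        "iat": now,
        "jti": str(uuid.uuid4()),
    }


def check_assertion_claims(claims, registered_client_id, token_endpoint, now):
    """Server-side check of a decoded assertion body. Returns the OAuth error code
    (the thread's 'invalid_client') or None when the claims are acceptable."""
    if claims.get("iss") != registered_client_id or claims.get("sub") != registered_client_id:
        return "invalid_client"  # a SAN URI in iss fails here, as both clients in the thread did
    if claims.get("aud") != token_endpoint:
        return "invalid_client"  # assertion minted for a different token endpoint
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return "invalid_client"
    if not (iat <= now < exp) or exp - iat > MAX_LIFETIME:
        return "invalid_client"  # expired, not yet valid, or lifetime over the cap
    if not claims.get("jti"):
        return "invalid_client"  # jti is what a replay cache keys on
    return None


def build_token_request(assertion_jwt, scope):
    """Form body for the /token request; scope is sent explicitly, as Dan advises,
    rather than relying on whatever default scopes the server happens to configure."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": assertion_jwt,
        "scope": scope,
        "udap": "1",
    })
```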

UDAP
8 March 2023, 13:47:31
to UDAP
Thanks for the reminder about this, Dan.
UDAP Test Tool 1.0.18: Tests 7, 18 and 20 have now been updated accordingly; the 'sub' value of Authentication JWTs must now be set to the client_id.

Brett Stringham
13 March 2023, 18:22:55
to UDAP
Hi @Dan -

I'm playing some catch-up. I agree that expected client behavior would be to provide the applicable scope at the time of token request. Thanks again for the feedback.