Application Restricted JWT Authentication

Hi,

I’ve followed the steps line by line on the Application Restricted RESTful APIs Signed JWT Authentication documentation here - https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/application-restricted-restful-apis-signed-jwt-authentication#environments-and-testing

Unfortunately, after cloning the csharp repo and setting the appropriate environment variables I’m getting an exception. I’m not sure if the following lines are necessary, as the generated keys have BEGIN PRIVATE KEY, without RSA. I’m not sure if this is the issue or not. Here is the reference to these lines of code:

privateKey = privateKey.Replace("-----BEGIN RSA PRIVATE KEY-----", "");
privateKey = privateKey.Replace("-----END RSA PRIVATE KEY-----", "");

Either way, the exception I’m getting is on line 72 of the JWTHandler.

System.Security.Cryptography.CryptographicException: ‘ASN1 corrupted data.’

AsnContentException: The provided data is tagged with ‘Universal’ class value ‘16’, but it should have been ‘Universal’ class value ‘2’.

Would anyone be able to point me in the right direction on this one?

Many thanks

You can’t simply change the PEM header. You’ll need to use openssl to convert the key to a "traditional" format. The underlying key is different.

I’ve moved away from the example repo now as it doesn’t match up with the generated keys. I’ve had a bit more luck by using rsa.ImportFromPem(privateKey);. This also means that I don’t have to replace any content from the generated keys in code.

However, now I’m further down the line, when I try to hit the token url (https://int.api.service.nhs.uk/oauth2), I’m getting a 404.

You are missing part of the access token URL by the look of it.

You are correct, I was missing /token from the URL.

If it benefits anyone in the future, I’ve added functionality for the newer versions of openssl generated keys. It’s currently in PR - Add modern openssl key functionality by NHCT-Lloyd · Pull Request #119 · NHSDigital/hello-world-auth-examples
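A worked C# example, added here and not code from the hello-world-auth-examples repo or from the PR above, that ties the thread together: it loads the key with rsa.ImportFromPem so that both PKCS#8 ("BEGIN PRIVATE KEY", what newer openssl emits) and PKCS#1 ("BEGIN RSA PRIVATE KEY", the "traditional" format) PEMs work without editing the PEM text, and it posts the signed JWT to the full token URL including the /token suffix. The "Universal class 16 but should have been Universal class 2" error quoted in the first post is exactly what happens when PKCS#8 bytes are fed to a PKCS#1 parser: after the version INTEGER, PKCS#1 expects the modulus INTEGER (tag 2) but PKCS#8 has the AlgorithmIdentifier SEQUENCE (tag 16) there, so stripping the word RSA from the header cannot fix it. The RS512 algorithm, claim set, environment variable names and client_assertion form fields are assumptions taken from the NHS guide linked in the first post, not from this thread; the kid value is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

// Added example, not the hello-world-auth-examples repo code.
// Assumed (from the linked NHS guide, not this thread): RS512, the claim set,
// the client_assertion form fields and the environment variable names.
public static class NhsJwtClient
{
    // The thread's base URL plus the "/token" suffix that was missing (a 404 otherwise).
    public const string TokenUrl = "https://int.api.service.nhs.uk/oauth2/token";

    // ImportFromPem (.NET 5+) reads the PEM label itself, so it accepts both
    // "BEGIN PRIVATE KEY" (PKCS#8) and "BEGIN RSA PRIVATE KEY" (PKCS#1).
    // No header stripping or string replacement is needed.
    public static RSA LoadPrivateKey(string pem)
    {
        var rsa = RSA.Create();
        rsa.ImportFromPem(pem);
        return rsa;
    }

    // JWT uses base64url without padding, not plain base64.
    private static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Builds header.payload.signature signed with RS512 (SHA-512, PKCS#1 v1.5 padding).
    public static string CreateClientAssertion(RSA rsa, string apiKey, string kid)
    {
        var header = new { alg = "RS512", typ = "JWT", kid };
        var now = DateTimeOffset.UtcNow;
        var payload = new
        {
            iss = apiKey,
            sub = apiKey,
            aud = TokenUrl,                          // audience is the full token URL
            jti = Guid.NewGuid().ToString(),         // unique per request
            exp = now.AddMinutes(5).ToUnixTimeSeconds(), // short-lived assertion
        };
        string signingInput =
            Base64Url(JsonSerializer.SerializeToUtf8Bytes(header)) + "." +
            Base64Url(JsonSerializer.SerializeToUtf8Bytes(payload));
        byte[] signature = rsa.SignData(Encoding.ASCII.GetBytes(signingInput),
            HashAlgorithmName.SHA512, RSASignaturePadding.Pkcs1);
        return signingInput + "." + Base64Url(signature);
    }

    // Exchanges the signed assertion for an access token (client credentials grant).
    public static async Task<string> RequestAccessTokenAsync(HttpClient http, string assertion)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "client_credentials",
            ["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            ["client_assertion"] = assertion,
        });
        using HttpResponseMessage response = await http.PostAsync(TokenUrl, form);
        response.EnsureSuccessStatusCode(); // a 404 here usually means the URL lost "/token"
        return await response.Content.ReadAsStringAsync();
    }

    public static async Task Main()
    {
        // Assumed variable names; the PEM is read whole, so its header is irrelevant.
        string pem = Environment.GetEnvironmentVariable("PRIVATE_KEY_PEM")
            ?? throw new InvalidOperationException("set PRIVATE_KEY_PEM to the PEM text");
        string apiKey = Environment.GetEnvironmentVariable("API_KEY")
            ?? throw new InvalidOperationException("set API_KEY");
        string kid = Environment.GetEnvironmentVariable("KEY_ID") ?? "placeholder-kid";

        using RSA rsa = LoadPrivateKey(pem);
        string assertion = CreateClientAssertion(rsa, apiKey, kid);

        using var http = new HttpClient();
        string tokenJson = await RequestAccessTokenAsync(http, assertion);
        Console.WriteLine(tokenJson);
    }
}
```

Run it with `dotnet run` after exporting the three variables; because the key is never rewritten in code, the same binary works whether openssl produced a PKCS#8 or a PKCS#1 PEM, and the only URL in play is the complete token endpoint.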

Thank you for this, Lloyd.
