CIS2 auth tokens using jwt-bearer assertion type

Hello, I am attempting to generate an access token using jwt-bearer assertion_type, but I am getting back “client_id is missing” (and later client_secret is missing if I add the client_id). If I supply a valid JWT as client_assertion, my understanding is I should not have to also include my client ID and secret. Is it possible to confirm?

It sounds like you are setting the authentication type for the token endpoint wrong - for the jwt-bearer option the value must be exactly as listed in our documentation, otherwise it is ignored and defaults to client secret. If you want to DM the payload you are sending, including the JWT, I can verify the contents.

We attempted to use the authorize flow in the document you referenced:

https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/authorize?response_type=code&client_id=PNSSNSiKtbBm7dTR5KSbOymdFlcW9otK&scope=openid%20profile&state=sCVrX0dMAkY9E6fpQpOC2JoOW231Y63InfEzQPWxcKU%3D&redirect_uri=https://cios-dev.stratahealth.com/cios-dev/stratahealth/cis2.zone/login/oauth2/code/cis2&code_challenge_method=S256&nonce=ZoN891Sq-HaOqgaXn7J9_HP9rB1pyQSPeYtqn3x0fAc&code_challenge=oQ7k6MZ45PlhDUj0riKLsB62UlOJ9PPxJ8cZTE0rfGo

This returns a 400 response, and even the example in the document seems to always generate a 400. Can you verify the correct endpoint addresses for this? Is it as above? Previously we were using int.api.service.nhs.uk/oauth2/authorize.

Hi David, have you requested CIS2 client information from the onboarding team? The value for the client_id you are using looks like the API-M client-id. A CIS2 Auth client ID would be of the form XXXX.supplier.app - I can’t see any valid client configurations on our side. As part of the guidance, please reach out to the onboarding team to get set up with CIS2 Auth, which is a pre-requisite for authentication.
Whilst there are 2 similar token requests as part of the user-restricted separate flow, they are different and use different client IDs and “secrets”.
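
A preflight check for the point made in the first reply (the assertion type must match exactly, otherwise the request is treated as client-secret authentication), as an added example that is not code from this thread or from NHS documentation. The URN is the RFC 7523 value; the endpoint URL, the `XXXX.supplier.app` client ID, the sample claims and the assumption that `aud` is the token endpoint URL are constructed placeholders, and the JWT signature is not verified here.

```python
import base64, json, time
from urllib.parse import parse_qs, urlencode

# RFC 7523 section 2.2: the only value that selects JWT client authentication.
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def _claims(segment):
    """Decode the JWT payload segment (no signature verification)."""
    raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    claims = json.loads(raw)
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims

def check_token_request(body, token_endpoint, now=None):
    """Return the problems found in a form-encoded token request body."""
    now = time.time() if now is None else now
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    problems = []
    # Exact comparison: wrong URN, wrong case or stray whitespace all fail.
    if form.get("client_assertion_type") != JWT_BEARER:
        problems.append("client_assertion_type is not the exact jwt-bearer URN")
    if "client_secret" in form:
        problems.append("client_secret sent alongside client_assertion")
    parts = form.get("client_assertion", "").split(".")
    if len(parts) != 3:
        return problems + ["client_assertion is not a three-part compact JWT"]
    try:
        claims = _claims(parts[1])
    except ValueError:
        return problems + ["client_assertion payload is not base64url JSON"]
    if not claims.get("iss") or claims.get("iss") != claims.get("sub"):
        problems.append("iss and sub must both be the client ID")
    aud = claims.get("aud")  # assumption: aud is the token endpoint URL
    if token_endpoint not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not name the token endpoint")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp missing or in the past")
    return problems

def sample_body(assertion_type, endpoint="https://as.example/token"):
    """Constructed request: placeholder client ID, dummy signature segment."""
    claims = {"iss": "XXXX.supplier.app", "sub": "XXXX.supplier.app",
              "aud": endpoint, "exp": 2000000000, "jti": "constructed-1"}
    seg = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    jwt = ".".join([seg({"alg": "RS256"}), seg(claims), "c2ln"])
    return urlencode({"grant_type": "authorization_code", "code": "constructed",
                      "client_assertion_type": assertion_type, "client_assertion": jwt})
```

Running `check_token_request` over the exact body your client sends, before it leaves the machine, shows whether the server would see a JWT-authenticated request or one that looks like a client-secret request with the secret missing.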