CIS2 & ERS API token exchange in the INT environment

Good morning, I have an issue with the INT API token exchange not accepting our client assertion. The CIS2 & API team has confirmed that the assertion is generated correctly (content) and has checked it against our JWKS endpoint to validate the encoding. I would appreciate it if anyone has info that could help me resolve the problem. Environment: CIS2 auth with the separate exchange flow; INT environment for the auth and ERS (FHIR) INT access.

Assertion:
eyJhbGciOiJSUzUxMiIsImtpZCI6ImRldl9jaXMyX2tleV8zMDA4MjAyMyIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ3WWdZa2ZCOGdDZVExY1RwTkRSY2ZqWnNxdzNXSHA2WiIsImp0aSI6ImRjbk9CM2ljR2JFcE84SG9-TER5Wkt3cEUiLCJleHAiOjE2OTk1MTY4MzgsImlzcyI6IndZZ1lrZkI4Z0NlUTFjVHBORFJjZmpac3F3M1dIcDZaIiwiYXVkIjoiaHR0cHM6Ly9pbnQuYXBpLnNlcnZpY2UubmhzLnVrL29hdXRoMi90b2tlbiJ9.ic1nI0h7CjyaJ0rEWSy9XPdgRhDAlgk8nAEfBWoerq89j58GzcSNgj2WQsfZ1iflqSfQZX9Ew3-rWeSLIUG6yuLvHmH8jedWoSaqzgUxejzYib4c4Xjpda9ye00FhC4v2H45ijzJXiFjUGBP_QiBBpqrEnz1oqya8qzTmWwIPoXvRNwyk2op0aNc9RXf8PpORU2-CIUgk6_XQdiFVp-w7EHMpLWGLdknBCMfbh3MzNZ-zrCeTHjVqXmJQJI4CjCVsGCXV00j2ZJhOposLfdXDVZO1I_Vz9qD8L2ysn0z5_7F_9kMZUmJ4iI0NojOR_esyjrCAc18avr94MyGPY5Vu7cuHNRolMMN16dQc2GCrSPcJJrW3KC90GbKhJb4Ymh9nm4URUb1ZmiARJJlggYSmLaQS_hfQNwrmuDZjKrrgZ6Bb2Lsi0aqvpbuOKtSiQsxheYsGDws6LaOoXw6mIrM1_qL9ztEGIfRwiCH0Vmk2FPd3MFXU19oKTeXuqIehiNpdf03wCr-Qq77AOjTLx7HM4XfirWbp3G4TQci3xIRRPv0fBU3Sjr31yemJeiKWMZ3ymbbvfliUKrLqkXrYyS3wZspGhSb5lL158lpakzTZuQP5XFk6IXrp1VRgdwIDdKAhe1bgf7wEwRGf_LzW4fT_zBwATE2S9kZ0EkfMSMdB1Q

Relevant part of the JWKS:
{
  "kty": "RSA",
  "n": "rK5dhRE5b_3cvdxC8cYcg6Ul2_wxmNcCW4bMXI49wwD3cHdDUFCs7QYsphF8tVorg9e81WQxTjBoOrOkZJh_2lLrm_wCoCOhpAhP4B58xzHrYYXdjndF-V3txnOnfMzZeYuXYi_s5VzT9cbpvzxrmxg9JVSneiblqkpUXCfxHA1WgH1PEbw8mWigZs_G_3DbH-4yL7o_OWaGLvnX9sju6-FVYbxqtOva3wWl50I5cniKQD2VBSj71X8aX0-h6qKhIZMBY5-gKtZaRdbmRG3fGHXh2jPWaeMnxNGigjjV-AjnewIHX5ww1YD0UDo-X31pNBVDrVFAU0eQ3hwBsgJlP2HfMiYzGCzIRbffodKnYMdz22O_Ha_CdUqfw0Vn_ZsqlMB2W8IEDwW0qjuPKvIYeK92KaTnNxOcPi_ViQEjh4Vyb8VIn5m4QP3JcB5KXIPCFi5YgN2YOyQTybw7ZE3Nl9lc6NZDAHglEZhC2nL27E4_vQxD8yEF0M6qtLBi-j_GiFrWabTP625dGMHd4YMcf65FpYawMuLos2zW0-dfiFPUcnU-V89sZyuGoetpC_jEd1NktahlBV-xfIOnxrBHo3PiZAuQQEo5-eUETcuaVksAvkJVyE78047lmQmPaVdc6fiehadI3eUrK68b2PQ6HDa3Obl5iOA70JyJIibnvbE",
  "e": "AQAB",
  "alg": "RS512",
  "kid": "dev_cis2_key_30082023",
  "use": "sig"
}

Hello johan.pretorius,

I passed this by our support team.

They can see that the expiry date for that token was 09/11/23 at 8am.

Can you ask Johan to generate a new token and get back to us if they’re having the same issue?

Also, the kid is dev_cis2_key_30082023. I wonder if they're using the correct key if they're targeting INT.

Hi Alan, I apologize for the delayed response. We have had a connectivity outage on our side and I have not been able to regenerate and send back a proper response to you. I will do so as soon as we are properly online again.

Good morning Alan,

Our connectivity has been restored and I can quickly regenerate the content/details for you. For this example I have regenerated a key pair using the mkjwk - JSON Web Key Generator, as per your documentation at User-restricted RESTful APIs - NHS Care Identity Service 2 separate authentication and authorisation - NHS Digital, to ensure that it was not the point of failure.

Find below the relevant part of the new JWKS entry registered against the product on the API portal, the assertion and the response.
JWKS:
{
  "kty": "RSA",
  "e": "AQAB",
  "use": "sig",
  "kid": "ers_api_int_24112023",
  "alg": "RS512",
  "n": "pKndwUy67NTd1rzXVY5RqapFCCJmDiiV9_hawfxrMfR40qVfs4ujxsf4aV17tk6-jfmxU0NOvzROChzUv05KCmlapFRZy-XkXIoA6kFe6FUsRmyRFmoIV_gzuM7phyHRr1-iZr6pDP1vzHUPyl-W0FGnYqxF7IoYAQ0tmA9Jl9gqrAj7GhQruNCuy5hYNnoGTukI6We7QrOwlFdKRhTJgnvoWQ6nT-xZqjWuKioIBa34ACHtc6QR7Vm4DpG4Ut2OzacOR1bKQElI-5d1g5_AU0qgx7J6zrKnV0J2QmCIvm25bryECad5zkKtmEkACAWdM5A53C-fQ8kLD3RwpM7ZDpva1_wy4OQpfg7N-nszUquJbn8KjXiqf-APL7MGlcFMFQY4Rum5Hasscl8526ci61hfg0bHqCmSszmFFCZai-thGsCCjuDD9R8d2OxdJbMOeCVWJXzWNXGUpeNYelwKe9LE9DklwGBKa-S76Mn1xqurQS8i650k8NOb00hDZQb_GZNoWPWluVhVH3piekzWIMpbjb2ZL4zpTSe-FXbcJJFCWfg2RNLUfEcNAoHywkQlKqz2LQPu4NMh84uqXqI-Y0vcw5IVBa3mSPRFz_wjOiy_AIHLm-bmfAbm8br0PPn9_PIxlhJZRjINMYiFFrrqhrAV9eIFGTvzS1QqbafhfLc"
}

Assertion:
eyJhbGciOiJSUzUxMiIsImtpZCI6ImVyc19hcGlfaW50XzI0MTEyMDIzIiwidHlwIjoiSldUIn0.eyJzdWIiOiJ3WWdZa2ZCOGdDZVExY1RwTkRSY2ZqWnNxdzNXSHA2WiIsImp0aSI6ImNZRUQ5cFRCc2tLZnVkN3U5VW50WTUzWUoiLCJleHAiOjE3MDA4MjY1MDYsImlzcyI6IndZZ1lrZkI4Z0NlUTFjVHBORFJjZmpac3F3M1dIcDZaIiwiYXVkIjoiaHR0cHM6Ly9pbnQuYXBpLnNlcnZpY2UubmhzLnVrL29hdXRoMi90b2tlbiJ9.iN-aVVQjihRbnwgH5RP6EnJUu5GtQRVIl9m2KHWXCPcH0Kaunh6QDjUXEcn-f0F_9PYg_q3qX1ZkLb_OIrMm3dO_vzILntUdGI8NS1sz7yHZKt27HDl3m-xKwBijlg21RlTwdn0ahDcs6hDv–u_K8GW_VUG-heJrCIBI3HAOGlNCQpQOzs1uBpaoMsQrzSo4GJ1IE0-aeCg4eu8D12o2nwYKfp0FAQb-LCsc65ZK0TUI7OzJrjGjhJTj3VY6ZUjnYAKn6WiffSh0L0cmGxDftWHzg85yNzLhM1mCYNjGAEv_PPKibFPJ7sqtk40gr7K78JSXfu7l1_cV5X37R_z81VI12VGMkzj1H-bZsq_g6UBqYGqJ0eTjiCdXWLNZd3VA_p_FJvL0Kn1VhsqBvT0uQClrS9Rads1qYdi-Xni2YnN6Ct0n_UDco_fXjh14BUGpRTHPbN2BWUDcDi37imT-mXrBUmVNiJPRHmYl5tgB3cVLi9IeoJCLpXrgtxkecb7Yplc-CHjV-k1Tl_lrEoPmo8Hg5IkI06_WIstPU72Wfk30NCaXuBcZf3P0c0TuK3eq-_Fy_DJaAjgOAX7LGGp2WeIih0MuIcNDw8J6sAPsTmyV0cztdfchqEzrUURkt4R9Ee1i_G2UXgJ7hs4TQSXHild9SLBxB2QxfTS7k1qxnw

Response:
{
  "error": "invalid_request",
  "error_description": "Malformed JWT in client_assertion",
  "message_id": "rrt-1735614601207619263-c-geu2-13690-6998129-1"
}

Kind Regards,
Johan

Thank you johan.pretorius, I will get this across to the team to take a look.

Hello johan.pretorius,

The team have just put the token through https://jwt.io/ (a useful site for this kind of thing) and the error returned says the JWT signature has not been encoded correctly using base64url.


Hope this helps.
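The three things that tripped this thread (a signature segment that is not valid base64url, an assertion past its exp, and a kid that is not in the JWKS registered for the target environment) can all be caught locally before calling the token endpoint. The script below is an added example written for this page; it is not code from the thread, from NHS Digital or from the CIS2 documentation. It builds an RS512 client_assertion of the shape the posted tokens have (iss and sub set to the client ID, aud set to the INT token endpoint https://int.api.service.nhs.uk/oauth2/token, a jti, a short exp, kid in the header), then lints a token against a JWKS and verifies the signature against the matching key. Everything outside the claim names is an assumption for illustration: the client ID, the kid, the 300-second lifetime, and the throwaway 1024-bit RSA key generated in-script. The hand-rolled RSA PKCS#1 v1.5 code exists only so the example runs offline with the standard library; for real signing use a JOSE library and a properly protected key.

```python
# Added example, not code from the thread or from NHS Digital. Standard library only; the RSA key is a
# throwaway generated here so the script runs offline. Sign with a real JOSE library in production.
import base64, hashlib, json, math, secrets, time

B64URL = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")
SHA512_DIGESTINFO = bytes.fromhex("3051300d060960864801650304020305000440")  # RFC 8017 s9.2 DigestInfo prefix

def b64url_encode(raw: bytes) -> str:
    """RFC 7515 base64url: URL-safe alphabet, '=' padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(seg: str) -> bytes:
    """Strict decode: urlsafe_b64decode alone tolerates '+', '/' and stray ASCII, so check the alphabet first."""
    if not seg or any(c not in B64URL for c in seg):
        raise ValueError("segment is not base64url")
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    # EMSA-PKCS1-v1_5 encoding of SHA-512(msg) as a k-byte integer: the padded value RS512 signs.
    t = SHA512_DIGESTINFO + hashlib.sha512(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def _probable_prime(n: int, rounds: int = 24) -> bool:  # Miller-Rabin, adequate for a demo key
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)
    if n < 2 or any(n % p == 0 for p in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits: int = 1024):
    """Throwaway (n, e, d) for the demo only; real keys come from a library or an HSM."""
    def prime() -> int:
        while True:
            c = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1  # exact size, odd
            if _probable_prime(c):
                return c
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(65537, phi) == 1:
            return p * q, 65537, pow(65537, -1, phi)

def rs512_sign(signing_input: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(signing_input, k), d, n).to_bytes(k, "big")

def rs512_verify(signing_input: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa_pkcs1_v15(signing_input, k)

def jwk_from_key(n: int, e: int, kid: str) -> dict:
    # Public JWK entry of the shape registered against the product on the API portal.
    b = lambda x: b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"kty": "RSA", "n": b(n), "e": b(e), "alg": "RS512", "kid": kid, "use": "sig"}

def make_client_assertion(client_id: str, aud: str, kid: str, n: int, d: int, now: int = None, lifetime: int = 300) -> str:
    """iss == sub == client ID, aud == token endpoint, unique jti, short exp, kid in the header."""
    now = int(time.time()) if now is None else now
    dump = lambda o: b64url_encode(json.dumps(o, separators=(",", ":")).encode())
    claims = {"iss": client_id, "sub": client_id, "aud": aud, "jti": secrets.token_urlsafe(16), "exp": now + lifetime}
    signing_input = dump({"alg": "RS512", "kid": kid, "typ": "JWT"}) + "." + dump(claims)
    return signing_input + "." + b64url_encode(rs512_sign(signing_input.encode(), n, d))

def lint_client_assertion(token: str, jwks: list, expected_aud: str, now: int = None) -> list:
    """Reasons a token endpoint would reject the assertion; an empty list means it looks fine."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return [f"expected 3 dot-separated segments, got {len(parts)}"]
    findings, decoded = [], []
    for name, seg in zip(("header", "payload", "signature"), parts):
        try:
            decoded.append(b64url_decode(seg))
        except ValueError:
            findings.append(f"{name} segment is not base64url (offending: {sorted(set(seg) - B64URL)})")
    if findings:  # the "Malformed JWT in client_assertion" case; nothing further is checkable
        return findings
    header, claims, sig = json.loads(decoded[0]), json.loads(decoded[1]), decoded[2]
    key = next((k for k in jwks if k.get("kid") == header.get("kid")), None)
    if header.get("alg") != "RS512":
        findings.append(f"alg {header.get('alg')!r}, expected RS512")
    if key is None:
        findings.append(f"kid {header.get('kid')!r} not in the registered JWKS (wrong environment or stale key?)")
    if claims.get("aud") != expected_aud:
        findings.append(f"aud {claims.get('aud')!r} is not the token endpoint")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        findings.append(f"exp {claims.get('exp')} is not in the future (now={now})")
    if key and not rs512_verify(".".join(parts[:2]).encode(), sig,
                                int.from_bytes(b64url_decode(key["n"]), "big"), int.from_bytes(b64url_decode(key["e"]), "big")):
        findings.append("signature does not verify against the JWKS key with this kid")
    return findings
```

To use it on a real case, paste the assertion string and the JWKS entries registered on the portal into lint_client_assertion with the INT token endpoint as expected_aud; a stray non-alphabet character in any segment (the en dash visible in the second posted signature is exactly this) comes back as the single "not base64url" finding, which is what the endpoint reports as a malformed JWT. The strict alphabet check matters because base64.urlsafe_b64decode on its own would not reject a '+', '/' or '=' inside a segment.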

@alan.rawlings2, can this thread be marked as closed? I don't appear to be able to do it.