Hi,
Following documentation from here: https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/user-restricted-restful-apis-cis2-separate-authentication-and-authorisation
I am not able to successfully generate an access token with refresh token properties from https://int.api.service.nhs.uk/oauth2/token when I use the following request example:
{ "client_assertion", clientAssertion },
{ "client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" },
{ "grant_type", "urn:ietf:params:oauth:grant-type:token-exchange" },
{ "subject_token", idToken },
{ "subject_token_type", "urn:ietf:params:oauth:token-type:id_token" }
clientAssertion = "eyJhbGciOiJSUzUxMiIsImtpZCI6IkNPQldFQi1CRC1DSVMyLUlOVCIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJjNjVmMGVkNC04MzFkLTRmZTAtYjRjYS1hZmI4NjJkY2RlMDEiLCJzdWIiOiIxRGY0VlJoT1dKbmlDNUFnMXREWjBHRzBJelJwdHB2eCIsIm5iZiI6MTc1MTQ3MjI4MCwiZXhwIjoxNzUxNDcyMzQwLCJpc3MiOiIxRGY0VlJoT1dKbmlDNUFnMXREWjBHRzBJelJwdHB2eCIsImF1ZCI6Imh0dHBzOi8vaW50LmFwaS5zZXJ2aWNlLm5ocy51ay9vYXV0aDIvdG9rZW4ifQ.s3vBX9zz_3kowk4Ku7mS8GsK6_5_EwiGj84ARsqYuJBJVeLiLC3pe6bxnY_p-bvJRYtMgTeLJSgrRS7HaTEI8tmdHCzxCXAAX7s33Y90tNX7qhNlIK_Pftb4YrWDDUtVs4UHEaIhd6T_WDEX980g7YyNoEA0bjF05C9D80Q3s46Uuoi6cV4-B-StXk3UuQhqBkqW1ibmTxMLms65f1Uct9M1jSl4gMbUzKDHe5w_s6KZE-Z1W3Zqs27pL6mCN5c8qlaDNcAfYn-p5jhEJkspToVzPhAFY_863cTdH46vzzPRQ7-lvc0NtDKkT_vMMl8JDr6KpYsRK42mLj24sXrrhQR40BsLjLDN28Ov6CSSbvtT8lbwtc3uM-4sYjncPlDuZKnK3GCrY1MopuSG6QDwbPnEIjT9KphafTmjU0wzwRS1Ai76ANBIQk5eKAuTKSlLvXvXWIbit_yUQUGG2SsYY1U1lGp0ITUNYbzfhNbLP61NRRXOaD_9yts_U9HXSwL-ruRZpq-RlsxircT_8nH6LSC3WeHvt-EgnUaRt8tSlWaj6ocDVZWTjQZeHoW24rnpADi2TUhHAA2WZYGzyKx5jM7bxj6tCyWhxAKEZXpFqyTnwANq-04DMfDPbuY0uvfyHJGO_7QY9XhyXcLP46ikCQ9AMxeMBB1RdAk1LWfrjb8"
idToken = "9SrRLS-XxM65UGJRlXR_6lqf604"
I have added x-request-id to the header as well; on this occasion it was "7da24a2f-6e49-49eb-b4a7-b07dd0c15b13", for tracking.
Response example:
{
"error": "invalid_request",
"error_description": "Malformed JWT in subject_token",
"message_id": "rrt-1183045613714605707-b-geu2-2173710-114871213-1"
}
Is there any way to debug why "Malformed JWT in subject_token" is being raised? As far as I can tell the JWT checks out OK, and the id_token is being returned from CIS2 Auth fine.
Strangely enough the same API endpoint will successfully return an access token if my request is just the following parameters:
{ "client_assertion", clientAssertion },
{ "client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" },
{ "grant_type", "client_credentials" }
but in that instance the resulting access token does not come with a corresponding refresh token, e.g.
{
"access_token": "W70FARrD7UHhuGDUAJplgSjyl7G9",
"expires_in": "599",
"token_type": "Bearer",
"issued_at": "1751473025853"
}
So if passing just client_assertion, client_assertion_type and grant_type works, does that confirm the JWT is formed correctly?
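One way to answer "is this value shaped like a JWT?" locally, before the token endpoint is even called, is a structural check of each JWT-valued parameter in the token-exchange request. The script below is an added example for this thread; it is not part of the original post and not NHS API Platform code. It decodes the header and payload of a compact JWS, checks the `exp`/`nbf` claims against a supplied clock, and runs that over the `client_assertion` and `subject_token` parameters of an RFC 8693 token-exchange request. It deliberately does not verify signatures (only the issuer can), and every helper name, sample token and claim value in it is constructed for illustration.

```python
import base64
import json
import time

# Added diagnostic example: a structural (NOT cryptographic) check of the
# JWT-valued parameters in an RFC 8693 token-exchange request.
# All helper names, constructed tokens and claim values are assumptions
# for illustration, not NHS API Platform code.


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, the encoding JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the stripped padding, then decode; raises ValueError on junk."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt(token: str, now=None) -> dict:
    """Report whether `token` is shaped like a compact JWS and what it claims.

    Returns {"is_jwt": bool, "problems": [...], "header": {...}, "claims": {...}}.
    The signature is not verified: the goal is to tell an opaque string apart
    from a JWT and to spot expired / not-yet-valid tokens before sending them,
    which is all a client can check on its own side.
    """
    now = time.time() if now is None else now
    report = {"is_jwt": False, "problems": [], "header": None, "claims": None}
    parts = token.strip().split(".")
    if len(parts) != 3:
        report["problems"].append(
            f"expected 3 dot-separated segments, found {len(parts)}")
        return report
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # binascii.Error and JSONDecodeError are ValueErrors
        report["problems"].append(f"header/payload not base64url JSON: {exc}")
        return report
    if not isinstance(header, dict) or not isinstance(claims, dict):
        report["problems"].append("header and payload must be JSON objects")
        return report
    report.update(is_jwt=True, header=header, claims=claims)
    if "alg" not in header:
        report["problems"].append("header has no 'alg'")
    if "exp" not in claims:
        report["problems"].append("payload has no 'exp' claim")
    elif claims["exp"] <= now:
        report["problems"].append(f"exp {claims['exp']} is in the past")
    if claims.get("nbf", now) > now:
        report["problems"].append(f"nbf {claims['nbf']} is in the future")
    return report


def check_token_exchange_request(params: dict, now=None) -> dict:
    """Run inspect_jwt over the two parameters that must carry a JWT in a
    jwt-bearer client assertion + id_token token-exchange request."""
    findings = {}
    for name in ("client_assertion", "subject_token"):
        value = params.get(name)
        if value is None:
            findings[name] = {"is_jwt": False, "problems": ["parameter missing"]}
        else:
            findings[name] = inspect_jwt(value, now)
    return findings


def build_test_jwt(header: dict, claims: dict) -> str:
    """Construct a compact JWT with a placeholder signature (test data only)."""
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}.placeholder-signature"


if __name__ == "__main__":
    # Constructed sample request: a well-formed assertion next to an opaque string.
    now = 1751472300
    assertion = build_test_jwt(
        {"alg": "RS512", "kid": "constructed-kid", "typ": "JWT"},
        {"iss": "constructed-client", "sub": "constructed-client",
         "aud": "https://example.invalid/token", "nbf": now - 20, "exp": now + 60})
    request = {"client_assertion": assertion,
               "subject_token": "constructed-opaque-token-9SrRLS"}
    for name, finding in check_token_exchange_request(request, now).items():
        print(name, "is_jwt=%s" % finding["is_jwt"], finding["problems"])
```

Run it over the actual values a client is about to send and read the `problems` list per parameter: a value reported with "found 1" segments is not a JWT at all, and an `exp` in the past points at a clock or caching problem rather than a formatting one. Keep `now` pinned to a known timestamp when reproducing a failure so the report is deterministic.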