Malformed JWT for Token Exchange

I am working through doing a Token Exchange as laid out in the CIS2 Separate Authentication and Authorization, using the Sandbox Environment, and I keep getting back a “Malformed JWT in client_assertion” error.

The JWT is valid when checked with JWT.io.

The most recent example:
eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6Ik1ULVNhbmRib3gtMSJ9.eyJpYXQiOjE2ODk4NjE5ODAsInN1YiI6Im1NQ3NVR3VteE8wbU05ekM4S1NNczJLSUh3dFJNUkRRIiwiZXhwIjoxNjg5ODYyMjgwLCJhdWQiOiJodHRwczovL3NhbmRib3guYXBpLnNlcnZpY2UubmhzLnVrL29hdXRoMi90b2tlbiIsImlzcyI6Im1NQ3NVR3VteE8wbU05ekM4S1NNczJLSUh3dFJNUkRRIiwianRpIjoiNDhlMzNiMDMtZDljYy00ODM2LTgwNzEtODQ3YTFlNDMzNmYyIn0.U7pnXT5opYgFF_rDhu0G7sj-ZtxA8iWV-Sa6s1Sg_J-Y0KN1ZWHnTMBf9xsAc9thGkhqp3V–Dkke7qCC4Q2piEAnGW7JKagtrzh5O05Pc3iOivcTUauQwHYZB8W78TuKKDxPtPbXs4pyYhTjP-Vuy4ghKW4HUe-xLdegZ1crOVF3-kyB2XS0g-_HJqXffoFKKqQwpacB70z6Z0h6zI3yjPM-zQm9IyrwGUobib9g1E63EbaQ8b6gRdaMfr71Dj2fG5veD65QASpXIUvW1RYH6Dj-E6vrq9-uDUu3KHEpDhUvRLNQMxn8ThPkl208CALabV2dQ6IXPQOX_JBwcD6bpVZWQXaR6lB1VthC0XDmWyFDz2q0uD2X9SItARWt1hWRrUEzKsogWHyOd4ALnBIhtH1qo4Y9pvnY0SPlZoZfkLNepVC9l1-Ilk7cOJoovB-BgLc6mpnSlVyilc3d-wDEZLIeHW2Y0tbRJRrLKKIVY1EVQLX7mnz7iynxZKIw_TeUTEuNBV6QHX3gJj21VACGZi2UV9AdQEyXNnC7sxFoTR_lkJUXZUVQTyTbBCtm2mQU7E-j1iymDqKsyv6zb8r76CzO2umxwmu-J1u74CekOqrXMBBd1hYSbfRnhSfCaFxWsVGexWP-faLlWk5KnL0pddVzIF4KIBWpW14kmzVSJQ

Any help would be appreciated, Thank you.

Hello glabonte,
Did you use the Token in Postman or via code?

I’ve tried both, but have resorted to Postman for the short term.

Hello glabonte,
The Team have taken a look and the JWT looks fine, but it is possibly how it's being created that is why it's invalid.
Can you list the App ID so we can check the App looks as it should be, thank you.

Hi @alan.rawlings2,
The app ID is 33f00de9-75c6-44fb-84f8-31069537068b.

hi @glabonte
i am working on a similar thing and wonder where the Relying Party code (client_id) should come from. :pray:

Regarding the question: does the sandbox env require a token in order to consume the API?

Hello glabonte, which specific API does this relate to?

Running your token through JWTIO gives the following error;

“Looks like your JWT signature is not encoded correctly using base64url (RFC 4648 - The Base16, Base32, and Base64 Data Encodings). Note that padding ("=") must be omitted as per RFC 7515 - JSON Web Signature (JWS).”

Maybe this will help?
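A segment-level lint for the error quoted above, added here as an example (it is not code from the thread or from NHS Digital): it checks that each part of a compact JWS is unpadded base64url before attempting to decode the header and payload, so a stray non-alphabet character in the signature is reported by segment and code point rather than as a generic "Malformed JWT". The HS256 signer, the demo key, the placeholder client id and the `jti` are constructed for the demo; the `aud`, `iat` and `exp` values mirror the token posted in the thread.

```python
import base64, hashlib, hmac, json, string

# RFC 4648 s.5 alphabet; RFC 7515 s.2 requires the '=' padding to be omitted in a compact JWS.
B64URL_ALPHABET = set(string.ascii_letters + string.digits + "-_")

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(seg: str) -> bytes:
    # Padding is re-added only for decoding; it must never appear in the token itself.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def lint_jws(token: str) -> dict:
    """Report why a compact JWS would be rejected as malformed before any signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        return {"ok": False, "reason": f"expected 3 dot-separated segments, got {len(parts)}"}
    for name, seg in zip(("header", "payload", "signature"), parts):
        if not seg:
            return {"ok": False, "segment": name, "reason": "empty segment"}
        if "=" in seg:
            return {"ok": False, "segment": name, "reason": "base64url padding must be omitted (RFC 7515)"}
        bad = next((c for c in seg if c not in B64URL_ALPHABET), None)
        if bad is not None:
            return {"ok": False, "segment": name, "reason": f"non-base64url character {bad!r} (U+{ord(bad):04X})"}
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:
        return {"ok": False, "reason": f"header/payload is not valid JSON: {exc}"}
    return {"ok": True, "alg": header.get("alg"), "header": header, "payload": payload}

def make_hs256_token(claims: dict, key: bytes) -> str:
    # Constructed stdlib-only signer. The thread's token is RS512 with a kid, but the
    # segment-encoding rules checked by lint_jws() are identical for every alg.
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(b64url_encode(json.dumps(o, separators=(",", ":")).encode()) for o in (header, claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

# Constructed claims in the shape of the thread's token; the client id is a placeholder.
SAMPLE_CLAIMS = {"iss": "CLIENT_ID_PLACEHOLDER", "sub": "CLIENT_ID_PLACEHOLDER",
                 "aud": "https://sandbox.api.service.nhs.uk/oauth2/token",
                 "jti": "constructed-jti-0001", "iat": 1689861980, "exp": 1689862280}
GOOD_TOKEN = make_hs256_token(SAMPLE_CLAIMS, b"constructed-demo-key")
# Reproduce the copy/paste damage JWT.io complains about: a '-' in the signature turned into an en-dash.
BAD_TOKEN = GOOD_TOKEN[:-10] + "\u2013" + GOOD_TOKEN[-9:]
```

Running `lint_jws(BAD_TOKEN)` points at the signature segment and the offending code point (U+2013), which is the check worth doing on the pasted token before looking at the app configuration.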

I am trying to get started with eRS in Healthcare worker mode.

Hello glabonte,

The team have advised that, if you are in the sandbox environment, the URL is sandbox.api.service.nhs.uk/oauth2, not int.