I’m trying to generate a token in the sandpit environment, but I am getting this error from the /oauth2/token
endpoint:
{
"error": "invalid_request",
"error_description": "Missing or non-matching 'iss' claim in subject_token JWT",
"message_id": "rrt-826575031932329240-a-geu2-3684765-160410878-1"
}
NHS Login Client ID:
jpmonette-patient-services
NHS Login Endpoint:
https://auth.sandpit.signin.nhs.uk
OAuth2 endpoint:
https://sandbox.api.service.nhs.uk/oauth2/token
API Key:
lcIZTc7Pt2k3JgyhhFPPoUUFhWAfY5aN
Claims:
{
sub: 'lcIZTc7Pt2k3JgyhhFPPoUUFhWAfY5aN',
iss: 'lcIZTc7Pt2k3JgyhhFPPoUUFhWAfY5aN',
jti: '44e1d5bb-dfdf-4094-a8e4-18ebf3ca2279',
aud: 'https://sandbox.api.service.nhs.uk/oauth2/token',
exp: 1753186529
}
Is it possible to investigate what I might be missing? I suspect the API key I am using is wrong, but I use the one from:
https://onboarding.prod.api.platform.nhs.uk/MyApplications/ApplicationDetails/EditAPIKeys?appId=51cfb45a-55f6-4f24-bfe9-2ed1f86fba31
Thanks
I’ve been troubleshooting some more today and still getting the same issue.
I tried with this “AUD” as I think the one I was previously using wasn’t paired with NHS Login:
dev.api.service.nhs.uk/oauth2
Unauthorized {
error: 'invalid_request',
error_description: "Invalid 'iss'/'sub' claims in client_assertion JWT",
message_id: 'rrt-4653645618588871751-c-geu2-3260888-157594417-1'
}
Hi @jpmonette I have flagged to the team and they should get back to you on the community soon.
Hi @jpmonette, I have verified the API key details and it seems fine. The claims you have shared are from the client_assertion. However, the error is related to the subject_token. Can you please share the subject token once for further verification?
Also, please go through the following link, which has the required details: https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/user-restricted-restful-apis-nhs-login-separate-authentication-and-authorisation
Thanks for reviewing this. I did go through the documentation to build the token exchange query.
Here’s the curl for my token exchange:
> curl 'https://dev.api.service.nhs.uk/oauth2/token' \
>   -X POST \
>   -H "Content-Type: application/x-www-form-urlencoded" \
>   --data-binary 'subject_token_type=urn%3Aietf%3Aparams%3Aoauth%3Atoken-type%3Aid_token&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Atoken-exchange&client_assertion=<client_assertion JWT>&subject_token=<subject_token JWT>'
Subject Token:
Decoded:
> Header:
> {
> "alg": "RS512",
> "aud": "jpmonette-patient-services",
> "exp": 1753441500,
> "iat": 1753437900,
> "iss": "https://auth.sandpit.signin.nhs.uk",
> "jti": "f6d4b8f3-232d-4f8f-8532-92e2d0bfb2b4",
> "kid": "ac1029d2cb81b4527a0b63e2b4f280345f04dd42",
> "sub": "49f470a1-cc52-49b7-beba-0f9cec937c46",
> "typ": "JWT"
> }
> Payload:
> {
> "iss": "https://auth.sandpit.signin.nhs.uk",
> "sub": "49f470a1-cc52-49b7-beba-0f9cec937c46",
> "aud": "jpmonette-patient-services",
> "iat": 1753437900,
> "vtm": "https://auth.sandpit.signin.nhs.uk/trustmark/auth.sandpit.signin.nhs.uk",
> "auth_time": 1753437892,
> "vot": "P9.Cp.Cd",
> "exp": 1753441500,
> "jti": "f6d4b8f3-232d-4f8f-8532-92e2d0bfb2b4",
> "nhs_number": "9686368973",
> "identity_proofing_level": "P9",
> "id_status": "verified",
> "token_use": "id",
> "surname": "MILLAR",
> "family_name": "MILLAR",
> "birthdate": "1968-02-12"
> }
Hopefully this provides a bit more information.
Thanks
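The two errors in this thread refer to two different JWTs in the same request: the client_assertion built by the application and the subject_token issued by NHS login. The following is an added example, not code from the thread or from the API platform, which decodes both tokens locally and lists claim mismatches before the request is sent. The function names, `EXAMPLE_API_KEY` and `example-client` are hypothetical, the sample tokens are constructed and unsigned, and the expected values are assumptions the caller takes from their own app registration and the documentation for the target environment.

```javascript
// Decode a JWT payload WITHOUT verifying the signature (debugging aid only).
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('expected a compact JWT with 3 segments');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// `expected` = caller-supplied assumptions: apiKey, tokenUrl, idpIssuer, idpClientId.
function checkTokenExchange(clientAssertion, subjectToken, expected, now) {
  const ca = decodeClaims(clientAssertion); // built and signed by the application
  const st = decodeClaims(subjectToken);    // ID token issued by the identity provider
  const problems = [];
  const need = (ok, msg) => { if (!ok) problems.push(msg); };
  need(ca.iss === expected.apiKey && ca.sub === expected.apiKey,
    "client_assertion: 'iss' and 'sub' must both be the API key");
  need(ca.aud === expected.tokenUrl,
    `client_assertion: 'aud' is '${ca.aud}', request goes to '${expected.tokenUrl}'`);
  need(typeof ca.jti === 'string' && ca.jti !== '', "client_assertion: 'jti' missing");
  need(ca.exp > now, "client_assertion: 'exp' missing or in the past");
  need(st.iss === expected.idpIssuer,
    `subject_token: 'iss' is '${st.iss}', expected '${expected.idpIssuer}'`);
  need(st.aud === expected.idpClientId,
    `subject_token: 'aud' is '${st.aud}', expected '${expected.idpClientId}'`);
  need(st.exp > now, "subject_token: 'exp' missing or in the past");
  return problems;
}

// Constructed, unsigned sample token; the third segment is a dummy, not a signature.
function fakeJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.dummy`;
}

function demo() {
  const now = 1700000000; // constructed clock value, seconds since epoch
  const expected = {
    apiKey: 'EXAMPLE_API_KEY', idpClientId: 'example-client', // placeholders
    tokenUrl: 'https://dev.api.service.nhs.uk/oauth2/token',
    idpIssuer: 'https://auth.sandpit.signin.nhs.uk',
  };
  const clientAssertion = fakeJwt({ iss: expected.apiKey, sub: expected.apiKey,
    jti: 'constructed-jti', aud: 'dev.api.service.nhs.uk/oauth2', exp: now + 300 });
  const subjectToken = fakeJwt({ iss: expected.idpIssuer, sub: 'constructed-user',
    aud: expected.idpClientId, exp: now + 3600 });
  return checkTokenExchange(clientAssertion, subjectToken, expected, now);
}
console.log(demo());
```

The check only compares claims; the gateway still verifies both signatures and applies its own rules.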