EPIC FHIR SMART Backend Services: { "error": "invalid_client", "error_description": null }

I'm trying to implement the EPIC FHIR SMART Backend Services (Backend OAuth 2.0)
on go programming language.

I've created my dev account, uploaded the public key there, and selecting the backend system as the application audience.

I'm pretty sure my jwt token is correct. I've inspected it on jwt.io, the signature is correct. However, I always get this error:

> { "error": "invalid_client", "error_description": null }

I've tried other possible solutions as well such as:

• ensuring the expiration date within the jet claim is below 5 minutes
• placing the payload in the body with the correct content type, which is application/x-www-form-urlencoded
• ensuring to use the sandbox client_id
• using the correct jwt sign in method (RS384)

What should I do to resolve this issue?

Btw, I also saw several discussions on the google groups saying that it's worth to wait for one or two days after the dev account is created.

Below is my code. Appreciate the help!

var (
	oauth2TokenUrl  = "https://fhir.epic.com/interconnect-fhir-oauth/oauth2/token"
	sandboxClientID = "..."
	privateKey      = "..."
)

// load private key
signKey, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(privateKey))
So(err, ShouldBeNil)

// construct jwt claims
now := time.Now()
claims := jwt.MapClaims{
	"iss": sandboxClientID,
	"sub": sandboxClientID,
	"aud": oauth2TokenUrl,
	"jti": uuid.New().String(),             // fill with reference id
	"exp": now.Add(1 * time.Minute).Unix(), // cannot be more than 5 minutes!
}
log.Info("  => claims:", utility.ToJsonString(claims))

// generate signed token using private key with RS384 algorithm
alg := jwt.SigningMethodRS384
signedToken, err := jwt.NewWithClaims(alg, claims).SignedString(signKey)
So(err, ShouldBeNil)
log.Info("  => signed token", signedToken)

// prepare api call payload
payload := map[string]string{
	"grant_type":            "client_credentials",
	"client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
	"client_assertion":      signedToken,
}

// dispatch the api call
req := resty.New().
	R().
	EnableTrace().
	SetFormData(payload)
res, err := req.Post(oauth2TokenUrl)
So(err, ShouldBeNil)
log.Info("  => response status:", res.StatusCode())
log.Info("  => response header:", res.Header())
log.Info("  => response body:", string(res.Body()))

// parse response
resBody := make(map[string]interface{})
err = json.Unmarshal(res.Body(), &resBody)
So(err, ShouldBeNil)


</details>


# 答案1
**得分**: 9

太棒了，我现在明白了。

解决方案就是**等待**！这让我感到困惑，因为我在文档中找不到任何关于这个的解释，而且错误信息也不太友好。

总结一下，在创建开发应用程序并上传公钥之后，我们需要等待几个小时/几天，然后凭证最终将可用。

等待部分适用于**开放史诗**和**应用市场**的开发者账户。

<details>
<summary>英文:</summary>

Fantastic, I got it working now.

The solution is simply **waiting**! it was confusing because I can&#39;t find any explanation about this on the doc, and also the error message is not quite friendly.

in summary, after creating dev app and the public key is uploaded there, we have to wait for a few hours/days, and then the credentials will eventually be usable.

The waiting part is applied to both **open epic** and **app orchard** dev accounts.


</details>



# 答案2
**得分**: 4

似乎 Epic 游戏公司有一种每天运行一次的同步机制。所以在创建账户后等待是唯一的解决办法。请注意，在应用程序设置中更改“Endpoint URI”后，您还需要等待一段时间。

当将 `redirect_uri` 参数设置为类似 `localhost:3000` 的内容时，也会出现错误 `{ "error": "invalid_client", "error_description": null }`。

<details>
<summary>英文:</summary>

It seems that Epic has some kind of synchronising mechanism which runs once a day. So waiting after account create is the only solution. Please also note that, in app settings after `Endpoint URI` change you also have to wait some time.

Error `{ &quot;error&quot;: &quot;invalid_client&quot;, &quot;error_description&quot;: null }` also shows up when `redirect_uri` param is set to something like `localhost:3000`.

</details>



# 答案3
**得分**: 1

我也遇到了这个问题。在我的情况下，我在Epic SMART on FHIR应用程序的"应用受众"中选择了"患者"。我能够在测试服务器上成功获取授权码，但是当我尝试将其交换为访问令牌时，我收到了"invalid_client"的错误消息。

我犯的错误是**HTTP POST中的`redirect_uri`必须是一个绝对URL，并且必须与您为应用程序指定的重定向URI匹配。如果重定向URI无效，生成的错误消息将显示"invalid client"（这是误导性的）。**

以下是我使用的Python代码示例...

    data = {
        'grant_type': 'authorization_code',
        'code': request.GET.get('code'),
        'redirect_uri': 'http://127.0.0.1:8000/ehr_connection_complete/', # 这必须是一个绝对URL
        'client_id': '11111111-2222-3333-4444-555555555555',
    }
    response = post(url, data)

对于`redirect_uri`参数出现错误时生成"invalid_client"的错误消息，我觉得有点奇怪，但这在Epic的测试FHIR服务器上是正确的。

希望这些信息对其他人有所帮助。

<details>
<summary>英文:</summary>

I encountered this problem too. In my case, I was using &quot;Patients&quot; as the &quot;Application Audience&quot; selected for the Epic SMART on FHIR app. I was able to successfully obtain an authorization code on the test server, but when I attempted to exchange it for an access token I received &quot;invalid_client&quot; error message.

The mistake I made is that **the `redirect_uri` in the HTTP POST must be an absolute URL and must match a redirect URI you have specified for your app. If the redirect URI is invalid, the resulting error message will say &quot;invalid client&quot; (which is misleading).**

Here is a sample of the Python code I was using...

		data = {
			&#39;grant_type&#39;: &#39;authorization_code&#39;,
			&#39;code&#39;: request.GET.get(&#39;code&#39;),
			&#39;redirect_uri&#39;: &#39;http://127.0.0.1:8000/ehr_connection_complete/&#39;, # THIS MUST BE AN ABSOLUTE URL
			&#39;client_id&#39;: &#39;11111111-2222-3333-4444-555555555555&#39;,
		}
		response = post(url, data)

It felt odd to me that an error with the `redirect_uri` parameter generates an error message about `invalid_client`, but it&#39;s true with Epic&#39;s test FHIR server.

I hope this information helps others.

</details>