How to authenticate using backend services authorization

The token endpoint is: https://fhir.careevolution.com/Master.Adapter1.WebClient/identityserver/connect/token

Client ID: JWTClientCredentials

Issuer: JWTClientCredentials

Audience: https://fhir.careevolution.com/Master.Adapter1.WebClient/identityserver/connect/token

Scope: system/*.read or system/*.*

Signing private key:

-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
Alternatively, you can download the certificate; its password is jwt.careevolution.com.

Corresponding public certificate (to check if the signature is valid):

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

The JWT must be signed using the RS256 algorithm. This does not conform to the specification, which prescribes either RS384 or ES384, but it is what we have at the moment.

The JWT must have the x5t header property set to kd_Uob1ueoByiUFZQaiS8tPdto4= (the thumbprint of the above certificate)

JWT header example:

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "kd_Uob1ueoByiUFZQaiS8tPdto4="
}

JWT body example:

{
  "iss": "JWTClientCredentials",
  "sub": "JWTClientCredentials",
  "aud": "https://fhir.careevolution.com/Master.Adapter1.WebClient/identityserver/connect/token",
  "exp": 1583332880,
  "jti": "8b30fa537e075e98a3da4c6f5b64250f931fb3f85a386938d044f0a87176a381"
}
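
The header and body above, assembled into a signed client assertion and checked the way a token endpoint would check it, using only the Python standard library. This is an added example, not CareEvolution's code: N, D and E are a constructed, insecure stand-in key rather than the key published above, and the form parameter names come from RFC 7523, not from this page.

```python
import base64, hashlib, json, secrets, time, urllib.parse

TOKEN_URL = "https://fhir.careevolution.com/Master.Adapter1.WebClient/identityserver/connect/token"
CLIENT_ID = "JWTClientCredentials"      # used as both iss and sub, per the page
X5T = "kd_Uob1ueoByiUFZQaiS8tPdto4="    # certificate thumbprint, per the page
# CONSTRUCTED stand-in key, NOT the page's key: two Mersenne primes give a
# valid but trivially factorable RSA key, good only for exercising this code.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_digest(message, n):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    k = (n.bit_length() + 7) // 8
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def build_assertion(n, d, lifetime=300, now=None):
    """Return a signed RS256 client assertion with a fresh jti and a short exp."""
    now = int(time.time()) if now is None else now
    header = {"typ": "JWT", "alg": "RS256", "x5t": X5T}
    claims = {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": TOKEN_URL,
              "exp": now + lifetime, "jti": secrets.token_hex(32)}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    k = (n.bit_length() + 7) // 8
    signature = pow(encode_digest(signing_input.encode(), n), d, n).to_bytes(k, "big")
    return signing_input + "." + b64url(signature)

def verify_assertion(token, n, e):
    """Verifier side: pin alg to RS256, then check the signature. Claims or None."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "RS256":
        return None
    expected = encode_digest(f"{head}.{body}".encode(), n)
    if pow(int.from_bytes(b64url_decode(sig), "big"), e, n) != expected:
        return None
    return json.loads(b64url_decode(body))

def token_request_form(assertion, scope="system/*.read"):  # field names: RFC 7523
    return urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": assertion})
```

Each call produces a new `jti`, so an assertion is never reused across token requests, and `verify_assertion` returns `None` for any token whose header, body or signature has been altered.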