The token endpoint is: https://fhir.careevolution.com/Master.Adapter1.WebClient/identityserver/connect/token
Client ID: JWTClientCredentials
Issuer: JWTClientCredentials
Audience: https://fhir.careevolution.com/Master.Adapter1.WebClient/identityserver/connect/token
Scope: system/*.read or system/*.*
Signing private key:
You can download the certificate; it has the password jwt.careevolution.com.
Corresponding public certificate (to check if the signature is valid):
The JWT must be signed using the RS384 or the RS256 algorithm (the specifications prescribe RS384, but we also support RS256).
The key identifier (kid) is 7851B3BBDA1B5E0212D65D5CFB66538D03170C00 and the X.509 certificate thumbprint (x5t) is eFGzu9obXgIS1l1c-2ZTjQMXDAA, but they are both optional.
JWT header example:
{ "typ": "JWT", "alg": "RS384" }
or
{ "typ": "JWT", "alg": "RS384", "kid": "7851B3BBDA1B5E0212D65D5CFB66538D03170C00" }
or
{ "typ": "JWT", "alg": "RS384", "x5t": "eFGzu9obXgIS1l1c-2ZTjQMXDAA" }
JWT body example:
{ "iss": "JWTClientCredentials", "sub": "JWTClientCredentials", "aud": "https://fhir.careevolution.com/Master.Adapter1.WebClient/identityserver/connect/token", "jti": "dffcd1b7-7633-4324-9e65-4729ef893afa", "exp": 1637709663 }
Please note that the example above is valid only for the pre-configured sandbox configuration. In a production environment you will provide either the certificate (public key) or the JWKS to use, you will receive the corresponding client ID, and you will have to use those when requesting the access token. kid and x5t remain optional; if specified, they must match the provided certificate (use x5t) or one of the keys in the JWKS (use kid).
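A pre-flight check for the sandbox header and claims described above, as an added example that is not CareEvolution's code. It uses only values from this page, shows that the published kid is the hex form of the same 20 bytes that x5t carries in base64url, and builds the header.payload string that an RSA library would then sign with RS384 or RS256. The function names and the 300-second lifetime are assumptions.

```python
import base64, json, time, uuid

# Values copied from this page (sandbox configuration).
TOKEN_ENDPOINT = ("https://fhir.careevolution.com/Master.Adapter1.WebClient"
                  "/identityserver/connect/token")
CLIENT_ID = "JWTClientCredentials"
KID = "7851B3BBDA1B5E0212D65D5CFB66538D03170C00"
X5T = "eFGzu9obXgIS1l1c-2ZTjQMXDAA"
ALLOWED_ALGS = {"RS384", "RS256"}

def b64url(data: bytes) -> str:
    """Unpadded base64url, as used for JWT segments and x5t."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def x5t_from_hex(thumbprint_hex: str) -> str:
    """Convert a hex thumbprint (the form of kid above) to x5t form."""
    return b64url(bytes.fromhex(thumbprint_hex))

def build_claims(now=None, lifetime=300):
    """Claims shaped like the body example; lifetime is an assumption."""
    now = int(time.time()) if now is None else now
    return {"iss": CLIENT_ID, "sub": CLIENT_ID, "aud": TOKEN_ENDPOINT,
            "jti": str(uuid.uuid4()), "exp": now + lifetime}

def check_assertion(header: dict, claims: dict, now=None) -> list:
    """Return the list of problems; an empty list means nothing was found."""
    now = int(time.time()) if now is None else now
    problems = []
    if header.get("alg") not in ALLOWED_ALGS:
        problems.append("alg must be RS384 or RS256")
    if "kid" in header and header["kid"] != KID:
        problems.append("kid does not match the configured key")
    if "x5t" in header and header["x5t"] != X5T:
        problems.append("x5t does not match the configured certificate")
    if claims.get("iss") != CLIENT_ID or claims.get("sub") != CLIENT_ID:
        problems.append("iss and sub must both be the client id")
    if claims.get("aud") != TOKEN_ENDPOINT:
        problems.append("aud must be the token endpoint")
    if not claims.get("jti"):
        problems.append("jti is missing")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("exp is missing or already in the past")
    return problems

def signing_input(header: dict, claims: dict) -> str:
    """base64url(header) + '.' + base64url(claims): the text the RSA key signs."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return enc(header) + "." + enc(claims)
```

The signature over `signing_input(...)` is appended as a third base64url segment to form the complete JWT.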