How to authenticate using backend services authorization

The token endpoint is: https://fhir.careevolution.com/Master.Adapter1.WebClient/identityserver/connect/token

Client ID: JWTClientCredentials

Issuer: JWTClientCredentials

Audience: https://fhir.careevolution.com/Master.Adapter1.WebClient/identityserver/connect/token

Scope: system/*.read or system/*.*

Signing private key:

-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----

Alternatively, you can download the certificate; its password is jwt.careevolution.com.

Corresponding public certificate (to check if the signature is valid):

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

The JWT must be signed with the RS384 or RS256 algorithm (the specification prescribes RS384, but RS256 is also supported).

The key identifier (kid) is 7851B3BBDA1B5E0212D65D5CFB66538D03170C00 and the X.509 certificate thumbprint (x5t) is eFGzu9obXgIS1l1c-2ZTjQMXDAA; both are optional.

JWT header example:

{
  "typ": "JWT",
  "alg": "RS384"
}
or
{
  "typ": "JWT",
  "alg": "RS384",
  "kid": "7851B3BBDA1B5E0212D65D5CFB66538D03170C00"
}
or
{
  "typ": "JWT",
  "alg": "RS384",
  "x5t": "eFGzu9obXgIS1l1c-2ZTjQMXDAA"
}

JWT body example:

{
  "iss": "JWTClientCredentials",
  "sub": "JWTClientCredentials",
  "aud": "https://fhir.careevolution.com/Master.Adapter1.WebClient/identityserver/connect/token",
  "jti": "dffcd1b7-7633-4324-9e65-4729ef893afa",
  "exp": 1637709663
}

Please note that the example above is valid only for the pre-configured sandbox. In a production environment you provide either the certificate (public key) or the JWKS to use, you receive the corresponding client id, and you must use those when requesting the access token. kid and x5t remain optional; if specified, they must match the provided certificate (use x5t) or one of the keys in the JWKS (use kid).
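The following Go program is an added example, not code from CareEvolution or from this page. It builds the client assertion with exactly the header and claim set shown above, signs it with RS384, shows the form body a client POSTs to the token endpoint (the grant_type, client_assertion_type and client_assertion parameters come from RFC 7523 and are not spelled out on the page), and then performs the check the token endpoint does on the other side: pinned algorithm, signature verification, and iss/aud/exp validation. It also shows that the kid and x5t values on the page are the same SHA-1 certificate thumbprint in hex and base64url form. Because the sandbox private key cannot be embedded here, the program generates a throwaway RSA key as a stand-in; the function names and the jti value are my own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256" // registers SHA-256 for crypto.SHA256.New()
	_ "crypto/sha512" // registers SHA-384 for crypto.SHA384.New()
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Values taken from the page (sandbox configuration).
const (
	TokenEndpoint = "https://fhir.careevolution.com/Master.Adapter1.WebClient/identityserver/connect/token"
	ClientID      = "JWTClientCredentials"
	Scope         = "system/*.read"
	// RFC 7523 client assertion type: a fixed value, not taken from the page.
	AssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
)

// Claims is the JWT body shown on the page.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion signs {"typ":"JWT","alg":"RS384"[,"kid":...]} plus the claims with RS384.
// kid may be empty (it is optional per the page). jti must be unique per request.
func BuildAssertion(priv *rsa.PrivateKey, kid, jti string, exp time.Time) (string, error) {
	header := map[string]string{"typ": "JWT", "alg": "RS384"}
	if kid != "" {
		header["kid"] = kid
	}
	hb, err := json.Marshal(header)
	if err != nil {
		return "", err
	}
	cb, err := json.Marshal(Claims{Iss: ClientID, Sub: ClientID, Aud: TokenEndpoint, Jti: jti, Exp: exp.Unix()})
	if err != nil {
		return "", err
	}
	signingInput := b64(hb) + "." + b64(cb)
	h := crypto.SHA384.New()
	h.Write([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA384, h.Sum(nil))
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// TokenRequestForm is the application/x-www-form-urlencoded body POSTed to the token endpoint.
func TokenRequestForm(assertion, scope string) url.Values {
	return url.Values{
		"grant_type":            {"client_credentials"},
		"client_assertion_type": {AssertionType},
		"client_assertion":      {assertion},
		"scope":                 {scope},
	}
}

// VerifyAssertion is the server-side check: only RS384/RS256 are accepted (never "none"
// or an HMAC alg), the signature must verify under the registered public key, and
// iss, aud and exp must match the sandbox values. Claims are only trusted after the
// signature check succeeds.
func VerifyAssertion(token string, pub *rsa.PublicKey, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed JWT")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hb, &header); err != nil {
		return c, err
	}
	var hash crypto.Hash
	switch header.Alg {
	case "RS384":
		hash = crypto.SHA384
	case "RS256":
		hash = crypto.SHA256
	default:
		return c, fmt.Errorf("alg %q not allowed", header.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	h := hash.New()
	h.Write([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, hash, h.Sum(nil), sig); err != nil {
		return c, errors.New("bad signature")
	}
	cb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	if err := json.Unmarshal(cb, &c); err != nil {
		return c, err
	}
	if c.Iss != ClientID || c.Aud != TokenEndpoint {
		return c, errors.New("iss or aud mismatch")
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return c, errors.New("assertion expired")
	}
	return c, nil
}

// X5tFromHexThumbprint converts a hex SHA-1 certificate thumbprint (the form the page
// gives as kid) to the base64url form JOSE uses for x5t.
func X5tFromHexThumbprint(hexThumb string) (string, error) {
	raw, err := hex.DecodeString(hexThumb)
	if err != nil {
		return "", err
	}
	if len(raw) != 20 {
		return "", errors.New("SHA-1 thumbprint must be 20 bytes")
	}
	return b64(raw), nil
}

func main() {
	// Throwaway key standing in for the sandbox signing key (constructed, not the page's key).
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tok, err := BuildAssertion(priv, "7851B3BBDA1B5E0212D65D5CFB66538D03170C00", "example-jti-0001", time.Now().Add(5*time.Minute))
	if err != nil {
		panic(err)
	}
	fmt.Println("POST", TokenEndpoint)
	fmt.Println(TokenRequestForm(tok, Scope).Encode())
	if _, err := VerifyAssertion(tok, &priv.PublicKey, time.Now()); err != nil {
		panic(err)
	}
	x5t, _ := X5tFromHexThumbprint("7851B3BBDA1B5E0212D65D5CFB66538D03170C00")
	fmt.Println("x5t from kid:", x5t) // matches the page's eFGzu9obXgIS1l1c-2ZTjQMXDAA
}
```

Keep the assertion lifetime short (the sample above uses five minutes): the page's body carries only exp, so a long-lived assertion that leaks can be replayed until it expires unless the server also tracks jti.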