Tags: oauth, single-page-application, hl7-fhir, epic

How to resolve EPIC's FHIR OAuth2 dynamic registration "invalid_client_metadata" error? Does EPIC's dynamic registration endpoint work?


I'm currently developing a Single Page Application (SPA) that is attempting to implement EPIC's Standalone Launch with Dynamic Registration. I am currently stuck on the step that requires the SPA to register itself at the https://fhir.epic.com/interconnect-fhir-oauth/oauth2/register endpoint with a JSON Web Key Set. Every time I do this, I get this response back:

{
  "error": "invalid_client_metadata",
  "error_description": null
}

The request I'm sending looks like the following:

POST https://fhir.epic.com/interconnect-fhir-oauth/oauth2/register 
Content-type: application/json
Authorization: Bearer <redacted>

{
   "software_id":"<sandbox-id>",
   "jwks":{
      "keys":[
         {
            "e":"AQAB",
            "kty":"RSA",
            "n":"tK2-...<redacted>...Q93sc",
            "kid":"1"
         }
      ]
   }
}

I'm generating private/public key pairs using WebCrypto, and I've verified that the JWKS of the public key I'm sending over is valid (I have tested signing and verifying JWTs using WebCrypto and validated them on jwt.io).

I've created a minimal reproduction repo on github that shows this issue. I've also deployed that repo so you can see the issue yourself.

To walk through the steps, I've been able to successfully do the following:

1. Request an Authorization Code
2. Exchange the Authorization Code for an Access Token

I am currently stuck specifically on using the Access Token and registering my SPA via the /oauth2/register endpoint. I know that the Access Token I'm receiving back is valid, as I can access other protected FHIR endpoints using it. I've tried making the request both in a browser and in Postman; neither seems to work.

I am starting to wonder if anyone has ever been able to successfully register using the dynamic registration endpoint before. Searching Google and Stack Overflow for this specific issue returns nothing.


Solution

  • Couple of things to try:

    1. In web-crypto.ts, you have the hash in the config set like this: hash: "SHA-384". Per the docs, it seems it should be this instead: hash: { name: "SHA-384" }.
    2. If that doesn't work, try bumping down the key length to 2048.

    Also, this isn't causing your issue, but FYI that your scope parameter in the /authorize call is invalid. Valid scopes are openid and fhirUser (can include both separated by a space).