FHIR Chat · Connectathon: SMART Launch JWKS · smart

Stream: smart

Topic: Connectathon: SMART Launch JWKS


view this post on Zulip Ricardo Quintano (Jan 10 2022 at 11:39):

Hi all,

We are testing launching a Java app with https://smart.argo.run/ . We are using the following launch parameters:
- Validate that my client performs PKCE
- Client Identity Validation Method: client-confidential-asymmetric

We are getting the following response when requesting an access token (http://hl7.org/fhir/smart-app-launch/app-launch.html#obtain-access-token):

<html>

<head>
<title>502 Bad Gateway</title>
</head>

<body>
<center>
<h1>502 Bad Gateway</h1>
</center>
<hr>
<center>nginx</center>
</body>

</html>

Do you have any suggestions on how to solve this error? Attached are A.png, B.png and C.png:
A. jwks.json.
B. The body of the POST request
C. The POST request and response (Postman) - which is the same response we are getting in the Java console.

Thanks!

view this post on Zulip Josh Mandel (Jan 10 2022 at 14:43):

Hmm, thanks for the report! Will see if we can reproduce with the demo app, and will check error logs -- normally a Bad Gateway error would be transient, but there's not a ton to go on here. Could you also paste the text of the full request inside code block (triple back quotes in zulip)? Screenshots can make it hard to dig into the tokens, etc.

view this post on Zulip Josh Mandel (Jan 10 2022 at 14:53):

Also, for debugging: you mentioned that you have two validation options turned on in the launcher. Do you get the same errors if you turn off one or both of the validation options?

view this post on Zulip Ricardo Quintano (Jan 10 2022 at 14:58):

Thanks Josh! Here it is. I generated a new one.

2022-01-10 15:54:15.476  INFO 1860 --- [nio-8080-exec-7] c.p.r.l.utils.LoggingRequestInterceptor  : URI         : https://smart.argo.run/v/r4/auth/token
2022-01-10 15:54:15.476  INFO 1860 --- [nio-8080-exec-7] c.p.r.l.utils.LoggingRequestInterceptor  : Method      : POST
2022-01-10 15:54:15.476  INFO 1860 --- [nio-8080-exec-7] c.p.r.l.utils.LoggingRequestInterceptor  : Headers     : [Accept:"text/plain, application/json, application/*+json, */*", Content-Type:"application/x-www-form-urlencoded;charset=UTF-8", Content-Length:"2544"]
2022-01-10 15:54:15.476  INFO 1860 --- [nio-8080-exec-7] c.p.r.l.utils.LoggingRequestInterceptor  : Request body: code=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJjb250ZXh0Ijp7Im5lZWRfcGF0aWVudF9iYW5uZXIiOmZhbHNlLCJzbWFydF9zdHlsZV91cmwiOiJodHRwczovL3NtYXJ0LmFyZ28ucnVuLy9zbWFydC1zdHlsZS5qc29uIiwidmFsX21ldGhvZCI6ImNjLWFzeW0iLCJqd2tzX3VyaSI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9qd2tzLmpzb24iLCJqd2tzIjoie1wia2V5c1wiOlt7XCJrdHlcIjpcIlJTQVwiLFwiZVwiOlwiQVFBQlwiLFwidXNlXCI6XCJzaWdcIixcImtpZFwiOlwiZDQ2ZDAwYzMtNGE0YS00YTkxLWExNWMtYzhkOTg2MjMxMTljXCIsXCJhbGdcIjpcIlJTMzg0XCIsXCJuXCI6XCJrRk84VGdpcGItcVFzZ1ZXeldIUm93NG9OOExwdmZIRnQ0NGVuN21ROHBHYmhuMDFQSDBaQzBWZGl4RFc3bnBiV1VfMDZueWpFamtGNTJWSmJyYWwwa05aXzFCNjl1TmUxdGZ0bVJoTW91SGw4aUxhMDMzYnlPdENWcmdVQWNldkJEVko1TnlKbnJZYXNyTWVuNWxSQXZJZTJuRFNCWlVnQ1ZuSTlENjJHbnZZRklyTzd2WkZreHNpYng5TW1Kd2Nxdy1ZNVpfV3hSX2FzX1VHLVFiY1FsTUgxaTVVN2dQMXN2QW5qcF9jdk5aRFk5Zy1iaUphLVQ2SXlQdzhMaFBXSWowRGtXTjdETk95ejQ5UlhGblUzVGpKM2pmMUxLZGpKYnoxc0pfZDhoZlUzRWEzVmVRZVFob1lGMlRzOWFtVmR4QkkzT09HNkgtcmZ5elJPbVJCbFFcIn1dfSIsInBhdGllbnQiOiIyY2RhNWFhZC1lNDA5LTQwNzAtOWExNS1lMWMzNWM0NmVkNWEiLCJlbmNvdW50ZXIiOiIxZTM4Yjc3MS1lYTg3LTQzNDMtYTVhOC02MDAyMjM3NGNiYWEifSwiY2xpZW50X2lkIjoiNDI3Yzk5ZTUtZTZhMC00OWIxLTgyMDEtNGYxOGRjNzVlZjFkIiwiY29kZV9jaGFsbGVuZ2VfbWV0aG9kIjoiUzI1NiIsImNvZGVfY2hhbGxlbmdlIjoiV2FWNHJUeExpcDRuOXVVajF6MmNVcm44WG9RajhjUzdxd3Bydk9zMk8xayIsInNjb3BlIjoibGF1bmNoIGxhdW5jaC9wYXRpZW50IHBhdGllbnQvT2JzZXJ2YXRpb24ucmVhZCBwYXRpZW50L1BhdGllbnQucmVhZCIsInJlZGlyZWN0X3VyaSI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MC9zbWFydC9yZWRpcmVjdCIsImlhdCI6MTY0MTgyNjQ1NSwiZXhwIjoxNjQxODI2NzU1fQ.5aCihPSviKhIG9FrKB_H8dsTKtmpjnVxEuByu-SW1Ck&grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fsmart%2Fredirect&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJqa3UiOiJodHRwOlwvXC9sb2NhbGhvc3Q6ODA4MFwvandrcy5qc29uIiwia2lkIjoiZDQ2ZDAwYzMtNGE0YS00YTkxLWExNWMtYzhkOTg2MjMxMTljIiwidHlwIjoiSldUIiwiYWxnIjoiUlMzODQifQ.eyJpc3MiOiI0MjdjOT
llNS1lNmEwLTQ5YjEtODIwMS00ZjE4ZGM3NWVmMWQiLCJzdWIiOiI0MjdjOTllNS1lNmEwLTQ5YjEtODIwMS00ZjE4ZGM3NWVmMWQiLCJhdWQiOiJodHRwczpcL1wvc21hcnQuYXJnby5ydW5cL3ZcL3I0XC9hdXRoXC90b2tlbiIsImV4cCI6MTY0MTgyNjUxNSwianRpIjoiODNlMjI5OWYtZGI3ZC00MWEyLTkyODktMDY0Y2EyY2VmZDVkIn0.II_26YchntrBaETP-i558FzPtf2gd-pSDFvM3-Tg13DoJoC-EPy_UHYXYWVcPtyZQv6jqMWa0bnEqFmIjCsMWmnjq--jIS_Pe01lSDao6mpmdGtGstMXNPqzqLHsj9AOy9ryoncNtv3ZrPsYRjrpxpM1poUTIUeNdYssh52yJdIEqYGuzXIvdws-SUkTjUSAjXj8StZhaz10DG2_7n56xDsQE7TNBkE1c4KHuJoi-c7S3BqowsoEXnBJEJDwzSyYBRUHnJxBctduUjp4fMwSA8g54TOCl4gEwm-4DSlKZbHyvo3Or2mX2-VyeD3ooyaQQZlyglUqFOCuZ2r3sSw_xw&code_verifier=a3nnKLRYw3nvl5ukrrbaispIAGjlnx9j2ZNlJbqEpsU

public key

{"kty":"RSA","e":"AQAB","use":"sig","kid":"d46d00c3-4a4a-4a91-a15c-c8d98623119c","alg":"RS384","n":"kFO8Tgipb-qQsgVWzWHRow4oN8LpvfHFt44en7mQ8pGbhn01PH0ZC0VdixDW7npbWU_06nyjEjkF52VJbral0kNZ_1B69uNe1tftmRhMouHl8iLa033byOtCVrgUAcevBDVJ5NyJnrYasrMen5lRAvIe2nDSBZUgCVnI9D62GnvYFIrO7vZFkxsibx9MmJwcqw-Y5Z_WxR_as_UG-QbcQlMH1i5U7gP1svAnjp_cvNZDY9g-biJa-T6IyPw8LhPWIj0DkWN7DNOyz49RXFnU3TjJ3jf1LKdjJbz1sJ_d8hfU3Ea3VeQeQhoYF2Ts9amVdxBI3OOG6H-rfyzROmRBlQ"}

view this post on Zulip Josh Mandel (Jan 10 2022 at 15:13):

Thanks -- I'm able to reproduce this behavior when I put invalid data into the JWKS box at https://smart.argo.run (to be clear, these errors are not helpful and we need to surface better errors -- just want to figure out what's going on first).

Can you clarify whether you're supplying a JWKS by URL or inline at this form, and if inline, can you share the actual content of this JWKS? Specifically, it's important to check that you're pasting a JWKS and not a "bare" JWK (i.e. a JSON structure like { "keys": [{...


view this post on Zulip Ricardo Quintano (Jan 10 2022 at 15:35):

In our initial tests we provided the JWKS by URL.
After your remark we tried inline and it worked. Now we get a 200 - we copied the exact same content from the URL.

view this post on Zulip Ricardo Quintano (Jan 10 2022 at 15:37):

Here is a new example:

2022-01-10 16:28:54.269  INFO 23836 --- [nio-8080-exec-5] c.p.r.l.utils.LoggingRequestInterceptor  : URI         : https://smart.argo.run/v/r4/auth/token
2022-01-10 16:28:54.269  INFO 23836 --- [nio-8080-exec-5] c.p.r.l.utils.LoggingRequestInterceptor  : Method      : POST
2022-01-10 16:28:54.269  INFO 23836 --- [nio-8080-exec-5] c.p.r.l.utils.LoggingRequestInterceptor  : Headers     : [Accept:"text/plain, application/json, application/*+json, */*", Content-Type:"application/x-www-form-urlencoded;charset=UTF-8", Content-Length:"2544"]
2022-01-10 16:28:54.269  INFO 23836 --- [nio-8080-exec-5] c.p.r.l.utils.LoggingRequestInterceptor  : Request body: code=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.cMKbnSA5wXwZ6KWESyOUaCqN8e_cxzIVaaynmPotXRw&grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fsmart%2Fredirect&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=eyJqa3UiOiJodHRwOlwvXC9sb2NhbGhvc3Q6ODA4MFwvandrcy5qc29uIiwia2lkIjoiZmIzOGNlOWYtMjUwYS00YTA1LThhZTItNDExMzkxZjkzZDViIiwidHlwIjoiSldUIiwiYWxnIjoiUlMzODQifQ.eyJpc3MiOiI0MjdjOTllNS1lNmEwLTQ5YjEtODIwMS00ZjE4ZGM3NWVmMWQiLCJzdWIiOiI0MjdjOTllNS1lNmEwLTQ5YjEtODIwMS00ZjE4ZGM3NWVmMWQiLCJhdWQiOiJodHRwczpcL1wvc21hcnQuYXJnby5ydW5cL3ZcL3I0XC9hdXRoXC90b2tlbiIsImV4cCI6MTY0MTgyODU5MCwianRpIjoiYzNjMmMyZTItZDg3My00ZmY3LTk2NTAtNTEwOWFiYjUxNjFiIn0.WaftPGsHkxeAvvchzjSfAdN2bnUFBnSVrSjVL8-jgNXwTone7tN-LRVWdl7n2S6vJQcJ53PhKTHckQK-rk9M2c1lwIWEYnXV-pMSNlzPXN3zWJSxIFFTwqKHGszu94DHSjdpMnrM5wEhw1ozcA9ryGfPO_LpHie0XK0H8TjP_o_9V6MxLBLYmyDsm6zvSq-NBEhJXQa777_tjxyHF7Y2qpN9lQtimhXh-uVOKyhMT2FUolR22b5WbV9dJpt0j-vNdglhEosECTM4LWHP51wcuSyp65fFxyueMdKD1FXxHNpREk7oloh_fvZxWEZkDDSDfmmoVX7uNqV2hgN2hduJag&code_verifier=m1yQcBkzG4n3w6OWLV1bzvOz95EJxmQlfH7V-sgNCFA

And the JWKS

{"keys":[{"kty":"RSA","e":"AQAB","use":"sig","kid":"fb38ce9f-250a-4a05-8ae2-411391f93d5b","alg":"RS384","n":"zJGS53X6_0isdZWTczw-Dhhp_hM5P5IM15yntU-jq38Dp1XswQdT_lQCVcXFeIJIZesCGoZgYETEarWC_TfbT-J6COPhVCMBohOi-q-vKWUx0q2jkHcsvDTzwVOqqD3_E1J0qtdcainFygnN8Lj77a8DUBpWYsCn7UWfWazXdC1BbPXMf2DPrZc_PYhq-pwh4P5-wyuXMpEf2R1PERXsUZfGWx0ATL6UNOKbLuwwFDAXVNvb8GkKXng626ql9LCAYDxWU13BQqvkDG0i5QcMOOTE773pBlmKSsKa6yNyQYhhuMEaSxPDOfQ2Vscsjim6pHXp4ecwDuiziFEsp0SHhw"}]}

view this post on Zulip Ricardo Quintano (Jan 10 2022 at 16:03):

Thank you very much @Josh Mandel - Now we can get observations from the FHIR server! :)

view this post on Zulip Josh Mandel (Jan 10 2022 at 16:08):

Thanks for the details here -- sounds like a problem in our JWKS URL resolution + in our error reporting (but glad you are un-stuck for now).

view this post on Zulip Josh Mandel (Jan 10 2022 at 16:08):

I'll debug.

view this post on Zulip Josh Mandel (Jan 10 2022 at 16:19):

Can you let me know where your JWKS is hosted? I'm guessing it may be a CORS issue, since it's fetched from the Launcher's browser UI at setup time.

view this post on Zulip Josh Mandel (Jan 10 2022 at 16:58):

Also: I've added more client-facing error logs to the launcher, so the reports will include a stack trace into our reference implementation. Should help with debugging issues as they come up during the connectathon.

view this post on Zulip Ricardo Quintano (Jan 10 2022 at 18:18):

The JWKS is hosted as a method in our app.
http://localhost:8080/jwks.json ---> generates/returns the JWKS
http://localhost:8080/smart/launch ---> launches the app.

view this post on Zulip Josh Mandel (Jan 10 2022 at 21:39):

Ah, so if you're only hosting locally you'll need to paste in a JWKS because... your localhost web server won't be visible to the SMART Launcher backend


Last updated: Apr 12 2022 at 19:14 UTC