Valid AUD Claim

I'm struggling to get an access token.
What could be the correct 'aud' claim for a valid iSHARE identifier of the server?
Cannot find it anywhere in the documentation.

Hi!

If you are trying to get an access token from the Scheme Owner, check out this part of the documentation. If you are trying to figure out the client_assertion, check out how iSHARE JWTs look.

You are probably looking for the party identifier of the Scheme Owner in this case: EU.EORI.NL000000000

Thank you.

I'm trying to get an access token from the Scheme Owner but I get:
{"error": "invalid_client"}

What I did:

- Add x5c parameter to header that consists of the last three blocks of the certificate as an array.
- Construct payload:
payload = {
  "iss": "Our Company Identifier",
  "sub": "Our Company Identifier",
  "aud": "EU.EORI.NL000000000",
  "jti": "ae043e1-7f322sdf-ecc9182",
  "exp": epoch+30,
  "iat": epoch
};
- Sign with private key using RS256 algorithm.
- Get JWT.

Then:

Send post request to https://scheme.isharetest.net/connect/token

Post request body:
grant_type=client_credentials
scope=iSHARE
client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_assertion= JWT
client_id=Our Company Identifier

What could be the possible reason for the invalid_client error?

Might have to do with the JWT Header. Could you try:
{
  "alg": "RS256",
  "typ": "JWT",
  "x5c": ["your certificate string"]
}

I have created the following JWT just now as an example: This would be the client assertion that ABC Trucking (party_id = EU.EORI.NL000000001) would use if they request an access token from Scheme Owner (client_id = EU.EORI.NL000000000). You can decode it online at jwt.io to see the details.

Client_assertion


On this page, the example of the JWT header's x5c parameter has 3 blocks of certificate.

However, on this page the example of the JWT header's x5c parameter has 1 block of certificate.

My header looks like this:

{
  "alg": "RS256",
  "typ": "JWT",
  "x5c": [
    "2nd block of certificate",
    "3rd block of certificate",
    "4th block of certificate"
  ]
}

The client_assertion that you sent me has 1 block of certificate string.

Can you be more specific for x5c parameter?

The “x5c” value for you should contain as the first element of that array your own certificate, i.e. the string that starts with

"MIIEgzCCAmugAwIBAgIIWV0mf7ygumAwDQYJKoZ…" (your certificate)

without linebreaks.

To get an access token from the scheme owner on test network, it works if you only provide your own certificate. In general in iSHARE you correctly refer to

  • Signed JWTs MUST contain an array of the complete certificate chain that should be used for validating the JWT’s signature in the x5c header parameter up until an Issuing CA is listed from the iSHARE Trusted List (regarding the eIDAS Framework, with all individual CAs listed on the Trusted List, it is expected that this x5c Header only contains the client’s certificate)

I changed my x5c parameter as you said.
Now my header looks like this:
{
  "alg": "RS256",
  "typ": "JWT",
  "x5c": ["MIIEgzCCAmugAwIBAgIIWV0mf7ygumAwDQYJKoZ…"]
}

But still I get {"error": "invalid_client"}

Edit:

client_assertion


OK, the x5c looks fine, but there are two minor errors in the Payload:

  • "exp" should be in seconds since epoch, it is now in milliseconds
  • "iat" was missing

You have now

{
  "iss": "EU.EORI.NL066826748",
  "sub": "EU.EORI.NL066826748",
  "aud": "EU.EORI.NL000000000",
  "jti": "ae043e1-7f322sdf-ecc9182",
  "exp": 1552654925174
}

Which should be

{
  "iss": "EU.EORI.NL066826748",
  "sub": "EU.EORI.NL066826748",
  "aud": "EU.EORI.NL000000000",
  "jti": "ae043e1-7f322sdf-ecc9182",
  "exp": 1552654925,
  "iat": 1552654895
}

Actually I have an 'iat' claim, but after signing that claim disappears.
I found that the NodeJS JWT module has a 'noTimestamp' option and I disabled that option.
Now my payload looks like you told me.

But still no chance, invalid_client error

Could you post the client_assertion again?

Updated client_assertion
