Epic BackendService app not returning auth_token

Hi, we are trying to create a backend service app so we can integrate
with Epic’s FHIR API, and we have been following the backend service
documentation from the epic docs ( Documentation - Epic on FHIR ), and haven’t been able to make it
The response we get is
“error”: “invalid_client”,
“error_description”: null

The request we are making is a POST to /interconnect-fhir-oauth/oauth2/token, with:
“grant_type”: “client_credentials”,
“client_assertion_type”: “urn:ietf:params:oauth:client-assertion-type:jwt-bearer”,
“client_assertion”: <>

And the JWT has the following data:
“typ”: “JWT”,
“alg”: “HS256”
“iss”: <>,
“sub”: <>,
“aud”: “https://fhir.epic.com/interconnect-fhir-oauth/oauth2/token”,
“exp”: <<now + 5 minutes (in seconds) >>, // example: 1678818868
“iat”: <<now (in seconds) >>, // example: 1678818508
“jti”: <>, // example: “6ddyAYN5bHwpDlO3LPW9h4BJLpppJYSB”
“alg”: “HS256”

And we are encrypting it with our private and public key.

Is there something we are missing/doing wrong? In the App window in Epic’s Developer App manager, we have setted up localhost as the non production JWK set url.

Have you reached out to open@epic.com? (That’s their preferred support mechanism.)

Yes I have, and they replied to see at their troubleshooting page (Documentation - Epic on FHIR) which I did, but it didn’t help.

@Light-it a few things stand out at first glance:

  1. HS256 is the wrong algorithm. You should be using RS384.
  2. The algorithm only goes in the JWT header, not in the body.
  3. Your iat and exp values are separated by more than 5 min. exp can’t be more than 5 min in the future, and there can’t be more than a 5-min difference in the times.
  4. If you are using a JWK set URL, your header needs to include the kid.