
Getting 403 Unauthorised on PAR request #99

Closed
henryallsuch opened this issue Sep 27, 2024 · 2 comments

@henryallsuch

We generated our keys before these changes:

https://github.com/oviva-ag/ehealthid-relying-party/pull/86/files

Having updated to the latest Docker build and reconfigured the env files to only pass in sig_jwks.json, we are getting this error back from the PAR request:

{"error":"unauthorized_client","error_description":"client certificate in tls handshake does not match any certificate in entity statement/signed_jwks"}

Do you have any idea how we could fix this? Or what could be causing the issue?

@thomasrichner-oviva (Contributor)

Hey Adam,

There were some changes around mTLS due to changes in the Gematik IdP.

Mainly this is regarding the signature key configuration. You have two options:

  1. Generate new keys and let Gematik know. Takes a bit of time but also resolves a few other limitations.
  2. Adapt your existing key to also include an x509 PEM-formatted certificate for your key. I'd generate a new key and use that as a reference on how to update your current key. This is a bit fiddly, but doesn't require any changes to the entity statement's keys.

I'd recommend option 1 :)
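Option 2 above, and the server-side check behind the reported error, as an added worked example (not code from the ehealthid-relying-party project or from either participant): given an EC private key, it issues a self-signed X.509 certificate for that key, emits a JWK whose `x5c` carries the certificate, and then verifies two things a practitioner would want to confirm before retrying the PAR request: that the certificate really belongs to the key, and that the certificate presented in the TLS handshake is present byte-for-byte in the signed JWKS. The curve (P-256/ES256), the subject CN, the `kid`, the file names and the self-signed issuance are assumptions for the demonstration; to adapt an existing key as the comment suggests, point `make_cert` and `make_jwk` at that key file instead of generating a fresh one.

```bash
#!/usr/bin/env bash
# Added example, not part of the ehealthid-relying-party project.
# Builds an x5c-bearing JWKS for an EC P-256 key and checks cert/key/JWKS consistency.
set -euo pipefail

# base64url without padding, as RFC 7517 requires for "x" and "y".
b64url() { base64 | tr -d '\n' | tr '+/' '-_' | tr -d '='; }

# Self-signed certificate for the private key in $1, written to $2.
# Subject CN and validity are assumptions; a CA-issued cert works the same way.
make_cert() {
  openssl req -new -x509 -key "$1" -subj "/CN=example-relying-party" \
    -days 365 -out "$2" 2>/dev/null
}

# JWKS containing one JWK for the public half of key $1, with the DER of
# certificate $2 in "x5c" (standard base64, no line breaks). kid is an assumption.
make_jwk() {
  local key=$1 crt=$2 kid=${3:-sig-key-1} pub x y x5c
  pub=$(mktemp)
  openssl ec -in "$key" -pubout -outform DER -out "$pub" 2>/dev/null
  # A P-256 SubjectPublicKeyInfo ends with the uncompressed point 04 || X || Y,
  # so the last 64 bytes are X (32 bytes) followed by Y (32 bytes).
  x=$(tail -c 64 "$pub" | head -c 32 | b64url)
  y=$(tail -c 32 "$pub" | b64url)
  x5c=$(openssl x509 -in "$crt" -outform DER | base64 | tr -d '\n')
  rm -f "$pub"
  printf '{"keys":[{"kty":"EC","crv":"P-256","use":"sig","alg":"ES256","kid":"%s","x":"%s","y":"%s","x5c":["%s"]}]}\n' \
    "$kid" "$x" "$y" "$x5c"
}

# Does certificate $2 carry the public key of private key $1? Prints ok/mismatch.
# Comparing the PEM SubjectPublicKeyInfo from both sides catches a cert issued
# for some other key, the classic cause of "client certificate ... does not match".
cert_matches_key() {
  local from_key from_cert
  from_key=$(openssl ec -in "$1" -pubout 2>/dev/null)
  from_cert=$(openssl x509 -in "$2" -noout -pubkey)
  if [ "$from_key" = "$from_cert" ]; then echo ok; else echo mismatch; fi
}

# Mirrors the check implied by the error message: is the certificate the client
# presents in the TLS handshake ($2) listed, byte-for-byte, in an x5c of JWKS $1?
# Prints present/absent. A re-issued cert for the same key is still "absent".
jwks_contains_cert() {
  local der
  der=$(openssl x509 -in "$2" -outform DER | base64 | tr -d '\n')
  if grep -qF "\"$der\"" "$1"; then echo present; else echo absent; fi
}

# Usage: bash this.sh demo   (generates a throwaway key under a temp dir)
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/sig.key"
  make_cert "$d/sig.key" "$d/sig.crt"
  make_jwk "$d/sig.key" "$d/sig.crt" > "$d/sig_jwks.json"
  cat "$d/sig_jwks.json"
  echo "cert matches key: $(cert_matches_key "$d/sig.key" "$d/sig.crt")"
  echo "cert in JWKS:     $(jwks_contains_cert "$d/sig_jwks.json" "$d/sig.crt")"
fi
```

The second check is the one to run against the certificate actually configured for the mTLS client, not just the one you think is configured: if the TLS stack presents a different (for example newly generated) certificate than the one embedded in `x5c`, the server rejects the PAR request even though the key pair is identical, because it compares certificates, not public keys.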

@henryallsuch (Author)

Thank you for your response and thank you for the latest updates.

I've updated to version v.0.15.1

Looking at the newly generated signing key, the only difference I see is the TODO with the timestamps nbf and exp. When running the CLI to generate the XML, the public key is no different from the one we have submitted in the past.

All other keys seem to be now generated on the fly & self discovered.

The x509 cert seems to be included in the openid_relying_party signing key metadata, which is not submitted to Gematik.

Is there something I am missing?
