How do I generate bulk System Export Client Assertion?

I am trying to test Patient Export by adding system/Group.$export to the scope.

Step 1: Using Postman, registered the client using the API http://:30080/oauth2/default/registration
I generated one JWKS key set using the tool https://mkjwk.org/ by giving the following details:
RSA - Key Use: Signature, Algorithm: RS384, Key-Id: SHA-256
Registration was successful using the generated key set.
Scope in the payload was specified as "scope": "system/Group.$export",

Step 2:
In the OpenEMR application, enabled the registered API client [Administration-Api Clients].

Step 3:
I tried to get the authorization token by creating a JWT token out of my JWKS key set.
I used online tool, https://jwt.io/
In the tool, I used details as:

  • Algorithm: RS384
  • Payload details given in generating the JWT:
    "sub": generated client Id from the response of the registration API in Step 1
    "name": client_name given in the registration API
  • Public key & private key: the same public key and private key extracted from the JWKS key set.

Step 4: Invoked api http://:30080/oauth2/default/token from Postman
by passing parameter values as below

grant_type = client_credentials
client_assertion_type = urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_assertion = generated JWT token in STEP3
scope = system/Group.$export
udap = 1

And the response I am getting is "Bad Request":
{
  "error": "invalid_client",
  "error_description": "Client authentication failed",
  "message": "Client authentication failed"
}

I also tried with RS256 and HS256 algorithm types while generating JWKS and JWT

Could someone please provide an example or steps on getting a successful token?

You are missing a number of options in your client assertion. You’ll want to look at the example in (openemr/CreateClientCredentialsAssertionCommand.php at bb44f27994c16aed37916584fa09a7c35148daf6 · openemr/openemr · GitHub)

Here is a process flow from HL7 that goes into detail on the process flow to send the client assertion (note we don’t support wildcard scopes so you will need to specify each of your scopes individually for the data you want to export).

At a minimum you will need to include the following scopes for a Group bulk data export operation:
“system*.$bulkdata-status system/Group.$export system/Patient.read system/Document.read”
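
The reply above says the assertion is missing required fields. As an added example (not from this thread and not OpenEMR's code), the Python check below decodes an assertion without verifying its signature and lists what the SMART Backend Services profile requires of it, so a token built in jwt.io can be checked before it is sent. The client id, kid and host are constructed placeholders, and it is an assumption that OpenEMR enforces exactly this set.

```python
import base64, json, time

# Required by SMART Backend Services (assumption: OpenEMR checks the same set).
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "jti")
ALLOWED_ALGS = ("RS384", "ES384")
MAX_LIFETIME = 300  # seconds; the spec caps exp at five minutes ahead

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_json(segment: str) -> dict:
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def lint_assertion(jwt: str, client_id: str, token_url: str, now=None) -> list:
    """Return a list of problems found in an (unverified) client assertion."""
    now = time.time() if now is None else now
    parts = jwt.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWS"]
    header, claims = b64url_json(parts[0]), b64url_json(parts[1])
    problems = []
    if header.get("alg") not in ALLOWED_ALGS:
        problems.append(f"alg {header.get('alg')!r} not in {ALLOWED_ALGS}")
    if not header.get("kid"):
        problems.append("header has no kid to match a key in the registered JWKS")
    problems += [f"missing claim {c}" for c in REQUIRED_CLAIMS if c not in claims]
    for name in ("iss", "sub"):
        if name in claims and claims[name] != client_id:
            problems.append(f"{name} is not the registered client_id")
    if "aud" in claims and claims["aud"] != token_url:
        problems.append("aud is not the token endpoint URL")
    if "exp" in claims and not (now < claims["exp"] <= now + MAX_LIFETIME):
        problems.append("exp is in the past or more than five minutes ahead")
    return problems

def fake_jwt(header: dict, claims: dict) -> str:
    # Constructed sample: the signature is a placeholder, never verified here.
    enc = lambda o: b64url(json.dumps(o).encode())
    return f"{enc(header)}.{enc(claims)}.{b64url(b'sig')}"

# Constructed values; the host is a placeholder because the page elides it.
CLIENT_ID = "example-client-id"
TOKEN_URL = "https://openemr.example/oauth2/default/token"
as_posted = fake_jwt({"alg": "RS384", "typ": "JWT"},
                     {"sub": CLIENT_ID, "name": "my client"})
complete = fake_jwt({"alg": "RS384", "typ": "JWT", "kid": "example-kid"}, {
    "iss": CLIENT_ID, "sub": CLIENT_ID, "aud": TOKEN_URL,
    "exp": 1_700_000_240, "jti": "constructed-nonce-1"})

print(lint_assertion(as_posted, CLIENT_ID, TOKEN_URL))
```

A clean result only means the header and claims have the expected shape; the server still has to verify the signature against the JWKS registered for the client.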