IRS-A2A: The resource_owner denied access to resources error


We've bought an EV-validated SSL certificate from SectigoStore and used this to submit a JWK to IRS e-Services to get a new Client ID. However, the new Client ID does not seem to be usable - both the test + prod API endpoints return an error when trying to get an access token (https://api.alt.www4.irs.gov and https://api.www4.irs.gov).

The error is as follows:

{
    "error_code": "ESRV124",
    "error_msg": {
        "error": "access_denied",
        "error_description": "The resource_owner denied access to resources"
    }
}

A different Client ID that we had received after applying with a self-signed certificate works fine on the test API URL but not the prod one.

It's unclear what is wrong with the request we are making using the new Client ID value. I am curious if any of you have dealt with this before.

Here is the general format of the HTTP request:

POST /auth/oauth/v2/token HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 1515
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Host: api.www4.irs.gov
User-Agent: HTTPie/3.2.1

grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer
&assertion=<user JWT value>
&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer
&client_assertion=<client JWT value>
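A local pre-flight check for a token request of the shape shown in the question, added here as an example and not part of the original post. It applies only the generic RFC 7521/7523 rules (both URNs, the `iss`/`sub`/`aud`/`exp` claims, expiry, and `sub` of the client assertion equal to the client ID), not any IRS-specific requirement; the client ID, audience URL and claim values are constructed samples.

```python
import base64, json, time
from urllib.parse import parse_qs, urlencode

GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"
CLIENT_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def decode_jwt(token):
    """Return (header, claims) WITHOUT verifying the signature (inspection only)."""
    head, body, _sig = token.split(".")
    pad = lambda s: s + "=" * (-len(s) % 4)
    return (json.loads(base64.urlsafe_b64decode(pad(head))),
            json.loads(base64.urlsafe_b64decode(pad(body))))

def check_request(body, client_id, now=None):
    """List generic RFC 7521/7523 problems in a form-encoded token request body."""
    now = time.time() if now is None else now
    form = {k: v[0] for k, v in parse_qs(body).items()}
    problems = []
    if form.get("grant_type") != GRANT:
        problems.append("grant_type is not the jwt-bearer grant URN")
    if form.get("client_assertion_type") != CLIENT_TYPE:
        problems.append("client_assertion_type is not the jwt-bearer URN")
    for field in ("assertion", "client_assertion"):
        try:
            header, claims = decode_jwt(form[field])
        except (KeyError, ValueError):
            problems.append(f"{field}: missing or not a three-part JWT")
            continue
        if header.get("alg", "none") == "none":
            problems.append(f"{field}: unsigned (alg none)")
        problems += [f"{field}: missing {c}" for c in ("iss", "sub", "aud", "exp")
                     if c not in claims]
        if claims.get("exp", now + 1) <= now:
            problems.append(f"{field}: expired")
        if field == "client_assertion" and claims.get("sub") != client_id:
            problems.append("client_assertion: sub is not the client ID")
    return problems

def make_jwt(claims):
    """Build a constructed sample JWT with a dummy signature segment."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'sample-kid'})}.{enc(claims)}.c2ln"

# Constructed sample: the client assertion is expired and names a different client ID.
AUD = "https://as.example/token"
USER_JWT = make_jwt({"iss": "example-client-id", "sub": "user-1", "aud": AUD, "exp": 2000})
STALE_CLIENT_JWT = make_jwt({"iss": "old-client-id", "sub": "old-client-id", "aud": AUD, "exp": 900})
SAMPLE_BODY = urlencode({"grant_type": GRANT, "assertion": USER_JWT,
                         "client_assertion_type": CLIENT_TYPE,
                         "client_assertion": STALE_CLIENT_JWT})
```

Calling `check_request(SAMPLE_BODY, "example-client-id", now=1000)` reports the two client-assertion problems. A clean result only means the request is well-formed; it says nothing about whether the server has the matching key or client registration.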