Use this pattern when:
- accessing a user-restricted RESTful API
- the end user is a healthcare professional
- you want a simpler integration
In this pattern, authentication and authorisation are done together. Authentication is done by NHS Identity, but we co-ordinate that under the covers behind our OAuth2.0 authorisation server. Your application only needs to be registered with the API Platform, not with NHS Identity.
The following diagram illustrates the pattern:
The following sequence diagram shows how the various components interact:
- The end user launches the calling application.
- The calling application redirects the user's browser to our OAuth2.0 authorisation endpoint (/oauth/authorize).
- The user signs in to their NHS Identity account (using a smartcard and PIN, or thumbprint reader, or other method).
- Our authorisation server redirects control back to the calling application, with an authorisation code.
- The calling application calls our OAuth2.0 token endpoint (/oauth/token), with the authorisation code, and receives an access token and an ID token in return.
- Time passes, until the user needs to access a user-restricted API.
- The calling application calls the user-restricted API, including the access token.
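The steps above are the standard OAuth2.0 authorisation code flow seen from the calling application. The following is an added example, not code from the NHS API Platform, showing the client-side half of that flow in Python with only the standard library: building the redirect to the authorisation endpoint with a random `state`, checking that `state` on the callback before accepting the code (the check that stops a forged callback being swapped into the user's session), exchanging the code at the token endpoint, and attaching the resulting access token to an API call. The base URL `https://api.example.invalid`, the redirect URI, the client credentials and the `FakeTransport` class are all constructed placeholders; sending `client_id` and `client_secret` in the token request body is assumed from RFC 6749 section 4.1.3 rather than taken from this page.

```python
import json
import secrets
import urllib.parse
import urllib.request

# Endpoint paths named on the page; the base URL is a placeholder.
AUTHORIZE_PATH = "/oauth/authorize"
TOKEN_PATH = "/oauth/token"


def new_state() -> str:
    """Unguessable per-login value, stored in the user's session and checked on return."""
    return secrets.token_urlsafe(32)


def build_authorize_url(base_url: str, client_id: str, redirect_uri: str, state: str) -> str:
    """Step 2: the URL the calling application redirects the browser to."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return base_url + AUTHORIZE_PATH + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 4: extract the authorisation code, refusing it if state does not match."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError("authorisation server returned error: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorisation code")
    return code


def http_post_form(url: str, form: dict) -> dict:
    """Real transport: POST a form body and decode the JSON response."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def http_get_json(url: str, headers: dict) -> dict:
    """Real transport: GET with the supplied headers and decode the JSON response."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def exchange_code(base_url: str, client_id: str, client_secret: str,
                  redirect_uri: str, code: str, post=http_post_form) -> dict:
    """Step 5: trade the one-time code for an access token and an ID token."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the one used in step 2
        "client_id": client_id,
        "client_secret": client_secret,  # assumed to be sent in the body (RFC 6749 s4.1.3)
    }
    tokens = post(base_url + TOKEN_PATH, form)
    for key in ("access_token", "id_token"):
        if key not in tokens:
            raise RuntimeError("token response missing " + key)
    return tokens


def call_user_restricted_api(api_url: str, access_token: str, get=http_get_json) -> dict:
    """Step 7: present the access token as a bearer token on the API call."""
    return get(api_url, {"Authorization": "Bearer " + access_token})


class FakeTransport:
    """Constructed stand-in for the authorisation server and API, so the flow runs offline."""

    def __init__(self):
        self.requests = []  # (url, form-or-headers) pairs, for inspection

    def post(self, url: str, form: dict) -> dict:
        self.requests.append((url, form))
        return {"access_token": "at-demo", "id_token": "id-demo", "expires_in": 599}

    def get(self, url: str, headers: dict) -> dict:
        self.requests.append((url, headers))
        return {"resourceType": "Bundle", "total": 0}


if __name__ == "__main__":
    fake = FakeTransport()
    state = new_state()
    print(build_authorize_url("https://api.example.invalid", "demo-app",
                              "https://app.example.invalid/callback", state))
    code = parse_callback("https://app.example.invalid/callback?code=c0de&state=" + state, state)
    tokens = exchange_code("https://api.example.invalid", "demo-app", "demo-secret",
                           "https://app.example.invalid/callback", code, post=fake.post)
    print(call_user_restricted_api("https://api.example.invalid/demo/FHIR/R4/Patient",
                                   tokens["access_token"], get=fake.get))
```

The `state` check in `parse_callback` is the part most often left out: without it, any callback URL delivered to the user's browser would be accepted as the result of their own sign-in. The transport functions are injectable only so the flow can be exercised without a network; in a real application the defaults are used and the `state` value lives in the server-side session between steps 2 and 4.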