3. Authorization code flow

OpenID Connect defines three types of authentication flow to cater for different client types: the Authorization Code Flow, the Implicit Flow and the Hybrid Flow. The Authorization Code Flow is the most commonly used flow and is designed for use with web applications. It is the only flow currently supported by the Care Identity Authentication. This section is intended to provide a detailed guide to the flow as provided by the Care Identity Authentication OpenID Provider.

Should a Relying Party have a need to use a different client type they should contact [email protected] to discuss whether its use can be enabled.

Flow diagram

The diagram below illustrates a typical use of the Authorization Code Flow.

An Authorization Code Flow is typically initiated when the Relying Party's web application receives a request for a web page by an End-User for whom no session has been established.
In response the Relying Party creates an Authentication Request and returns a redirect to the End-User's browser causing the request to be directed to the Authorization Endpoint. The request will contain a list of the scopes of interest to the Relying Party and a Redirection URI to which the response should be returned.
The OpenID Provider authenticates the End-User using one of the methods available to it and obtains authorization from the End-user to provide the requested scopes to the identified Relying Party. The authentication may result in multiple flows between the OpenID Provider and End-User's browser. End-User consent to share the requested scopes is implied as a result of having signed the Terms and Conditions of Use for the Care Identity Authentication.
Once the End-User has been authenticated the OpenID Provider returns an Authorization Code to the Relying Party's web application using a redirect via the End-User's browser to the Redirection URI specified in the original request.
The Relying Party’s web application presents its Client Credentials to the Token Endpoint and exchanges the Authorization Code for an ID Token identifying the End-User and Access and Refresh Tokens granting access to the UserInfo endpoint.
The Relying Party's web application presents the Access Token obtained to the UserInfo Endpoint to obtain the user information requested via the scopes included in the original request.
The Relying Party's web application serves the web page requested by the End-User.

Authentication Request

Request

When a Relying Party requires that an End-User is authenticated they should cause a HTTP GET request to be sent from the End-User’s user agent to the OpenID Provider’s Authorization Endpoint. Communication with the Authorization Endpoint must utilize TLS.

The request may be generated either:

indirectly via a HTTP 302 redirect response, for example in response to a user attempting to access a protected resource) or
directly, for example as a result of a login button being hit

An example of each is given below:

Example indirect request

HTTP/1.1 302 Found
  Location: https://am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/oidc/authorize?
    response_type=code
    &scope=openid%20profile
    &client_id=999999999999.apps.national
    &state=af0ifjsldkj
    &redirect_uri=https%3A%2F%2Fwww.nationalsupplier.nhs.net%2Fcallback

Example direct request

GET /openam/oauth2/realms/root/realms/oidc/authorize?
    response_type=code
    &scope=openid%20profile
    &client_id=999999999999.apps.national
    &state=af0ifjsldkj
    &redirect_uri=https%3A%2F%2Fwww.nationalsupplier.nhs.net%2Fcallback

Recommended parameters

The OpenID Connect Core Specification defines a number of mandatory and recommended parameters to use in the request. The minimum RECOMMENDED set is as follows:

Name	Description
scope	This is a space delimited list of the scopes requested by the client. It MUST contain the value openid and MAY contain other values e.g. profile. Unrecognised values will be ignored. See the Scopes and Claims section for further details.
response_type	This defines the processing flow to be used when forming the response. When using the Authorization Code Flow, this value MUST be code.
client_id	This MUST contain the client identifier assigned to the Relying Party during its registration with the Care Identity Authentication OpenID Provider.
redirect_uri	This is the URI to which the response should be sent. This MUST exactly match one of the Relying Party’s redirection URIs registered with the Care Identity Authentication OpenID Provider.
state	It is RECOMMENDED that Clients use this parameter to maintain state between the request and the callback. The parameter SHOULD be used for preventing cross-site request forgery (see the Authentication Successful Response section below for more detail on CSRF protection).

The Care Identity Authentication OpenID Provider supports the following optional parameters:

Name	Description
nonce	A string value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be present in the nonce values used to prevent attackers from guessing values.
prompt	A case sensitive string values that specifies whether the Authorization Server prompts the End-User for reauthentication. The values supported by the Care Identity Authentication are: none - The Authorization Server will not display any authentication or consent user interface pages, an error is returned if an End-User is not already authenticated. This can be used as a method to check for existing authentication. login - The Authorization Server will prompt the End-User for reauthentication. For further details on how the Care Identity Authentication OpenID Provider supports these values see the Session Management with OpenID Connect section.
acr_values	Requested Authentication Context Class Reference values. A string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request. This string is used by the Care Identity Authentication OpenID Provider to determine the mechanism to authenticate the user. For further details on how the Care Identity Authentication OpenID Provider supports these values see the ACR and AMR Values section.
max_age	This specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OpenID Provider. If the elapsed time is greater than this value the Care Identity Authentication Provider will attempt to actively re-authenticate the End-User.

Should a Relying Party have a need to use an optional parameter not described above they should contact [email protected] to discuss whether its use can be enabled.

Authentication Successful Response

If the End-User is successfully authenticated the Care Identity Authentication OpenID Provider will return an Authorization Code to the Relying Party’s web application component. This is achieved by returning a HTTP 302 redirect request to the End User’s user agent requesting that the response is redirected to the redirection_uri specified in the Authorize Request.

The response will contain a code parameter and state parameter. The client must ignore unrecognized response parameters.

The code parameter holds the Authorization Code which is a string value which is opaque to the Relying Party. It can be presented to the Token Endpoint to obtain ID, Access and Refresh Tokens. The code is valid for 120 seconds and can only be used once.

The state parameter will hold the state value provided in the original Authorize Request.

The Relying Party must implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state (e.g. a hash of the session cookie used to authenticate the user-agent). The state parameter should be used for achieving this as described in the OAuth 2.0 Authorization Framework. Please see Security Considerations for more information

Example successful response

HTTP/1.1 302 Found
  Location: https://www.nationalsupplier.nhs.net/callback?
    code=4g4jJrMMV3DF8uO_kj-Ql3hmzUE
    &state=af0ifjsldkj

Authentication Error Response

If the Authorization Request fails the Care Identity Authentication OpenID Provider will return an error response to the Relying Party. As for a successful response this is achieved by returning a HTTP 302 redirect request to the End User’s user agent requesting that the response is redirected to the redirection_uri specified in the request.

The response will contain an error, error_description and state parameters.

Most error codes result from an invalid request format e.g. a response_type other than code. However the following error may occur as the result of a valid request:

Error	Meaning
interaction_required	This error is generated when an Authorization Request is made with the prompt=none parameter but the user is not currently authenticated.

If the Client Identifier or Redirection URI specified is invalid an error will be returned directly to the user agent. Similarly HTTP errors unrelated to OpenID Connect will be returned to the user agent using the appropriate HTTP status code.

Failure of the End-User to authenticate successfully e.g. failure to enter valid credentials will result in a response not being returned to the Relying Party.

Example error response

HTTP/1.1 302 Found
  Location: https://www.nationalsupplier.nhs.net/callback?
    error=unsupported_response_type
    &error_description=Response%20type%20is%20not%20supported
    &state=af0ifjsldkj

Token Request

Request

Once the Relying Party web application has received an Authorization Code it can request the Care Identity Authentication OpenID Provider to provide the associated ID, Access and Refresh tokens. It does this by sending a HTTP POST request over TLS directly to the Token Endpoint URI.

The following parameters must be sent using the "application/x-www-form-urlencoded" format with a character encoding of UTF-8 in the HTTP request entity-body:

Name	Description
grant_type	This must be set to authorization_code.
code	The authorization code received in response to the authentication request.
redirect_uri	The redirection URI supplied in the original authentication request. This value must be identical.
client_id	The Relying Party Client Identifier.

Example post request

POST /openam/oauth2/realms/root/realms/oidc/access_token HTTP/1.1
  Host: am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk:443
  Content-Type: application/x-www-form-urlencoded
   
  grant_type=authorization_code
  &code=4g4jJrMMV3DF8uO_kj-Ql3hmzUE
  &redirect_uri=https%3A%2F%2Fwww.nationalsupplier.nhs.net%2Fcallback
  &client_id=999999999999.apps.national
  &client_secret=50a6122b-6907-4a13-948e-f31d4c4714d5

Client Authentication

As part of the registration process the Relying Party and the Care Identity Authentication will have agreed a mechanism by which the Relying Party can be authenticated when making the token request. This is required to ensure that the request is genuine and that the tokens are not returned to a third party masquerading as the Relying Party.

Recommendation

Care Identity Authentication recommend clients use private_key_jwt authentication, with the public key(s) hosted as a jwks endpoint, due to its increased security and ability to seamlessly roll over to a new keypair without requiring a configuration change. Clients may start with client_secret in the DEV Simple OIDC realm, but should use private_key_jwt in the Healthcare realms.

Authentication Mechanisms

Method	Description
private_key_jwt	Authentication using a JWT signed with a private key owned by the Relying Party. The JWT must be sent as the value of a client_assertion parameter with a client_assertion_type parameter set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer. The public keys must be exposed as a jwks endpoint under the client's control. This is the recommended method of client authentication
client_secret_jwt	Authentication using a JWT created with a Hash-based Message Authentication Code (HMAC) calculated from a client secret used as a shared key. The JWT must be sent as the value of a client_assertion parameter with a client_assertion_type parameter set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
client_secret	Authentication using a shared secret in a client_secret parameter in the request body.

Authentication JWT

For both of the Private Key JWT and Client Secret JWT mechanisms the Relying Party must construct a JWT that must contain the following required Claim Values and may contain the following optional Claim Values:

Claim	Status	Description
iss	required	Issuer. This must contain the client_id of the Relying Party's Client.
sub	required	Subject. This must contain the client_id of the Relying Party's Client.
aud	required	Audience. A value that identifies the Care Identity Authentication Authorization Server as an intended audience. This value must exactly match the value of the Token Endpoint URI as given in the OpenID Provider Configuration Document (see the Discovery section for more details).
jti	required	JWT ID. A unique identifier for the token, which can be used to prevent reuse of the token. These tokens must only be used once.
exp	required	Expiration time on or after which the JWT MUST NOT be accepted for processing. This is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC. An expiry after 5 minutes is suggested.
iat	optional	Time at which the JWT was issued.

The JWT may contain other Claims. Any Claims used that are not understood will be ignored.

The authentication token must be sent as the value of the client_assertion parameter.

The value of the client_assertion_type parameter must be "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

Private Key JWT

For Private Key JWT authentication the JWT is signed using a private key owned by the Relying Party.

The example below shows the use of a JWT signed with a private key to authenticate (in this example the JWT value has been abbreviated).

Example JWT with private key authentication

POST /openam/oauth2/realms/root/realms/oidc/access_token HTTP/1.1
  Host: am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk:443
  Content-Type: application/x-www-form-urlencoded
 
  grant_type=authorization_code&
  &code=4g4jJrMMV3DF8uO_kj-Ql3hmzUE
  &redirect_uri=https%3A%2F%2Fwww.nationalsupplier.nhs.net%2Fcallback
  &client_id=999999999999.apps.nationa
  &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
  &client_assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.a ... b.c ... d

The JWT is comprised of three Base64URL encoded elements separated by a . character. The first element is the token header. If we decode the value from the example above we get the JSON document object:

Example JSON document object

{
  "alg":"ES256",
  "kid":"16"
}

This specifies that the token has been signed with ECDSA utilising a P-256 curve and SHA-256 hash algorithm using the key identified by the string “16”. Decoding the second element would give the JSON object containing the claims about the Relying Party e.g. the client identifier, expiration date etc.

The Care Identity Authentication OpenID Provider advertises its supported signing algorithms via its OpenID Provider Configuration Document as described further in the Discovery section - for client authentication, these are listed in the "token_endpoint_auth_signing_alg_values_supported" value.

Further details on how the Relying Party is expected to use a JSON Web Key Set Endpoint to publish the details of the key associated with the kid are given in the Key Management section.

Client Secret JWT

For Client Secret JWT authentication the JWT is signed using an HMAC SHA algorithm, such as HMAC SHA-256. The HMAC (Hash-based Message Authentication Code) is calculated using the octets of the UTF-8 representation of the client_secret as the shared key.

Token Successful Response

If the request validation is successful the Care Identity Authentication OpenID Provider will return an HTTP 200 OK response including ID, Access and Refresh tokens as in the example below:

Example HTTP 200 OK response

HTTP/1.1 200 OK
  Content-Type: application/json
  Cache-Control: no-store
  Pragma: no-cache
 
  {
   "access_token": "XeFKw71aKiVMTAml8MNbk_ZLiqk",
   "refresh_token":"GujHL12JL2wk86xNdf1McD3nty4",
   "scope":"openid profile"
   "id_token":"eyJ0eXAiOiJKV1QiLCJraWQiOiJiL082T3ZWdjEreStXZ3JINVVpOVdUaW9MdDA9IiwiYWxnIjoiUlMyNTYifQ.ewogICJhdF9oYXNoIjogIjZUcEZsS3BRd1ZJT3RVTTZqcUJtWWciLAogICJzdWIiOiAiOTk5OTk5OTk5OTk5IiwKICAiYXVkaXRUcmFja2luZ0lkIjogImIwYzhiNWJhLWE0OWItNDhmYi1hZGJmLTVjYmU1NmUzM2YwZS0zMTY4MjgiLAogICJpc3MiOiAiaHR0cHM6Ly9hbS5uaHNkZXYucHRsLm5oc2QtZXNhLm5ldDo0NDMvb3BlbmFtL29hdXRoMi9yZWFsbXMvcm9vdC9yZWFsbXMvb2lkYyIsCiAgInRva2VuTmFtZSI6ICJpZF90b2tlbiIsCiAgImF1ZCI6ICI5OTk5OTk5OTk5OTkuYXBwcy5uYXRpb25hbCIsCiAgImNfaGFzaCI6ICIxdjZ1WUdjUU55OW5mU05KUnRPRjB3IiwKICAiYWNyIjogIkFBTDFfVVNFUlBBU1MiLAogICJvcmcuZm9yZ2Vyb2NrLm9wZW5pZGNvbm5lY3Qub3BzIjogInQyRnJaVEREXzU2RUJGZThidDB0QVpuLWQ5ZyIsCiAgInNfaGFzaCI6ICJ4M1hudDFmdDVqRE5DcUVSTzlFQ1pnIiwKICAiYXpwIjogIjk5OTk5OTk5OTk5OS5hcHBzLm5hdGlvbmFsIiwKICAiYXV0aF90aW1lIjogMTU4OTgxNjQ4OCwKICAicmVhbG0iOiAiL29pZGMiLAogICJleHAiOiAxNTg5ODIwODQ0LAogICJ0b2tlblR5cGUiOiAiSldUVG9rZW4iLAogICJpYXQiOiAxNTg5ODE3MjQ0Cn0=.iMllAqigJ2o1Iep2o65P8xESjEtNCid4j4bUNfxDcYkuXEkCjXXJScpyL80CEK3oOYCDZXy6vRCcYRn2gkglJz4_QFnP2l8SnIKsUUgL99uWTPqC7Rjtk6l0mrehSRCWqp3lpPLSzyThx484cGjgptkd_UvV5mi77VjvmBs3yVBdvW_l0iQXbrvvIsCjoCikTvK90OAhnPwF5aq36xKttXrgysdFiwkwJzVdBv_OrUYwuO9MJTvScbiDJpZj7P_DZ1e8xrhuGDHt9SpLLCLy_Ewq5ZAlb7cA7QdxTu9C3GtBQm3O-KgUgfouHHzMvcJ-mtbWNJMF-ZKGdbC4Pi7A",
    "token_type":"Bearer",
    "expires_in":3600
  }

The response body will include the following parameters:

Name	Description
access_token	The Access Token which may be used to access the UserInfo endpoint. This is an opaque value.
token_type	Set to Bearer.
refresh_token	A Refresh Token which can be used to obtain a new Access Token.
expires_in	The lifetime in seconds of the Access Token. Set to 3600 for the Care Identity Authentication.
id_token	The Base64URL encoded ID Token. This is described further below.

ID Token

The ID Token is a security token that contains Claims about the authentication of an End-User by an Authorization Server. The ID Token is represented as a JWT as described in the JSON Web Token Specification and is signed using JWS as described in the JSON Web Signature Specification.

The ID Token is comprised of three Base64URL encoded elements separated by a . character. The first element is the JOSE (JSON Object Signing and Encryption) Header describing the signing algorithm used, the second element contains the Claims and the third the signature.

JWTs may be conveniently decoded for inspection using an online website such as https://jwt.io/.

If we decode the value from the example above we get the JOSE Header below:

Example JOSE Header

{
  "typ": "JWT",
  "kid": "b/O6OvVv1+y+WgrH5Ui9WTioLt0=",
  "alg": "RS256"
}

This specifies that the token has been signed with an RSA Signature utilising the SHA-256 hashing algorithm and the key identified by the string “b/O6OvVv1+y+WgrH5Ui9WTioLt0=”. Details on how the Relying Party may obtain the public key associated with kid are given in the Key Management section.

Decoding the second element gives us the JSON object containing the Claims about the authentication of an End-User. For example:

Example authentication claims about an end-user

{
  "at_hash": "6TpFlKpQwVIOtUM6jqBmYg",
  "sub": "999999999999",
  "auditTrackingId": "b0c8b5ba-a49b-48fb-adbf-5cbe56e33f0e-316828",
  "iss": "https://am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/oidc",
  "tokenName": "id_token",
  "aud": "999999999999.apps.national",
  "c_hash": "1v6uYGcQNy9nfSNJRtOF0w",
  "acr": "AAL1_USERPASS",
  "org.forgerock.openidconnect.ops": "t2FrZTDD_56EBFe8bt0tAZn-d9g",
  "s_hash": "x3Xnt1ft5jDNCqERO9ECZg",
  "azp": "999999999999.apps.national",
  "auth_time": 1589816488,
  "realm": "/oidc",
  "exp": 1589820844,
  "tokenType": "JWTToken",
  "iat": 1589817244, 
  "sid": "330bc4641e7e0c8c5acb3e98b096cf08edeb6ba6fc1fcc254233099cb12ac119",
  "selected_roleid": "656006137102",
  "id_assurance_level": "3",
  "authentication_assurance_level":"3"
}

The third element is the signature over the JSON object. Details on how this signature is created and on how to validate it can be found in the JSON Web Signature Specification.

The ID Token contains the following Claims of interest.

Claim	Description
iss	The Care Identity Authentication OpenID Provider's Issue identifier as specified in the OpenID Provider Configuration Document.
sub	A unique identifier for the End-User. See the Scopes and Claims section for more details.
aud	The Client Identifier of the Relying Party.
exp	The time on or after which the ID Token must not be accepted for processing. This is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC. The Care Identity Authentication's ID Tokens are set to expire after 1 hour.
iat	The time at which the JWT was issued. This is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC.
auth_time	The time at which the End-User authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.
nonce	String value used to associate a Client session with an ID Token, and to mitigate replay attacks. If this value provided in Authentication Request this value is passed through unmodified.
acr	The Authentication Context Class Reference for the authentication event. For details of the use of acr values with the Care Identity Authentication see the ACR and AMR Values section.
amr	The Authentication Methods Reference for the authentication event. For details of the use of amr values with Care Identity Authentication see the ACR and AMR Values section.
at_hash	A hash of the associated Access Token. For further detail on the use of this value see the Access Token Validation section below. The at_hash value is a case sensitive string.
sid	An optional session identifier e.g. 330bc4641e7e0c8c5acb3e98b096cf08edeb6ba6fc1fcc254233099cb12ac119 (this will initially only be present for Smartcard authentications - see the Session Management section) Note that this value is solely for use with Back Channel Logout and should not be assumed to be cross-referenced to any other session identifiers in Care Identity Authentication.
selected_roleid	An optional value indicating the 12 digit unique identifier for the National RBAC Role Profile (roleProfileCode) that the user (optionally) selected in the Identity Agent when authenticating with Smartcard. Because this must have been selected in the IA from one of the available National RBAC Role Profile values for this user, this value will correspond to one of the nhsid_rbac_roles.person_roleid values from the UserInfo Claims, so further information about the role profile can be determined from the corresponding claim.
id_assurance_level	The level of assurance performed on the End-User's identity. This is a string value which can take one of the following values: 0, 1, 2 or 3. These values correspond to Identity Assurance Levels as defined in the NIST Digital Identity Guidelines for Enrollment and Identity Proofing Requirements. An assurance level of IAL3 gives a very high level of assurance of the End-User's identity including checks such as physical presence for identity proofing and verification of identifying attributes by a trained and authorized individual. Relying Parties SHOULD validate that this claim has a value appropriate for their use case. For access to national clinical systems the id_assurance_level MUST be 3.
authentication_assurance_level	The level of assurance of the authentication process. This value MUST be checked to ensure that an appropriate level of authentication has taken place. (This check replaces the ACR prefix check for AAL3*)

Any Claims contained in the ID Token other than those listed in the table above MUST be ignored by the Relying Party.

ID Token Validation

Relying Parties must validate the ID Token in the Token Response in the following manner:

The the value of the iss Claim must exactly match the Issuer Identifier for the Care Identity Authentication OpenID Provider as specified in the OpenID Provider Configuration Document.
The aud Claim must contain the Relying Party's Client identifier.
If the ID Token is received via direct communication between the Client and the Token Endpoint, then TLS server validation may be used to validate the issuer in place of checking the token signature (see the TLS Requirements section). The Client must validate the signature of all other ID Tokens according to JSON Web Signature Specification using the algorithm specified in the JWT alg header parameter. The Client must use the keys provided by the Care Identity Authentication OpenID Provider as described in the Key Management section.
The current time must be before the time represented by the exp Claim.
If a nonce value was sent in the Authentication Request, a nonce Claim will be present and its value must be checked to verify that it is the same value as the one that was sent in the Authentication Request. The Relying Party should check the nonce value for replay attacks.
If the acr Claim was requested, the Replying Party should check that the asserted Claim Value is appropriate. For further details on the Care Identity Authentication's support for acr values see the ACR and AMR Values section.
The Relying Party should check the auth_time Claim value and request re-authentication if it determines too much time has elapsed since the last End-User authentication. For further guidance see the Session Management section.

Access Token Validation

Relying Parties may validate the integrity of the Access Token using the value of the at_hash Claim. Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the access_token value, where the hash algorithm used is the hash algorithm used in the alg parameter of the ID Token's JOSE Header. The alg value for the Care identity Authentication OpenID Provider is RS256 so to obtain the value hash the access_token value with SHA-256, then take the left-most 128 bits and base64url encode them.

Access Token use with Spine RESTful APIs

Note that the Access Token returned from the Care Identity Authentication OpenID Provider is only for use with the Care Identity Authentication UserInfo Endpoint as described in the sections below.

Relying Parties wishing to use the Spine RESTful APIs must also obtain an Access Token from the API Platform as described at the following location API Platform - Security and Authorisation.

For applications wishing to use both Care Identity Authentication and a User-restricted RESTful API it is recommended to use the separate authentication and authorisation model described at API Platform - Separate Authenticate and Authorisation.

Token Error Response

If the Token Request is invalid or unauthorized an HTTP 400 response will be returned as in the following example:

Example HTTP 400 response

HTTP/1.1 400 Bad Request
  Content-Type: application/json
  Cache-Control: no-store
  Pragma: no-cache
 
{
  "error_description":"The provided access grant is invalid, expired, or revoked.",
  "error":"invalid_grant"
}

UserInfo Request

The Care Identity Authentication OpenID provider's ID Token only contains Claims about the authentication event and the identity of the End-User. Other information about the End-User can be requested by including additional Scopes in the authentication request (as in the example request above which includes the standard profile scope) and by presenting the Access Token from the Token Response to the UserInfo endpoint.

The Relying Party sends the UserInfo Request using either HTTP GET or HTTP POST. The Access Token obtained from an OpenID Connect Authentication Request must be sent as a Bearer Token.

It is recommended that the request use the HTTP GET method and the Access Token be sent using the Authorization header field as in the example below:

Example HTTP GET using Authorization header

GET /openam/oauth2/realms/root/realms/oidc/userinfo
  Authorization: Bearer XeFKw71aKiVMTAml8MNbk_ZLiqk

UserInfo Response

The userinfo claims will be returned in a HTTP 200 OK response as in the example below:

Example HTTP 200 OK response

HTTP/1.1 200 OK
  Content-Type: application/json
 
  {
   "sub": "999999999999",
   "name": "Smith Jane Ms",
   "given_name": "Jane",
   "family_name": "Smith"
  }

The userinfo claims will always include a sub Claim. This must be verified to exactly match the sub Claim in the ID Token; if they do not match, the UserInfo Response values must not be used.

The Relying Party should authenticate the OpenID Provider either by checking the TLS certificate (see the TLS Requirements section) or by validating the signature of the JWT if provided. For details on how to obtain a signed UserInfo Response see the next section.

More details of the Scopes and Claims that may be obtained via the UserInfo Endpoint can be found in the Scopes and Claims section.

Signed UserInfo Response

During registration the Relying Party MAY request that the UserInfo Response is signed in which case the response will contain iss and aud claims. The Relying Party SHOULD validate that both the iss value matches the Care Identity Authentication OpenID Provider’s Issuer Identifier and the aud claim matches the Relying Party's Client Identifier.

The Relying Party SHOULD validate the signature according to the JSON Web Signature Specification.

UserInfo Error Response

When a request fails, the UserInfo resource server will respond using the appropriate HTTP status code (typically, 400, 401, 403, or 405) and include an error code in the response.

The response will contain an error parameter and an error_description.

Example error response

HTTP/1.1 401 Unauthorized
  Content-Type: application/json
 
{
  "error_description":"The access token provided is expired, revoked, malformed, or invalid for other reasons.",
  "error":"invalid_token"
}

Refresh Token Use

It is anticipated that Relying Parties will only require access to the UserInfo Endpoint at the time of the original End-User authentication. This should only happen once as part of a Relying Party authentication journey and the Access Token can be used immediately, then discarded. In Care Identity Authentication, there should be no other need to retrieve the User Info after this point in time.

Therefore the use of the Refresh Token to obtain a new Access Token is not recommended.

Clients wanting to use the Refresh Token are requested to contact [email protected] to discuss their use case further.

All chapters

Last edited: 5 February 2024 12:11 pm