Skip to main content

3. Authorization code flow

Page contents

OpenID Connect defines three types of authentication flow to cater for different client types: the Authorization Code Flow, the Implicit Flow and the Hybrid Flow. The Authorization Code Flow is the most commonly used flow and is designed for use with web applications. It is the only flow currently supported by NHS CIS2 Authentication. This section is intended to provide a detailed guide to the flow as provided by NHS CIS2 Authentication OpenID Provider.

Should a Relying Party have a need to use a different client type they should contact [email protected] to discuss whether its use can be enabled.

Flow diagram

The diagram below illustrates a typical use of the Authorization Code Flow.

A typical use of the Authorization Code Flow

  1. An Authorization Code Flow is typically initiated when the Relying Party's web application receives a request for a web page by an End-User for whom no session has been established.
  2. In response the Relying Party creates an Authentication Request and returns a redirect to the End-User's browser causing the request to be directed to the Authorization Endpoint. The request will contain a list of the scopes of interest to the Relying Party and a Redirection URI to which the response should be returned.
  3. The OpenID Provider authenticates the End-User using one of the methods available to it and obtains authorization from the End-user to provide the requested scopes to the identified Relying Party. The authentication may result in multiple flows between the OpenID Provider and End-User's browser. End-User consent to share the requested scopes is implied as a result of having signed the Terms and Conditions of Use for NHS CIS2 Authentication.
  4. Once the End-User has been authenticated the OpenID Provider returns an Authorization Code to the Relying Party's web application using a redirect via the End-User's browser to the Redirection URI specified in the original request.
  5. The Relying Party’s web application presents its Client Credentials to the Token Endpoint and exchanges the Authorization Code for an ID Token identifying the End-User and Access and Refresh Tokens granting access to the UserInfo endpoint.
  6. The Relying Party's web application presents the Access Token obtained to the UserInfo Endpoint to obtain the user information requested via the scopes included in the original request.
  7. The Relying Party's web application serves the web page requested by the End-User.

Authentication Request

Request

When a Relying Party requires that an End-User is authenticated they should cause a HTTP GET request to be sent from the End-User’s user agent to the OpenID Provider’s Authorization Endpoint. Communication with the Authorization Endpoint must utilize TLS.

The request may be generated either:

  • indirectly via a HTTP 302 redirect response, for example in response to a user attempting to access a protected resource) or
  • directly, for example as a result of a login button being hit

 An example of each is given below:

Example indirect request

HTTP/1.1 302 Found
  Location: https://am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/oidc/authorize?
    response_type=code
    &scope=openid%20profile
    &client_id=999999999999.apps.national
    &state=af0ifjsldkj
    &redirect_uri=https%3A%2F%2Fwww.nationalsupplier.nhs.net%2Fcallback

Example direct request

GET /openam/oauth2/realms/root/realms/oidc/authorize?
    response_type=code
    &scope=openid%20profile
    &client_id=999999999999.apps.national
    &state=af0ifjsldkj
    &redirect_uri=https%3A%2F%2Fwww.nationalsupplier.nhs.net%2Fcallback

Authentication Successful Response

If the End-User is successfully authenticated the NHS CIS2 Authentication OpenID Provider will return an Authorization Code to the Relying Party’s web application component. This is achieved by returning a HTTP 302 redirect request to the End User’s user agent requesting that the response is redirected to the redirection_uri specified in the Authorize Request.

The response will contain a code parameter and state parameter. The client must ignore unrecognized response parameters.

The code parameter holds the Authorization Code which is a string value which is opaque to the Relying Party. It can be presented to the Token Endpoint to obtain ID, Access and Refresh Tokens. The code is valid for 120 seconds and can only be used once.

The state parameter will hold the state value provided in the original Authorize Request.

The Relying Party must implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state (e.g. a hash of the session cookie used to authenticate the user-agent). The state parameter should be used for achieving this as described in the OAuth 2.0 Authorization Framework. Please see Security Considerations for more information

Example successful response

HTTP/1.1 302 Found
  Location: https://www.nationalsupplier.nhs.net/callback?
    code=4g4jJrMMV3DF8uO_kj-Ql3hmzUE
    &state=af0ifjsldkj

Authentication Error Response

If the Authorization Request fails the NHS CIS2 Authentication OpenID Provider will return an error response to the Relying Party. As for a successful response this is achieved by returning a HTTP 302 redirect request to the End User’s user agent requesting that the response is redirected to the redirection_uri specified in the request.

The response will contain an error, error_description and state parameters. 

Most error codes result from an invalid request format e.g. a response_type other than code. However the following error may occur as the result of a valid request:

Error Meaning
interaction_required     This error is generated when an Authorization Request is made with the prompt=none parameter but the user is not currently authenticated.

 

If the Client Identifier or Redirection URI specified is invalid an error will be returned directly to the user agent. Similarly HTTP errors unrelated to OpenID Connect will be returned to the user agent using the appropriate HTTP status code.

Failure of the End-User to authenticate successfully e.g. failure to enter valid credentials will result in a response not being returned to the Relying Party.

Example error response

HTTP/1.1 302 Found
  Location: https://www.nationalsupplier.nhs.net/callback?
    error=unsupported_response_type
    &error_description=Response%20type%20is%20not%20supported
    &state=af0ifjsldkj

Token Request

Request

Once the Relying Party web application has received an Authorization Code it can request the NHS CIS2 Authentication OpenID Provider to provide the associated ID, Access and Refresh tokens. It does this by sending a HTTP POST request over TLS directly to the Token Endpoint URI.

The following parameters must be sent using the "application/x-www-form-urlencoded" format with a character encoding of UTF-8 in the HTTP request entity-body:

Name Description
grant_type This must be set to authorization_code.
code The authorization code received in response to the authentication request.
redirect_uri The redirection URI supplied in the original authentication request. This value must be identical.
client_id The Relying Party Client Identifier.

Example post request

POST /openam/oauth2/realms/root/realms/oidc/access_token HTTP/1.1
  Host: am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk:443
  Content-Type: application/x-www-form-urlencoded
   
  grant_type=authorization_code
  &code=4g4jJrMMV3DF8uO_kj-Ql3hmzUE
  &redirect_uri=https%3A%2F%2Fwww.nationalsupplier.nhs.net%2Fcallback
  &client_id=999999999999.apps.national
  &client_secret=50a6122b-6907-4a13-948e-f31d4c4714d5

Client Authentication

As part of the registration process the Relying Party and the NHS CIS2 Authentication will have agreed a mechanism by which the Relying Party can be authenticated when making the token request. This is required to ensure that the request is genuine and that the tokens are not returned to a third party masquerading as the Relying Party.

Recommendation

NHS CIS2 Authentication recommend clients use private_key_jwt authentication, with the public key(s) hosted as a jwks endpoint, due to its increased security and ability to seamlessly roll over to a new keypair without requiring a configuration change. Clients may start with client_secret in the DEV Simple OIDC realm, but should use private_key_jwt in the Healthcare realms. 

Authentication Mechanisms

Method Description
private_key_jwt Authentication using a JWT signed with a private key owned by the Relying Party. The JWT must be sent as the value of a client_assertion parameter with a client_assertion_type parameter set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer. The public keys must be exposed as a jwks endpoint under the client's control. This is the recommended method of client authentication
client_secret_jwt Authentication using a JWT created with a Hash-based Message Authentication Code (HMAC) calculated from a client secret used as a shared key. The JWT must be sent as the value of a client_assertion parameter with a client_assertion_type parameter set to urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
client_secret Authentication using a shared secret in a client_secret parameter in the request body. 

Authentication JWT

For both of the Private Key JWT and Client Secret JWT mechanisms the Relying Party must construct a JWT that must contain the following required Claim Values and may contain the following optional Claim Values:

Claim Status Description
iss required Issuer. This must contain the client_id of the Relying Party's Client.
sub required Subject. This must contain the client_id of the Relying Party's Client.
aud required Audience. A value that identifies the NHS CIS2 Authentication Authorization Server as an intended audience. This value must exactly match the value of the Token Endpoint URI as given in the OpenID Provider Configuration Document (see the Discovery section for more details).
jti required JWT ID. A unique identifier for the token, which can be used to prevent reuse of the token. These tokens must only be used once.
exp required Expiration time on or after which the JWT MUST NOT be accepted for processing. This is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC. An expiry after 5 minutes is suggested. 
iat optional Time at which the JWT was issued.

The JWT may contain other Claims. Any Claims used that are not understood will be ignored.

The authentication token must be sent as the value of the client_assertion parameter.

The value of the client_assertion_type parameter must be "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

Private Key JWT

For Private Key JWT authentication the JWT is signed using a private key owned by the Relying Party.

The example below shows the use of a JWT signed with a private key to authenticate (in this example the JWT value has been abbreviated).

Example JWT with private key authentication

POST /openam/oauth2/realms/root/realms/oidc/access_token HTTP/1.1
  Host: am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk:443
  Content-Type: application/x-www-form-urlencoded
 
  grant_type=authorization_code&
  &code=4g4jJrMMV3DF8uO_kj-Ql3hmzUE
  &redirect_uri=https%3A%2F%2Fwww.nationalsupplier.nhs.net%2Fcallback
  &client_id=999999999999.apps.nationa
  &client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
  &client_assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.a ... b.c ... d

The JWT is comprised of three Base64URL encoded elements separated by a . character. The first element is the token header. If we decode the value from the example above we get the JSON document object:

Example JSON document object

{
  "alg":"ES256",
  "kid":"16"
}

This specifies that the token has been signed with ECDSA utilising a P-256 curve and SHA-256 hash algorithm using the key identified by the string “16”.  Decoding the second element would give the JSON object containing the claims about the Relying Party e.g. the client identifier, expiration date etc.

The NHS CIS2 Authentication OpenID Provider advertises its supported signing algorithms via its OpenID Provider Configuration Document as described further in the Discovery section - for client authentication, these are listed in the "token_endpoint_auth_signing_alg_values_supported" value.

Further details on how the Relying Party is expected to use a JSON Web Key Set Endpoint to publish the details of the key associated with the kid are given in the Key Management section. 

Client Secret JWT

For Client Secret JWT authentication the JWT is signed using an HMAC SHA algorithm, such as HMAC SHA-256. The HMAC (Hash-based Message Authentication Code) is calculated using the octets of the UTF-8 representation of the client_secret as the shared key.

Token Successful Response

If the request validation is successful the NHS CIS2 Authentication OpenID Provider will return an HTTP 200 OK response including ID, Access and Refresh tokens as in the example below:

Example HTTP 200 OK response

HTTP/1.1 200 OK
  Content-Type: application/json
  Cache-Control: no-store
  Pragma: no-cache
 
  {
   "access_token": "XeFKw71aKiVMTAml8MNbk_ZLiqk",
   "refresh_token":"GujHL12JL2wk86xNdf1McD3nty4",
   "scope":"openid profile"
   "id_token":"eyJ0eXAiOiJKV1QiLCJraWQiOiJiL082T3ZWdjEreStXZ3JINVVpOVdUaW9MdDA9IiwiYWxnIjoiUlMyNTYifQ.ewogICJhdF9oYXNoIjogIjZUcEZsS3BRd1ZJT3RVTTZqcUJtWWciLAogICJzdWIiOiAiOTk5OTk5OTk5OTk5IiwKICAiYXVkaXRUcmFja2luZ0lkIjogImIwYzhiNWJhLWE0OWItNDhmYi1hZGJmLTVjYmU1NmUzM2YwZS0zMTY4MjgiLAogICJpc3MiOiAiaHR0cHM6Ly9hbS5uaHNkZXYucHRsLm5oc2QtZXNhLm5ldDo0NDMvb3BlbmFtL29hdXRoMi9yZWFsbXMvcm9vdC9yZWFsbXMvb2lkYyIsCiAgInRva2VuTmFtZSI6ICJpZF90b2tlbiIsCiAgImF1ZCI6ICI5OTk5OTk5OTk5OTkuYXBwcy5uYXRpb25hbCIsCiAgImNfaGFzaCI6ICIxdjZ1WUdjUU55OW5mU05KUnRPRjB3IiwKICAiYWNyIjogIkFBTDFfVVNFUlBBU1MiLAogICJvcmcuZm9yZ2Vyb2NrLm9wZW5pZGNvbm5lY3Qub3BzIjogInQyRnJaVEREXzU2RUJGZThidDB0QVpuLWQ5ZyIsCiAgInNfaGFzaCI6ICJ4M1hudDFmdDVqRE5DcUVSTzlFQ1pnIiwKICAiYXpwIjogIjk5OTk5OTk5OTk5OS5hcHBzLm5hdGlvbmFsIiwKICAiYXV0aF90aW1lIjogMTU4OTgxNjQ4OCwKICAicmVhbG0iOiAiL29pZGMiLAogICJleHAiOiAxNTg5ODIwODQ0LAogICJ0b2tlblR5cGUiOiAiSldUVG9rZW4iLAogICJpYXQiOiAxNTg5ODE3MjQ0Cn0=.iMllAqigJ2o1Iep2o65P8xESjEtNCid4j4bUNfxDcYkuXEkCjXXJScpyL80CEK3oOYCDZXy6vRCcYRn2gkglJz4_QFnP2l8SnIKsUUgL99uWTPqC7Rjtk6l0mrehSRCWqp3lpPLSzyThx484cGjgptkd_UvV5mi77VjvmBs3yVBdvW_l0iQXbrvvIsCjoCikTvK90OAhnPwF5aq36xKttXrgysdFiwkwJzVdBv_OrUYwuO9MJTvScbiDJpZj7P_DZ1e8xrhuGDHt9SpLLCLy_Ewq5ZAlb7cA7QdxTu9C3GtBQm3O-KgUgfouHHzMvcJ-mtbWNJMF-ZKGdbC4Pi7A",
    "token_type":"Bearer",
    "expires_in":3600
  }

The response body will include the following parameters:

Name

Description
access_token The Access Token which may be used to access the UserInfo endpoint. This is an opaque value.
token_type Set to Bearer.
refresh_token A Refresh Token which can be used to obtain a new Access Token.
expires_in The lifetime in seconds of the Access Token. Set to 3600 for NHS CIS2 Authentication.
id_token The Base64URL encoded ID Token. This is described further below.

ID Token

The ID Token is a security token that contains Claims about the authentication of an End-User by an Authorization Server. The ID Token is represented as a JWT as described in the JSON Web Token Specification and is signed using JWS as described in the JSON Web Signature Specification

The ID Token is comprised of three Base64URL encoded elements separated by a . character. The first element is the JOSE (JSON Object Signing and Encryption) Header describing the signing algorithm used, the second element contains the Claims and the third the signature.

JWTs may be conveniently decoded for inspection using an online website such as https://jwt.io/.

If we decode the value from the example above we get the JOSE Header below:

Example JOSE Header

{
  "typ": "JWT",
  "kid": "b/O6OvVv1+y+WgrH5Ui9WTioLt0=",
  "alg": "RS256"
}

This specifies that the token has been signed with an RSA Signature utilising the SHA-256 hashing algorithm and the key identified by the string “b/O6OvVv1+y+WgrH5Ui9WTioLt0=”. Details on how the Relying Party may obtain the public key associated with kid are given in the Key Management section.

Decoding the second element gives us the JSON object containing the Claims about the authentication of an End-User. For example:

Example authentication claims about an end-user

{
  "at_hash": "6TpFlKpQwVIOtUM6jqBmYg",
  "sub": "999999999999",
  "auditTrackingId": "b0c8b5ba-a49b-48fb-adbf-5cbe56e33f0e-316828",
  "iss": "https://am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/oidc",
  "tokenName": "id_token",
  "aud": "999999999999.apps.national",
  "c_hash": "1v6uYGcQNy9nfSNJRtOF0w",
  "acr": "AAL1_USERPASS",
  "org.forgerock.openidconnect.ops": "t2FrZTDD_56EBFe8bt0tAZn-d9g",
  "s_hash": "x3Xnt1ft5jDNCqERO9ECZg",
  "azp": "999999999999.apps.national",
  "auth_time": 1589816488,
  "realm": "/oidc",
  "exp": 1589820844,
  "tokenType": "JWTToken",
  "iat": 1589817244, 
  "sid": "330bc4641e7e0c8c5acb3e98b096cf08edeb6ba6fc1fcc254233099cb12ac119",
  "selected_roleid": "656006137102",
  "id_assurance_level": "3",
  "authentication_assurance_level":"3"
}

The third element is the signature over the JSON object. Details on how this signature is created and on how to validate it can be found in the  JSON Web Signature Specification.

The ID Token contains the following Claims of interest.

Claim Description
iss The NHS CIS2 Authentication OpenID Provider's Issue identifier as specified in the OpenID Provider Configuration Document.
sub A unique identifier for the End-User. See the Scopes and Claims section for more details.
aud The Client Identifier of the Relying Party.
exp The time on or after which the ID Token must not be accepted for processing. This is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC. The NHS CIS2 Authentication ID Tokens are set to expire after 1 hour.
iat The time at which the JWT was issued. This is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC.
auth_time The time at which the End-User authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time.
nonce String value used to associate a Client session with an ID Token, and to mitigate replay attacks. If this value provided in Authentication Request this value is passed through unmodified.
acr The Authentication Context Class Reference for the authentication event. For details of the use of acr values with NHS CIS2 Authentication see the ACR and AMR Values section.
amr The Authentication Methods Reference for the authentication event.  For details of the use of amr values with NHS CIS2 Authentication see the ACR and AMR Values  section.
at_hash A hash of the associated Access Token. For further detail on the use of this value see the Access Token Validation section below.  The at_hash value is a case sensitive string.
sid An optional session identifier e.g. 330bc4641e7e0c8c5acb3e98b096cf08edeb6ba6fc1fcc254233099cb12ac119 (this will initially only be present for Smartcard authentications - see the Session Management section)
Note that this value is solely for use with Back Channel Logout and should not be assumed to be cross-referenced to any other session identifiers in NHS CIS2 Authentication.
selected_roleid An optional value indicating the 12 digit unique identifier for the National RBAC Role Profile (roleProfileCode) that the user (optionally) selected. This value will correspond to one of the nhsid_rbac_roles.person_roleid values from the UserInfo Claims, so further information about the role profile can be determined from the corresponding claim. How the role selection is performed varies depending on the authentication method and for a smartcard the version of the Identity Agent installed, please see Role Selection for more details. Role selection isn't limited to smartcards and all authentication methods are capable of requiring the user to choose a role.
id_assurance_level The level of assurance performed on the End-User's identity. This is a string value which can take one of the following values: 0, 1, 2 or 3. These values correspond to Identity Assurance Levels as defined in the NIST Digital Identity Guidelines for Enrollment and Identity Proofing Requirements. An assurance level of IAL3 gives a very high level of assurance of the End-User's identity including checks such as physical presence for identity proofing and verification of identifying attributes by a trained and authorized individual. Relying Parties SHOULD validate that this claim has a value appropriate for their use case. For access to national clinical systems the id_assurance_level MUST be 3.

authentication_assurance

_level 

 The level of assurance of the authentication process. This value MUST be checked to ensure that an appropriate level of authentication has taken place. 
(This check replaces the ACR prefix check for AAL3*)

 

Any Claims contained in the ID Token other than those listed in the table above MUST be ignored by the Relying Party.

ID Token Validation

Relying Parties must validate the ID Token in the Token Response in the following manner:

  1. The the value of the iss Claim must exactly match the Issuer Identifier for the NHS CIS2 Authentication OpenID Provider as specified in the OpenID Provider Configuration Document.
  2. The aud Claim must contain the Relying Party's Client identifier.
  3. If the ID Token is received via direct communication between the Client and the Token Endpoint, then TLS server validation may be used to validate the issuer in place of checking the token signature (see the TLS Requirements section). The Client must validate the signature of all other ID Tokens according to  JSON Web Signature Specification using the algorithm specified in the JWT alg header parameter. The Client must use the keys provided by the NHS CIS2 Authentication OpenID Provider as described in the Key Management section. 
  4. The current time must be before the time represented by the exp Claim.
  5. If a nonce value was sent in the Authentication Request, a nonce Claim will be present and its value must be checked to verify that it is the same value as the one that was sent in the Authentication Request. The Relying Party should check the nonce value for replay attacks. 
  6. If the acr Claim was requested, the Replying Party should check that the asserted Claim Value is appropriate. For further details on NHS CIS2 Authentication's support for acr values see the ACR and AMR Values section.
  7. The Relying Party should check the auth_time Claim value and request re-authentication if it determines too much time has elapsed since the last End-User authentication. For further guidance see the Session Management section.

Access Token Validation

Relying Parties may validate the integrity of the Access Token using the value of the at_hash Claim. Its value is the base64url encoding of the left-most half of the hash of the octets of the ASCII representation of the access_token value, where the hash algorithm used is the hash algorithm used in the alg parameter of the ID Token's JOSE Header. The alg value for the NHS CIS2 Authentication OpenID Provider is RS256 so to obtain the value hash the access_token value with SHA-256, then take the left-most 128 bits and base64url encode them.

Access Token use with Spine RESTful APIs

Note that the Access Token returned from the NHS CIS2 Authentication OpenID Provider is only for use with the NHS CIS2 Authentication UserInfo Endpoint as described in the sections below.

Relying Parties wishing to use the Spine RESTful APIs must also obtain an Access Token from the API Platform as described at the following location API Platform - Security and Authorisation.

For applications wishing to use both NHS CIS2 Authentication and a User-restricted RESTful API it is recommended to use the separate authentication and authorisation model described at API Platform - Separate Authenticate and Authorisation.

Token Error Response

If the Token Request is invalid or unauthorized an HTTP 400 response will be returned as in the following example:

Example HTTP 400 response

HTTP/1.1 400 Bad Request
  Content-Type: application/json
  Cache-Control: no-store
  Pragma: no-cache
 
{
  "error_description":"The provided access grant is invalid, expired, or revoked.",
  "error":"invalid_grant"
}

UserInfo Request

The NHS CIS2 Authentication OpenID provider's ID Token only contains Claims about the authentication event and the identity of the End-User. Other information about the End-User can be requested by including additional Scopes in the authentication request (as in the example request above which includes the standard profile scope) and by presenting the Access Token from the Token Response to the UserInfo endpoint.

The Relying Party sends the UserInfo Request using either HTTP GET or HTTP POST. The Access Token obtained from an OpenID Connect Authentication Request must be sent as a Bearer Token.

It is recommended that the request use the HTTP GET method and the Access Token be sent using the Authorization header field as in the example below:

Example HTTP GET using Authorization header

GET /openam/oauth2/realms/root/realms/oidc/userinfo
  Authorization: Bearer XeFKw71aKiVMTAml8MNbk_ZLiqk

UserInfo Response

The userinfo claims will be returned in a HTTP 200 OK response as in the example below:

Example HTTP 200 OK response

HTTP/1.1 200 OK
  Content-Type: application/json
 
  {
   "sub": "999999999999",
   "name": "Smith Jane Ms",
   "given_name": "Jane",
   "family_name": "Smith"
  }

The userinfo claims will always include a sub Claim. This must be verified to exactly match the sub Claim in the ID Token; if they do not match, the UserInfo Response values must not be used.

The Relying Party should authenticate the OpenID Provider either by checking the TLS certificate (see the TLS Requirements section) or by validating the signature of the JWT if provided. For details on how to obtain a signed UserInfo Response see the next section.

More details of the Scopes and Claims that may be obtained via the UserInfo Endpoint can be found in the Scopes and Claims section.

Signed UserInfo Response

During registration the Relying Party MAY request that the UserInfo Response is signed in which case the response will contain iss and aud claims. The Relying Party SHOULD validate that both the iss value matches the NHS CIS2 Authentication OpenID Provider’s Issuer Identifier and the aud claim matches the Relying Party's Client Identifier. 

The Relying Party SHOULD validate the signature according to the JSON Web Signature Specification.

UserInfo Error Response

When a request fails, the UserInfo resource server will respond using the appropriate HTTP status code (typically, 400, 401, 403, or 405) and include an error code in the response.

The response will contain an error parameter and an error_description.

Example error response

HTTP/1.1 401 Unauthorized
  Content-Type: application/json
 
{
  "error_description":"The access token provided is expired, revoked, malformed, or invalid for other reasons.",
  "error":"invalid_token"
}

Refresh Token Use

It is anticipated that Relying Parties will only require access to the UserInfo Endpoint at the time of the original End-User authentication. This should only happen once as part of a Relying Party authentication journey and the Access Token can be used immediately, then discarded. In NHS CIS2 Authentication, there should be no other need to retrieve the User Info after this point in time. 

Therefore the use of the Refresh Token to obtain a new Access Token is not recommended.

Clients wanting to use the Refresh Token are requested to contact [email protected] to discuss their use case further.

Firewall configuration

In all environments, all of the CIS2 Authentication endpoints use dynamic IP addresses which may change on a regular basis. You MUST ensure any firewall rules or other security measures allow access via the domain name and the current set of IPs in use and do not rely on a static IP list.

CIS2 Authentication uses a content delivery network (CDN) in front of our endpoints which can cause issues if incorrectly configured proxies are used between an application and the CIS2 Authentication endpoints. Note that a proxy may legitimately be used to funnel requests over a private (HSCN) network or as a security boundary.

The CDN requires that the proxy supports both the HTTP host header and also SNI as part of the TLS handshake in order to correctly respond. Proxies solely relying on the IP address and not providing these values will see an error being returned.

An example NGINX configuration is as follows (please adjust to meet your requirements):

Example NGINX configuration

proxy_ssl_name "am.nhsidentity.spineservices.nhs.uk";
proxy_ssl_server_name on;
proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_ssl_session_reuse off;

Last edited: 4 March 2025 3:37 pm