
2. Discovery

Configuration information

Relying Parties can obtain configuration information about a NHS CIS2 Authentication OpenID Provider by accessing the OpenID Provider Configuration Document at one of the well known endpoints listed below:

Dev OIDC

GET https://am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk/openam/oauth2/realms/root/realms/oidc/.well-known/openid-configuration

Dev Healthcare

GET https://am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/.well-known/openid-configuration

Int Healthcare

GET https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/.well-known/openid-configuration

Live Healthcare

GET https://am.nhsidentity.spineservices.nhs.uk/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/.well-known/openid-configuration

Notable claims

The OpenID Provider Configuration Document contains the following notable items:

Claims Description
issuer This is the OpenID Provider's Issuer Identifier, a case-sensitive URL that is returned as the `iss` claim in every ID Token created by the OpenID Provider. Relying Parties must compare the `iss` claim against this value as an exact string match. Note that the value returned by the configuration document includes the explicit `:443` port (for example `https://am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/oidc`) even though the well-known URLs above omit it, so validate against the discovered `issuer` value rather than against the URL you fetched the document from.
 
scopes_supported This is the list of Scopes supported by the OpenID Provider. For further information on the scopes provided by NHS CIS2 Authentication see the Scopes and Claims section.
acr_values_supported This is the list of Authentication Context Class References supported by the OpenID Provider. An ACR corresponds to a supported authentication mechanism. A Relying Party that requires a particular authentication strength should check the `acr` claim in the returned ID Token rather than assuming the value it requested was honoured; the list differs per environment (the Dev OIDC example below advertises only `AAL1_USERPASS`). For further details see the ACR and AMR Values section.
authorization_endpoint   This is the URL of the OpenID Provider's OAuth 2.0 Authorization Endpoint to which Authentication Requests should be submitted.
token_endpoint This is the URL of the OpenID Provider's OAuth 2.0 Token Endpoint at which an Authorization Code can be exchanged for an ID Token and Access Token.
userinfo_endpoint This is the URL of the OpenID Provider's OAuth 2.0 Userinfo Endpoint at which Claims about an End-User can be obtained using an Access Token.
jwks_uri This is the URL of the OpenID Provider's JSON Web Key Set document. It contains the public signing key(s) the Relying Party uses to validate ID Token signatures. Relying Parties should select the key by the token's `kid`, accept only the asymmetric signing algorithm(s) agreed for their client (the document advertises both asymmetric and HMAC algorithms), and never trust the `alg` header of an unverified token to decide how it is validated. See the key management section for further details, including how to handle key rotation.

OpenID Provider Configuration Document

The response is a JSON document containing a set of Claims about the OpenID Provider's configuration, including all necessary endpoints and public key location information. The example below is the document returned by the Dev OIDC realm; the endpoint URLs, `issuer`, supported scopes and ACR values differ per environment and realm, so fetch the configuration document from the environment you are integrating with rather than copying values from this example.

Response JSON document

{
   "request_parameter_supported":true,
   "claims_parameter_supported":false,
   "introspection_endpoint":"https://am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/oidc/introspect",
   "check_session_iframe":"https://am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/oidc/connect/checkSession",
   "scopes_supported":[
      "orgaccess",
      "universalaccess",
      "openid",
      "nationalrbacaccess",
      "profile",
      "professionalmemberships",
      "nhsperson",
      "odscodes",
      "organisationalmemberships",
      "associatedorgs",
      "email"
   ],
   "issuer":"https://am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/oidc",
   "id_token_encryption_enc_values_supported":[
      "A256GCM",
      "A192GCM",
      "A128GCM",
      "A128CBC-HS256",
      "A192CBC-HS384",
      "A256CBC-HS512"
   ],
   "acr_values_supported":[
      "AAL1_USERPASS"
   ],
   "userinfo_encryption_enc_values_supported":[
      "A256GCM",
      "A192GCM",
      "A128GCM",
      "A128CBC-HS256",
      "A192CBC-HS384",
      "A256CBC-HS512"
   ],
   "authorization_endpoint":"https://am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/oidc/authorize",
   "request_object_encryption_enc_values_supported":[
      "A256GCM",
      "A192GCM",
      "A128GCM",
      "A128CBC-HS256",
      "A192CBC-HS384",
      "A256CBC-HS512"
   ],
   "rcs_request_encryption_alg_values_supported":[
      "RSA-OAEP",
      "RSA-OAEP-256",
      "A128KW",
      "RSA1_5",
      "A256KW",
      "dir",
      "A192KW"
   ],
   "claims_supported":[
      "nhsid_useruid",
      "mail",
      "gdc_id",
      "gmp_id",
      "consultant_id",
      "primary_org",
      "nhsid_org_roles",
      "gmc_id",
      "title",
      "given_name",
      "uid",
      "rcn_id",
      "nhsid_user_orgs",
      "nhsid_nrbac_roles",
      "nmc_id",
      "name",
      "idassurancelevel",
      "odscodes",
      "org_access",
      "nhsid_uni_roles",
      "family_name",
      "gphc_id",
      "gdp_id"
   ],
   "userinfo_signing_alg_values_supported":[
      "ES384",
      "HS256",
      "HS512",
      "ES256",
      "RS256",
      "HS384",
      "ES512"
   ],
   "rcs_request_signing_alg_values_supported":[
      "ES384",
      "HS256",
      "HS512",
      "ES256",
      "RS256",
      "HS384",
      "ES512"
   ],
   "token_endpoint_auth_methods_supported":[
      "client_secret_post",
      "private_key_jwt",
      "self_signed_tls_client_auth",
      "tls_client_auth",
      "none",
      "client_secret_basic"
   ],
   "tls_client_certificate_bound_access_tokens":true,
   "token_endpoint":"https://am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/oidc/access_token",
   "response_types_supported":[
      "code token id_token",
      "code",
      "code id_token",
      "device_code",
      "id_token",
      "code token",
      "none",
      "token",
      "token id_token"
   ],
   "request_uri_parameter_supported":true,
   "rcs_response_encryption_enc_values_supported":[
      "A256GCM",
      "A192GCM",
      "A128GCM",
      "A128CBC-HS256",
      "A192CBC-HS384",
      "A256CBC-HS512"
   ],
   "userinfo_encryption_alg_values_supported":[
      "RSA-OAEP",
      "RSA-OAEP-256",
      "A128KW",
      "A256KW",
      "RSA1_5",
      "dir",
      "A192KW"
   ],
   "grant_types_supported":[
      "refresh_token",
      "authorization_code"
   ],
   "end_session_endpoint":"https://am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/oidc/connect/endSession",
   "rcs_request_encryption_enc_values_supported":[
      "A256GCM",
      "A192GCM",
      "A128GCM",
      "A128CBC-HS256",
      "A192CBC-HS384",
      "A256CBC-HS512"
   ],
   "version":"3.0",
   "rcs_response_encryption_alg_values_supported":[
      "RSA-OAEP",
      "RSA-OAEP-256",
      "A128KW",
      "A256KW",
      "RSA1_5",
      "dir",
      "A192KW"
   ],
   "userinfo_endpoint":"https://am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/oidc/userinfo",
   "token_endpoint_auth_signing_alg_values_supported":[
      "PS384",
      "ES384",
      "RS384",
      "HS256",
      "HS512",
      "ES256",
      "RS256",
      "HS384",
      "ES512",
      "PS256",
      "PS512",
      "RS512"
   ],
   "require_request_uri_registration":true,
   "id_token_encryption_alg_values_supported":[
      "RSA-OAEP",
      "RSA-OAEP-256",
      "A128KW",
      "A256KW",
      "RSA1_5",
      "dir",
      "A192KW"
   ],
   "jwks_uri":"https://am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/oidc/connect/jwk_uri",
   "subject_types_supported":[
      "public"
   ],
   "id_token_signing_alg_values_supported":[
      "ES384",
      "HS256",
      "HS512",
      "ES256",
      "RS256",
      "HS384",
      "ES512"
   ],
   "registration_endpoint":"https://am.nhsdev.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/oidc/register",
   "request_object_signing_alg_values_supported":[
      "ES384",
      "HS256",
      "HS512",
      "ES256",
      "RS256",
      "HS384",
      "ES512"
   ],
   "request_object_encryption_alg_values_supported":[
      "RSA-OAEP",
      "RSA-OAEP-256",
      "A128KW",
      "A256KW",
      "RSA1_5",
      "dir",
      "A192KW"
   ],
   "rcs_response_signing_alg_values_supported":[
      "ES384",
      "HS256",
      "HS512",
      "ES256",
      "RS256",
      "HS384",
      "ES512"
   ]
}

Firewall configuration

In all environments, all of the CIS2 Authentication endpoints use dynamic IP addresses which may change on a regular basis. You should ensure any firewall rules or other security measures allow access via the domain name and the current set of IPs in use and do not rely on a static IP list.

CIS2 Authentication uses a content delivery network (CDN) in front of our endpoints which can cause issues if incorrectly configured proxies are used between an application and the CIS2 Authentication endpoints. Note that a proxy may legitimately be used to funnel requests over a private (HSCN) network or as a security boundary.

The CDN requires that the proxy supports both the HTTP host header and also SNI as part of the TLS handshake in order to correctly respond. Proxies solely relying on the IP address and not providing these values will see an error being returned.

An example NGINX configuration is as follows. The example targets the Live host; set the name to the hostname of the environment you are connecting to, and adjust the rest to meet your requirements:

Example NGINX configuration

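# Hostname sent as SNI and used for the certificate name check. Use the host of
# the CIS2 environment you are targeting (this example is Live).
proxy_ssl_name "am.nhsidentity.spineservices.nhs.uk";
# Send SNI in the TLS handshake; the CDN will not serve requests without it.
proxy_ssl_server_name on;
proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_ssl_session_reuse off;
# Verify the upstream certificate. NGINX's proxy_ssl_verify default is off, so a
# proxy built from the SNI lines alone would accept any certificate presented for
# this name. Point proxy_ssl_trusted_certificate at your CA bundle (path is
# distro-specific) and raise verify_depth if the served chain is longer.
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;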

Last edited: 21 August 2024 9:12 am