6. Signatures

JSON Web Signatures

Depending on the transport through which the messages are sent, the integrity of the message might not be guaranteed and the originator of the message might not be authenticated. To mitigate these risks, ID Token, UserInfo Response and Client Authentication JWT values can utilize JSON Web Signature as described in the JSON Web Signature Specification.

The NHS CIS2 Authentication OpenID Provider advertises its supported signing algorithms in its OpenID Provider Configuration Document, which is described further in the Discovery section. Its public keys are advertised via a JSON Web Key Set Endpoint; Relying Parties wishing to validate signatures generated by NHS CIS2 Authentication MUST be able to use that endpoint as described in the Key Management section.

NHS CIS2 Authentication will use the RS256 algorithm to sign JWTs unless specifically requested to do otherwise.

Client Authentication by private_key_jwt

Relying Parties wishing to use signed Client Authentication JWTs MUST declare their signing algorithms as part of the registration process. Relying Parties wishing to use a private key to sign the JWT MUST provide a JSON Web Key Set Endpoint as described in the Key Management section.

Last edited: 18 June 2024 2:41 pm