Guide DG-3061
Status: Active
Version: 1.0

Quick intro

Once you have a signed authentication JWT, the client can use it to request an access token.

Client access token

At runtime the client needs an access token in order to interact with Provider Connect Australia (PCA). Access tokens are issued by the PCA Identity and Access Manager in accordance with the OAuth 2.0 Authorization Framework (RFC 6749).

This specification describes the requirements for requesting an access token through an OAuth 2.0 flow in which a JWT assertion (RFC 7523) is the client's authentication mechanism. The exchange lets the client authenticate itself to the PCA Identity and Access Manager and obtain a short-lived access token in a single round trip.

Before beginning the exchange, the client shall use Transport Layer Security (TLS) v1.2 (RFC 5246) to authenticate the identity of the PCA Identity and Access Manager and to establish an encrypted, integrity-protected channel for all traffic between the client and the PCA Identity and Access Manager's token endpoint. Every exchange described here between the client and the PCA Identity and Access Manager shall be secured with TLS v1.2.
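As an added example (not code from the PCA documentation or the Agency), the following Python shows how a client satisfies the TLS requirement above: a context that refuses anything below TLS 1.2 and verifies the IAM's certificate chain and host name, shown beside the non-verifying configuration a client must avoid. The host and path are the ones in the request example on this page; the function names are assumptions.

```python
import http.client
import ssl

# Host and path of the PCA Identity and Access Manager token endpoint as shown in
# the request example on this page.
PCA_IAM_HOST = "bne-drp-trp.digitalhealth.gov.au"
TOKEN_PATH = "/PcaAuthApi/v2/auth/token"


def pca_tls_context() -> ssl.SSLContext:
    """Client context meeting the requirement: TLS 1.2 or newer, and the IAM's
    certificate chain and host name verified (create_default_context enables both)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse a downgrade to TLS 1.0/1.1
    return ctx


def insecure_context_do_not_use() -> ssl.SSLContext:
    """Anti-pattern, shown only for contrast: any certificate is accepted, so the
    client cannot know it is talking to the PCA IAM before it sends its assertion."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the three settings that matter for this exchange (assumed helper)."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def verifies_server(ctx: ssl.SSLContext) -> bool:
    """True only if the context authenticates the server and enforces TLS >= 1.2."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def token_endpoint_connection(host: str = PCA_IAM_HOST) -> http.client.HTTPSConnection:
    """HTTPS connection to the token endpoint; the handshake authenticates the IAM
    before any form data is sent. Only opens the socket when a request is made."""
    return http.client.HTTPSConnection(host, context=pca_tls_context())


if __name__ == "__main__":
    print("hardened:", describe_context(pca_tls_context()))
    print("insecure:", describe_context(insecure_context_do_not_use()))
```

The point of verifying the server here is to protect the client credential, not just the response: with a non-verifying context an on-path attacker could terminate the TLS session, collect the client_assertion from the POST body and replay it against the real token endpoint until the assertion's exp elapses.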

System-based request

The ClientSystem requests a new access token by sending an HTTP POST to the PCA Identity and Access Manager's token endpoint URL with Content-Type application/x-www-form-urlencoded and the following body parameters:

Parameter | Cardinality | Details
grant_type | Mandatory | Fixed value: client_credentials
client_id | Mandatory | As obtained from the Register client operation.
client_assertion_type | Mandatory | Fixed value: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_assertion | Mandatory | Signed authentication JWT value (see Encode JWT)

An example of a system-based client requesting an access token, together with the PCA Identity and Access Manager's response, is shown below (the User-Agent and Postman-Token headers come from the tool used to capture it and are not part of the request requirements):

POST /PcaAuthApi/v2/auth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: PostmanRuntime/7.29.0
Accept: */*
Cache-Control: no-cache
Postman-Token: d8abed19-9b92-418b-a4e3-4887674a88dd
Host: bne-drp-trp.digitalhealth.gov.au
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 902

grant_type=client_credentials&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6ImF2S0Z1Yk00UzBZYmhIbFhrQU96eGFweHJ4MV9rZEY1S0F3d1VDRVdOcDQiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiI5NDg0YWMzMC1jMDkzLTQ0YTgtYjIyMS1hMzM1OWM3ZjFlYjUiLCJzdWIiOiI5NDg0YWMzMC1jMDkzLTQ0YTgtYjIyMS1hMzM1OWM3ZjFlYjUiLCJhdWQiOiJodHRwczovL2JuZS1kcnAtdHJwLmRpZ2l0YWxoZWFsdGguZ292LmF1L1BjYUF1dGhBcGkvdjIvYXV0aC90b2tlbiIsImV4cCI6MTY0MjYzODUwMCwianRpIjoidHczbWloeHptbjhpIn0.Nw7TW3bJoH1o5gV_otEhKhMQjBIuw2NNQLQlojNtzxT91Du3W5oUNqaQFbUQ7Gfr3_6t4CoV0ReARLskFsF14dEs4GG5agdDCFmxNU9Tb1OYGqZ6dnfugnzvgrBE2LZsRN-mAmEtfW03F-8C6i9M7P1v09QSGhKgfqVW07PqTyjlqnIdu4X7-eJZ0SuHWr4K-HgWKjpnrwY0BCcsI2y3FgLMOb2q6s4DvbCc6LHI3DuD--9_VjF0WWrQlfyqCkjTvZo7XADola2H8FrfJOyYiFo_DxPIqX3GXPCGo3z6IQ1gD4GLs840Lyjoz08kMl-YmNKyOiNeFodwrVPBLEdzAQ&
client_id=9484ac30-c093-44a8-b221-a3359c7f1eb5

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: application/json; charset=utf-8
X-Frame-Options: DENY
Date: Thu, 20 Jan 2022 00:18:14 GMT

{
"access_token":"16.1642638194.874f1fac40c4413cab4bdcb822d251ba",
"token_type":"Bearer",
"expires_in":300
}

System-based response

If the access token request is valid and authorised, the PCA Identity and Access Manager shall issue an access token in response. The access token response shall be a JSON object with the following properties:

Parameter | Cardinality | Details
access_token | Mandatory | The access token issued by the PCA Identity and Access Manager, in the form of a bearer token as described in section 3.2 of OAuth 2.0 Threat Model and Security Considerations (RFC 6819)
token_type | Mandatory | Fixed value: Bearer
expires_in | Mandatory | Lifetime of the access token in seconds. Fixed value: 300 (a 5-minute token lifetime).

The scope of this access token corresponds to the Authorisations granted to the ClientSystem, as described in the roles section of the Register client operation.

The response is a bearer token that lets the ClientSystem retrieve resources from, and publish to, the PCA for 5 minutes, after which the client must obtain a new access token by repeating this operation. Because it is a bearer token, anyone who presents it is granted the ClientSystem's Authorisations, so the client should keep it out of logs and URLs and send it only over TLS to the PCA.

User-based request

The ClientSystem requests a new access token by sending an HTTP POST to the PCA Identity and Access Manager's token endpoint URL with Content-Type application/x-www-form-urlencoded and the following body parameters:

Parameter | Cardinality | Details
grant_type | Mandatory | Fixed value: authorization_code
code | Mandatory | The authorization code provided by the PCA Identity and Access Manager (see Get authorization code)
client_id | Mandatory | As obtained from the Register client operation.
client_assertion_type | Mandatory | Fixed value: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_assertion | Mandatory | Signed authentication JWT value (see Encode JWT)

User-based response

If the access token request is valid and authorised, the PCA Identity and Access Manager shall issue an access token in response. The access token response shall be a JSON object with the following properties:

Parameter | Cardinality | Details
access_token | Mandatory | The access token issued by the PCA Identity and Access Manager, in the form of a bearer token as described in section 3.2 of OAuth 2.0 Threat Model and Security Considerations (RFC 6819)
token_type | Mandatory | Fixed value: Bearer
expires_in | Mandatory | Lifetime of the access token in seconds. Fixed value: 300 (a 5-minute token lifetime).

The scope of this access token corresponds to the Authorisations of the PCAUser to whom the authorization code was previously linked, as described in the Get authorization code operation.

The response is a bearer token that lets the ClientSystem retrieve resources from, and publish to, the PCA on behalf of that PCAUser for 5 minutes, after which the client must obtain a new access token by repeating this operation.
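The system-based and user-based requests above differ only in grant_type and in the presence of code. The following Python is an added example, not code from the PCA documentation or the Agency: it builds either request body, sanity-checks the client assertion's claims against what RFC 7523 requires before sending it, and tracks the absolute expiry of the 300-second bearer token that comes back. It uses only the standard library and the token endpoint, client_id, client assertion and response body from the example on this page; the authorization code value, the 30-second refresh margin and the function names are assumptions. Signature verification is deliberately absent: the client is inspecting an assertion it produced itself, and it must never treat a decoded-but-unverified token from anyone else as trustworthy.

```python
"""Added example (not the PCA documentation's own code): build the token request
for either grant type, sanity-check the client assertion before sending it, and
track the 300-second bearer token that comes back. Standard library only."""
from __future__ import annotations

import base64
import json
from dataclasses import dataclass
from urllib.parse import urlencode

# Values taken from the request/response example on this page.
TOKEN_ENDPOINT = "https://bne-drp-trp.digitalhealth.gov.au/PcaAuthApi/v2/auth/token"
CLIENT_ID = "9484ac30-c093-44a8-b221-a3359c7f1eb5"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
CLIENT_ASSERTION = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6ImF2S0Z1Yk00UzBZYmhIbFhrQU96eGFweHJ4MV9rZEY1S0F3d1VDRVdOcDQiLCJ0eXAiOiJKV1QifQ"
    ".eyJpc3MiOiI5NDg0YWMzMC1jMDkzLTQ0YTgtYjIyMS1hMzM1OWM3ZjFlYjUiLCJzdWIiOiI5NDg0YWMzMC1jMDkzLTQ0YTgtYjIyMS1hMzM1OWM3ZjFlYjUiLCJhdWQiOiJodHRwczovL2JuZS1kcnAtdHJwLmRpZ2l0YWxoZWFsdGguZ292LmF1L1BjYUF1dGhBcGkvdjIvYXV0aC90b2tlbiIsImV4cCI6MTY0MjYzODUwMCwianRpIjoidHczbWloeHptbjhpIn0"
    ".Nw7TW3bJoH1o5gV_otEhKhMQjBIuw2NNQLQlojNtzxT91Du3W5oUNqaQFbUQ7Gfr3_6t4CoV0ReARLskFsF14dEs4GG5agdDCFmxNU9Tb1OYGqZ6dnfugnzvgrBE2LZsRN-mAmEtfW03F-8C6i9M7P1v09QSGhKgfqVW07PqTyjlqnIdu4X7-eJZ0SuHWr4K-HgWKjpnrwY0BCcsI2y3FgLMOb2q6s4DvbCc6LHI3DuD--9_VjF0WWrQlfyqCkjTvZo7XADola2H8FrfJOyYiFo_DxPIqX3GXPCGo3z6IQ1gD4GLs840Lyjoz08kMl-YmNKyOiNeFodwrVPBLEdzAQ"
)
SAMPLE_RESPONSE = ('{"access_token":"16.1642638194.874f1fac40c4413cab4bdcb822d251ba",'
                   '"token_type":"Bearer","expires_in":300}')
SAMPLE_RECEIVED_AT = 1642637894  # the response's Date header, 20 Jan 2022 00:18:14 GMT


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """(header, claims) WITHOUT checking the signature: fine for inspecting an
    assertion this client made, never for trusting a token received from elsewhere."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_assertion_claims(assertion: str, client_id: str, token_endpoint: str, now: int) -> list[str]:
    """Pre-flight checks matching RFC 7523 section 3 and the claims in the page's
    example assertion; returns the problems found (empty list means usable)."""
    header, claims = decode_jwt_unverified(assertion)
    problems = []
    if header.get("alg") != "RS256" or not header.get("kid"):  # as in the page's example
        problems.append("header must be RS256 with the kid of the registered key")
    if claims.get("iss") != client_id:
        problems.append("iss must be the client_id")
    if claims.get("sub") != client_id:
        problems.append("sub must be the client_id")
    if claims.get("aud") != token_endpoint:
        problems.append("aud must be the token endpoint URL")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("exp missing or already passed")
    if not claims.get("jti"):
        problems.append("jti missing (unique id that lets the server detect replay)")
    return problems


def build_token_request(client_id: str, client_assertion: str, *,
                        grant_type: str = "client_credentials",
                        code: str | None = None) -> tuple[dict[str, str], str]:
    """Headers and form-encoded body for the system-based (client_credentials) or
    user-based (authorization_code) request; code comes from Get authorization code."""
    params = {
        "grant_type": grant_type,
        "client_id": client_id,
        "client_assertion_type": JWT_BEARER,
        "client_assertion": client_assertion,
    }
    if grant_type == "authorization_code":
        if not code:
            raise ValueError("authorization_code grant requires the code parameter")
        params["code"] = code
    elif grant_type != "client_credentials":
        raise ValueError(f"unsupported grant_type {grant_type!r}")
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    return headers, urlencode(params)


@dataclass(frozen=True)
class AccessToken:
    value: str
    expires_at: int  # epoch seconds: receipt time + expires_in

    def authorization_header(self) -> str:
        return f"Bearer {self.value}"

    def needs_refresh(self, now: int, margin_seconds: int = 30) -> bool:
        """Re-run the token request a little early (margin is an assumed value) so a
        call in flight at the 5-minute mark is not rejected."""
        return now >= self.expires_at - margin_seconds


def parse_token_response(body: str, received_at: int) -> AccessToken:
    """Validate the JSON response described above and pin its absolute expiry."""
    data = json.loads(body)
    if str(data.get("token_type")).lower() != "bearer":  # RFC 6749: type is case-insensitive
        raise ValueError(f"unexpected token_type {data.get('token_type')!r}")
    token, expires_in = data.get("access_token"), data.get("expires_in")
    if not isinstance(token, str) or not token or not isinstance(expires_in, int) or expires_in <= 0:
        raise ValueError("response lacks access_token or a positive expires_in")
    return AccessToken(value=token, expires_at=received_at + expires_in)


if __name__ == "__main__":
    print("assertion problems:", check_assertion_claims(CLIENT_ASSERTION, CLIENT_ID, TOKEN_ENDPOINT, SAMPLE_RECEIVED_AT))
    _, body = build_token_request(CLIENT_ID, CLIENT_ASSERTION)
    print("POST body:", body[:96] + "...")
    tok = parse_token_response(SAMPLE_RESPONSE, SAMPLE_RECEIVED_AT)
    print(tok.authorization_header(), "needs refresh at", tok.expires_at - 30)
```

Decoding the page's own assertion shows the shape the IAM expects: iss and sub both equal the client_id, aud is the full token endpoint URL, exp is a short time in the future and jti is a fresh identifier. Computing expires_at from the receipt time rather than trusting a wall-clock comparison against expires_in later avoids a class of off-by-minutes bugs when the token is cached across calls.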


Trade marks of the Australian Digital Health Agency: 
Provider Connect Australia™, Helping healthcare providers stay connected™
