Quick intro
Once you have a signed authentication JWT, the client can request an access token.
Client access token
At runtime the client will need to obtain an access token in order to interact with Provider Connect Australia (PCA). Such access tokens are issued by the PCA Identity and Access Manager, in accordance with the OAuth 2.0 Authorization Framework - RFC6749.
This specification describes requirements for requesting an access token through the use of an OAuth 2.0 client credentials flow, with a JWT assertion - RFC7523 as the client’s authentication mechanism. The exchange allows the client to authenticate itself to the PCA Identity and Access Manager and to request a short-lived access token in a single exchange.
To begin the exchange, the client shall use Transport Layer Security (TLS) v1.2 - RFC5246 to authenticate the identity of the PCA Identity and Access Manager and to establish an encrypted, integrity-protected link for securing all exchanges between the client and the PCA Identity and Access Manager’s token endpoint. All exchanges described herein between the client and the PCA Identity and Access Manager shall be secured using TLS v1.2.
The client requests a new access token via HTTP POST to the PCA Identity and Access Manager’s token endpoint URL, using content-type application/x-www-form-urlencoded with the following body:
Parameter | Cardinality | Details |
---|---|---|
grant_type | Mandatory | Fixed value: client_credentials |
client_id | Mandatory | As obtained from client registration operation. |
client_assertion_type | Mandatory | Fixed value: urn:ietf:params:oauth:client-assertion-type:jwt-bearer |
client_assertion | Mandatory | Signed authentication JWT value (See Encode JWT) |
An example of a system requesting an access token is illustrated below:
Access token request
```http
POST /PcaAuthApi/v2/auth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: PostmanRuntime/7.29.0
Accept: */*
Cache-Control: no-cache
Postman-Token: d8abed19-9b92-418b-a4e3-4887674a88dd
Host: bne-drp-trp.digitalhealth.gov.au
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 902

grant_type=client_credentials&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6ImF2S0Z1Yk00UzBZYmhIbFhrQU96eGFweHJ4MV9rZEY1S0F3d1VDRVdOcDQiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiI5NDg0YWMzMC1jMDkzLTQ0YTgtYjIyMS1hMzM1OWM3ZjFlYjUiLCJzdWIiOiI5NDg0YWMzMC1jMDkzLTQ0YTgtYjIyMS1hMzM1OWM3ZjFlYjUiLCJhdWQiOiJodHRwczovL2JuZS1kcnAtdHJwLmRpZ2l0YWxoZWFsdGguZ292LmF1L1BjYUF1dGhBcGkvdjIvYXV0aC90b2tlbiIsImV4cCI6MTY0MjYzODUwMCwianRpIjoidHczbWloeHptbjhpIn0.Nw7TW3bJoH1o5gV_otEhKhMQjBIuw2NNQLQlojNtzxT91Du3W5oUNqaQFbUQ7Gfr3_6t4CoV0ReARLskFsF14dEs4GG5agdDCFmxNU9Tb1OYGqZ6dnfugnzvgrBE2LZsRN-mAmEtfW03F-8C6i9M7P1v09QSGhKgfqVW07PqTyjlqnIdu4X7-eJZ0SuHWr4K-HgWKjpnrwY0BCcsI2y3FgLMOb2q6s4DvbCc6LHI3DuD--9_VjF0WWrQlfyqCkjTvZo7XADola2H8FrfJOyYiFo_DxPIqX3GXPCGo3z6IQ1gD4GLs840Lyjoz08kMl-YmNKyOiNeFodwrVPBLEdzAQ&
client_id=9484ac30-c093-44a8-b221-a3359c7f1eb5
```

The token endpoint's response:

```http
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: application/json; charset=utf-8
X-Frame-Options: DENY
Date: Thu, 20 Jan 2022 00:18:14 GMT

{
"access_token":"16.1642638194.874f1fac40c4413cab4bdcb822d251ba",
"token_type":"Bearer",
"expires_in":300
}
```
PCA Identity and Access Manager
If the access token request is valid and authorised, the PCA Identity and Access Manager shall issue an access token in response. The access token response shall be a JSON object with the following properties:
Parameter | Cardinality | Details |
---|---|---|
access_token | Mandatory | The access token issued by the PCA Identity and Access Manager in the form of a bearer token as described in section 3.2 of OAuth 2.0 Security – RFC6819 |
token_type | Mandatory | Fixed value: Bearer |
expires_in | Mandatory | The lifetime of the access token in seconds. Fixed value: 300 (a 5 minute token lifetime). |
The response is a bearer token that enables the client to retrieve resources from, and publish to, the PCA for a 5 minute period, after which the client must obtain a new access token using the same operation.
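As an added example (not code from the PCA documentation), the following builds the client credentials + JWT bearer token request described above, with the fixed parameter values from the request table, and parses the JSON token response into a record with an absolute expiry so the client knows when to repeat the operation. The endpoint URL is the one shown in the sample request; the JWT string and response body used in testing are constructed placeholders.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request

# Token endpoint as shown in the sample request above (host + path).
TOKEN_ENDPOINT = "https://bne-drp-trp.digitalhealth.gov.au/PcaAuthApi/v2/auth/token"
# Fixed value required by the client_assertion_type parameter (RFC 7523).
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def build_token_request(client_id: str, client_assertion: str) -> Request:
    """Return an unsent HTTP POST carrying the four mandatory form parameters."""
    body = urlencode({
        "grant_type": "client_credentials",       # fixed value
        "client_id": client_id,                   # from client registration
        "client_assertion_type": ASSERTION_TYPE,  # fixed value
        "client_assertion": client_assertion,     # signed authentication JWT
    }).encode()
    return Request(
        TOKEN_ENDPOINT, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Accept": "application/json"},
    )


def parse_token_response(raw: bytes, now: float) -> dict:
    """Check the three mandatory properties and attach an absolute expiry."""
    doc = json.loads(raw)
    for key in ("access_token", "token_type", "expires_in"):
        if key not in doc:
            raise ValueError(f"token response missing {key}")
    # token_type is case-insensitive per RFC 6749 section 5.1; PCA returns "Bearer".
    if doc["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {doc['token_type']!r}")
    return {"access_token": doc["access_token"],
            "expires_at": now + int(doc["expires_in"])}


def needs_refresh(token: dict, now: float, margin: float = 30.0) -> bool:
    """True once the token is expired or within `margin` seconds of expiring,
    so a new request is made before a call to the PCA fails with 401."""
    return now >= token["expires_at"] - margin
```

Send the request with `urllib.request.urlopen` over TLS v1.2 and pass the response body and the current time to `parse_token_response`.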