Quick intro
Once you have a signed authentication JWT, the client can request an access token.
Client access token
At runtime the client will need to obtain an access token in order to interact with Provider Connect Australia. Such access tokens are issued by the PCA™ Identity and Access Manager, in accordance with the OAuth 2.0 Authorization Framework (RFC6749).
This specification describes requirements for requesting an access token through the use of an OAuth 2.0 flow, with a JWT assertion - RFC7523 as the client’s authentication mechanism. The exchange allows the client to authenticate itself to the PCA™ Identity and Access Manager and to request a short-lived access token in a single exchange.
To begin the exchange, the client shall use Transport Layer Security (TLS) v1.2 (RFC5246) to authenticate the identity of the PCA™ Identity and Access Manager and to establish an encrypted, integrity-protected link for securing all exchanges between the client and the PCA™ Identity and Access Manager’s token endpoint. All exchanges described herein between the client and the PCA™ Identity and Access Manager shall be secured using TLS v1.2.
System-based request
The ClientSystem requests a new access token via HTTP POST to the PCA Identity and Access Manager’s token endpoint URL, using content-type application/x-www-form-urlencoded with the following body:
| Parameter | Cardinality | Details |
|---|---|---|
| grant_type | Mandatory | Fixed value: client_credentials |
| client_id | Mandatory | As obtained from the Register client operation. |
| client_assertion_type | Mandatory | Fixed value: urn:ietf:params:oauth:client-assertion-type:jwt-bearer |
| client_assertion | Mandatory | Signed authentication JWT value (see Encode JWT) |
An example of a system-based client requesting an access token is illustrated below:
```http
POST /PcaAuthApi/v2/auth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: PostmanRuntime/7.29.0
Accept: */*
Cache-Control: no-cache
Postman-Token: d8abed19-9b92-418b-a4e3-4887674a88dd
Host: bne-drp-trp.digitalhealth.gov.au
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 902

grant_type=client_credentials&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6ImF2S0Z1Yk00UzBZYmhIbFhrQU96eGFweHJ4MV9rZEY1S0F3d1VDRVdOcDQiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiI5NDg0YWMzMC1jMDkzLTQ0YTgtYjIyMS1hMzM1OWM3ZjFlYjUiLCJzdWIiOiI5NDg0YWMzMC1jMDkzLTQ0YTgtYjIyMS1hMzM1OWM3ZjFlYjUiLCJhdWQiOiJodHRwczovL2JuZS1kcnAtdHJwLmRpZ2l0YWxoZWFsdGguZ292LmF1L1BjYUF1dGhBcGkvdjIvYXV0aC90b2tlbiIsImV4cCI6MTY0MjYzODUwMCwianRpIjoidHczbWloeHptbjhpIn0.Nw7TW3bJoH1o5gV_otEhKhMQjBIuw2NNQLQlojNtzxT91Du3W5oUNqaQFbUQ7Gfr3_6t4CoV0ReARLskFsF14dEs4GG5agdDCFmxNU9Tb1OYGqZ6dnfugnzvgrBE2LZsRN-mAmEtfW03F-8C6i9M7P1v09QSGhKgfqVW07PqTyjlqnIdu4X7-eJZ0SuHWr4K-HgWKjpnrwY0BCcsI2y3FgLMOb2q6s4DvbCc6LHI3DuD--9_VjF0WWrQlfyqCkjTvZo7XADola2H8FrfJOyYiFo_DxPIqX3GXPCGo3z6IQ1gD4GLs840Lyjoz08kMl-YmNKyOiNeFodwrVPBLEdzAQ&
client_id=9484ac30-c093-44a8-b221-a3359c7f1eb5
```

The corresponding response:

```http
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: application/json; charset=utf-8
X-Frame-Options: DENY
Date: Thu, 20 Jan 2022 00:18:14 GMT

{
"access_token":"16.1642638194.874f1fac40c4413cab4bdcb822d251ba",
"token_type":"Bearer",
"expires_in":300
}
```
System-based response
If the access token request is valid and authorised, the PCA™ Identity and Access Manager shall issue an access token in response. The access token response shall be a JSON object with the following properties:
| Parameter | Cardinality | Details |
|---|---|---|
| access_token | Mandatory | The access token issued by the PCA™ Identity and Access Manager in the form of a bearer token as described in section 3.2 of OAuth 2.0 Security (RFC6819) |
| token_type | Mandatory | Fixed value: Bearer |
| expires_in | Mandatory | The lifetime of the access token in seconds. Fixed value: 300 (a 5-minute token lifetime). |
The scope of this access token corresponds to the relevant Authorisations of the ClientSystem, as described in the Roles section of Register client.
The response is a bearer token that lets the ClientSystem retrieve resources from, and publish to, the PCA™ for a 5-minute time period, after which the client will need to obtain a new access token using the same operation.
User-based request
The ClientSystem requests a new access token via HTTP POST to the PCA™ Identity and Access Manager’s token endpoint URL, using content-type application/x-www-form-urlencoded with the following body:
| Parameter | Cardinality | Details |
|---|---|---|
| grant_type | Mandatory | Fixed value: authorization_code |
| code | Mandatory | The authorization code provided by the PCA™ Identity and Access Manager |
| client_id | Mandatory | As obtained from the Register client operation. |
| client_assertion_type | Mandatory | Fixed value: urn:ietf:params:oauth:client-assertion-type:jwt-bearer |
| client_assertion | Mandatory | Signed authentication JWT value (see Encode JWT) |
User-based response
If the access token request is valid and authorised, the PCA Identity and Access Manager shall issue an access token in response. The access token response shall be a JSON object with the following properties:
| Parameter | Cardinality | Details |
|---|---|---|
| access_token | Mandatory | The access token issued by the PCA™ Identity and Access Manager in the form of a bearer token as described in section 3.2 of OAuth 2.0 Security (RFC6819) |
| token_type | Mandatory | Fixed value: Bearer |
| expires_in | Mandatory | The lifetime of the access token is 300 seconds (5 minutes). |
The scope of this access token corresponds to the relevant Authorisations of the PCAUser to which the authorization code was previously linked, as described in Get authorization code.
The response is a bearer token that lets the ClientSystem retrieve resources from, and publish to, the PCA™ for a 5-minute time period, after which the client will need to obtain a new access token using the same operation.
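The following is an added example (not code from the PCA™ project) of a client that builds both the system-based and the user-based token request bodies described above, enforces TLS 1.2 as a minimum when posting to the token endpoint, validates the response against the fixed values in the tables, and tracks the 300-second lifetime so a new token is requested before the old one expires. The endpoint URL is taken from the request example on this page; the safety margin is an assumption.

```python
import json
import ssl
import time
import urllib.parse
import urllib.request

# Endpoint as shown in the request example on this page.
TOKEN_URL = "https://bne-drp-trp.digitalhealth.gov.au/PcaAuthApi/v2/auth/token"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def build_token_body(client_id, client_assertion, code=None):
    """Form body for the token endpoint. Without `code` this is the
    system-based request (client_credentials); with `code` it is the
    user-based request (authorization_code). urlencode percent-encodes
    the ':' characters of the assertion type, as in the page's example."""
    params = {
        "grant_type": "authorization_code" if code else "client_credentials",
        "client_id": client_id,
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": client_assertion,
    }
    if code:
        params["code"] = code
    return urllib.parse.urlencode(params)


def parse_token_response(raw, now=None):
    """Check the JSON response against the spec's fixed values and return
    the token with an absolute expiry time (seconds since the epoch)."""
    data = json.loads(raw)
    if data.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    expires_in = int(data["expires_in"])
    if expires_in <= 0:
        raise ValueError("non-positive expires_in")
    now = time.time() if now is None else now
    return {"access_token": data["access_token"], "expires_at": now + expires_in}


def token_usable(token, now, safety_margin=30):
    """True while more than `safety_margin` seconds (assumed value) remain;
    once False, the client must request a new token with the same operation."""
    return now < token["expires_at"] - safety_margin


def request_token(body):
    """POST the body to the token endpoint over TLS 1.2 or later (network call)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    req = urllib.request.Request(TOKEN_URL, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read()
```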