Guide DG-3061
Status: Active
Version: 1.0
Created:
Updated:

Quick intro

Once you have a signed authentication JWT, the client can request an access token.

Client access token

At runtime the client needs an access token in order to interact with Provider Connect Australia (PCA). Access tokens are issued by the PCA Identity and Access Manager in accordance with the OAuth 2.0 Authorization Framework - RFC6749.

This specification describes the requirements for requesting an access token using the OAuth 2.0 client credentials grant, with a JWT assertion - RFC7523 as the client's authentication mechanism. The exchange lets the client authenticate itself to the PCA Identity and Access Manager and obtain a short-lived access token in a single round trip.

To begin the exchange, the client shall use Transport Layer Security (TLS) v1.2 - RFC5246 to authenticate the PCA Identity and Access Manager (by validating its server certificate) and to establish an encrypted, integrity-protected channel for all traffic between the client and the token endpoint. Every exchange described here between the client and the PCA Identity and Access Manager shall be secured with TLS v1.2.

The client requests a new access token via HTTP POST to the PCA Identity and Access Manager’s token endpoint URL, using content-type application/x-www-form-urlencoded with the following body:

Parameter | Cardinality | Details
grant_type | Mandatory | Fixed value: client_credentials
client_id | Mandatory | As obtained from the client registration operation.
client_assertion_type | Mandatory | Fixed value: urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_assertion | Mandatory | The signed authentication JWT (see Encode JWT).

Access token request

An example of a system requesting an access token is illustrated below:

POST /PcaAuthApi/v2/auth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: PostmanRuntime/7.29.0
Accept: */*
Cache-Control: no-cache
Postman-Token: d8abed19-9b92-418b-a4e3-4887674a88dd
Host: bne-drp-trp.digitalhealth.gov.au
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 902
  
grant_type=client_credentials&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6ImF2S0Z1Yk00UzBZYmhIbFhrQU96eGFweHJ4MV9rZEY1S0F3d1VDRVdOcDQiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiI5NDg0YWMzMC1jMDkzLTQ0YTgtYjIyMS1hMzM1OWM3ZjFlYjUiLCJzdWIiOiI5NDg0YWMzMC1jMDkzLTQ0YTgtYjIyMS1hMzM1OWM3ZjFlYjUiLCJhdWQiOiJodHRwczovL2JuZS1kcnAtdHJwLmRpZ2l0YWxoZWFsdGguZ292LmF1L1BjYUF1dGhBcGkvdjIvYXV0aC90b2tlbiIsImV4cCI6MTY0MjYzODUwMCwianRpIjoidHczbWloeHptbjhpIn0.Nw7TW3bJoH1o5gV_otEhKhMQjBIuw2NNQLQlojNtzxT91Du3W5oUNqaQFbUQ7Gfr3_6t4CoV0ReARLskFsF14dEs4GG5agdDCFmxNU9Tb1OYGqZ6dnfugnzvgrBE2LZsRN-mAmEtfW03F-8C6i9M7P1v09QSGhKgfqVW07PqTyjlqnIdu4X7-eJZ0SuHWr4K-HgWKjpnrwY0BCcsI2y3FgLMOb2q6s4DvbCc6LHI3DuD--9_VjF0WWrQlfyqCkjTvZo7XADola2H8FrfJOyYiFo_DxPIqX3GXPCGo3z6IQ1gD4GLs840Lyjoz08kMl-YmNKyOiNeFodwrVPBLEdzAQ&
client_id=9484ac30-c093-44a8-b221-a3359c7f1eb5
  
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: application/json; charset=utf-8
X-Frame-Options: DENY
Date: Thu, 20 Jan 2022 00:18:14 GMT
  
{
"access_token":"16.1642638194.874f1fac40c4413cab4bdcb822d251ba",
"token_type":"Bearer",
"expires_in":300
}

PCA Identity and Access Manager

If the access token request is valid and authorised, the PCA Identity and Access Manager shall issue an access token in response. The access token response shall be a JSON object with the following properties:

Parameter | Cardinality | Details
access_token | Mandatory | The access token issued by the PCA Identity and Access Manager, in the form of a bearer token as described in section 3.2 of OAuth 2.0 Security – RFC6819.
token_type | Mandatory | Fixed value: Bearer
expires_in | Mandatory | Lifetime of the access token in seconds. Fixed value: 300 (a 5-minute token lifetime).

The response carries a bearer token that lets the client retrieve resources from, and publish to, the PCA for a 5-minute period. Once it expires the client must obtain a new access token by repeating the same operation. Because the token is a bearer credential, anyone who holds it can use it: keep it in memory only, send it only over TLS, and never write it to logs.
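The whole client-side exchange, written as an added example for this page rather than code from the Agency or the PCA SDK: it runs pre-flight checks on the claims of the signed assertion, builds the form body from the parameter table above, posts it over TLS with certificate verification and TLS 1.2 as the floor, validates the response object described above, and reuses the token until shortly before its 300-second expiry. The endpoint URL and the client_id come from the example above; the Authorization: Bearer request header (RFC 6750), the 30-second renewal margin, the hypothetical helper names, and the unsigned placeholder assertion used for offline demonstration are assumptions of this example.

```python
import base64
import json
import ssl
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Endpoint and assertion type as shown in the request example on this page.
TOKEN_URL = "https://bne-drp-trp.digitalhealth.gov.au/PcaAuthApi/v2/auth/token"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_assertion(jwt: str, client_id: str, token_url: str, now: float) -> list:
    """Pre-flight checks on the signed authentication JWT. The IAM does the
    authoritative validation (signature included); these only catch client
    mistakes that would waste a round trip. Expectations follow the page's
    example assertion: iss = sub = client_id, aud = token endpoint, exp ahead."""
    header_b64, payload_b64, _signature = jwt.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    problems = []
    if header.get("alg") != "RS256":
        problems.append("unexpected alg %r" % header.get("alg"))
    if claims.get("aud") != token_url:
        problems.append("aud must be the token endpoint URL")
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        problems.append("iss and sub must both equal the client_id")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("assertion has expired")
    return problems


def build_token_request(client_id: str, assertion: str, token_url: str = TOKEN_URL) -> Request:
    """The POST from the parameter table: four form-encoded parameters."""
    body = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_assertion_type": ASSERTION_TYPE,
                      "client_assertion": assertion}).encode()
    return Request(token_url, data=body, method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded",
                            "Accept": "application/json"})


def parse_token_response(body: bytes, received_at: float) -> dict:
    """Validate the response object and turn expires_in into an absolute time."""
    obj = json.loads(body)
    if obj.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type %r" % obj.get("token_type"))
    if not isinstance(obj.get("access_token"), str) or not obj["access_token"]:
        raise ValueError("access_token missing")
    if not isinstance(obj.get("expires_in"), int) or obj["expires_in"] <= 0:
        raise ValueError("expires_in missing or not a positive integer")
    return {"access_token": obj["access_token"],
            "expires_at": received_at + obj["expires_in"]}


def fetch_over_tls(client_id: str, assertion: str, token_url: str = TOKEN_URL) -> dict:
    """Live exchange: server certificate verified, TLS 1.2 as the floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with urlopen(build_token_request(client_id, assertion, token_url),
                 timeout=10, context=ctx) as resp:
        return parse_token_response(resp.read(), time.time())


class TokenCache:
    """Reuse a token for its lifetime and renew it `margin` seconds early.
    `fetch` returns a dict from parse_token_response. The 30 s margin is an
    assumption made here, not a PCA rule."""

    def __init__(self, fetch, clock=time.time, margin: int = 30):
        self._fetch, self._clock, self._margin = fetch, clock, margin
        self._current = None

    def bearer_header(self) -> dict:
        now = self._clock()
        if self._current is None or now >= self._current["expires_at"] - self._margin:
            self._current = self._fetch()
        # Presenting the token as an RFC 6750 bearer header is assumed here.
        return {"Authorization": "Bearer " + self._current["access_token"]}


def sample_assertion(client_id: str, token_url: str, exp: int) -> str:
    """Constructed, UNSIGNED placeholder for offline use only; the real
    client_assertion is the RS256-signed JWT from the Generate JWT step."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = {"alg": "RS256", "kid": "example-kid", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_url, "exp": exp}
    return ".".join([enc(header), enc(claims), "placeholder-signature"])
```

For live use, wrap the real signed assertion in the cache, for example TokenCache(lambda: fetch_over_tls(client_id, signed_jwt)), and call bearer_header() before each PCA request; the cache renews the token once it is within the margin of its 5-minute expiry, so a long-running client never presents a stale token and never requests more tokens than it needs.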
