ID: DG-3061
Type: Guide
Version: 1.0
Status: Active
Created date: 02/06/2023
Updated date: 05/06/2023
This is the current version.

## Quick intro

Once you have a signed authentication JWT, the client can request an access token.

## Client access token

At runtime the client will need to obtain an access token in order to interact with Provider Connect Australia. Such access tokens are issued by the PCA™ Identity and Access Manager, in accordance with the OAuth 2.0 Authorization Framework (RFC6749).

This specification describes the requirements for requesting an access token through an OAuth 2.0 flow, using a JWT assertion (RFC7523) as the client's authentication mechanism. The exchange allows the client to authenticate itself to the PCA™ Identity and Access Manager and to request a short-lived access token in a single exchange.

To begin the exchange, the client shall use Transport Layer Security (TLS) v1.2 (RFC5246) to authenticate the identity of the PCA™ Identity and Access Manager and to establish an encrypted, integrity-protected link for securing all exchanges between the client and the PCA™ Identity and Access Manager's token endpoint.
All exchanges described herein between the client and the PCA™ Identity and Access Manager shall be secured using TLS v1.2.

## System-based request

The ClientSystem requests a new access token via HTTP POST to the PCA™ Identity and Access Manager's token endpoint URL, using content-type application/x-www-form-urlencoded with the following body:

| Parameter | Cardinality | Details |
|---|---|---|
| grant_type | Mandatory | Fixed value: client_credentials |
| client_id | Mandatory | As obtained from the register client operation. |
| client_assertion_type | Mandatory | Fixed value: urn:ietf:params:oauth:client-assertion-type:jwt-bearer |
| client_assertion | Mandatory | Signed authentication JWT value (see Encode JWT) |

An example of a system-based client requesting an access token is illustrated below (the form body is wrapped across lines for readability):

```http
POST /PcaAuthApi/v2/auth/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: PostmanRuntime/7.29.0
Accept: */*
Cache-Control: no-cache
Postman-Token: d8abed19-9b92-418b-a4e3-4887674a88dd
Host: bne-drp-trp.digitalhealth.gov.au
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 902

grant_type=client_credentials&
client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&
client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6ImF2S0Z1Yk00UzBZYmhIbFhrQU96eGFweHJ4MV9rZEY1S0F3d1VDRVdOcDQiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiI5NDg0YWMzMC1jMDkzLTQ0YTgtYjIyMS1hMzM1OWM3ZjFlYjUiLCJzdWIiOiI5NDg0YWMzMC1jMDkzLTQ0YTgtYjIyMS1hMzM1OWM3ZjFlYjUiLCJhdWQiOiJodHRwczovL2JuZS1kcnAtdHJwLmRpZ2l0YWxoZWFsdGguZ292LmF1L1BjYUF1dGhBcGkvdjIvYXV0aC90b2tlbiIsImV4cCI6MTY0MjYzODUwMCwianRpIjoidHczbWloeHptbjhpIn0.Nw7TW3bJoH1o5gV_otEhKhMQjBIuw2NNQLQlojNtzxT91Du3W5oUNqaQFbUQ7Gfr3_6t4CoV0ReARLskFsF14dEs4GG5agdDCFmxNU9Tb1OYGqZ6dnfugnzvgrBE2LZsRN-mAmEtfW03F-8C6i9M7P1v09QSGhKgfqVW07PqTyjlqnIdu4X7-eJZ0SuHWr4K-HgWKjpnrwY0BCcsI2y3FgLMOb2q6s4DvbCc6LHI3DuD--9_VjF0WWrQlfyqCkjTvZo7XADola2H8FrfJOyYiFo_DxPIqX3GXPCGo3z6IQ1gD4GLs840Lyjoz08kMl-YmNKyOiNeFodwrVPBLEdzAQ&
client_id=9484ac30-c093-44a8-b221-a3359c7f1eb5
```

```http
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: application/json; charset=utf-8
X-Frame-Options: DENY
Date: Thu, 20 Jan 2022 00:18:14 GMT

{
  "access_token": "16.1642638194.874f1fac40c4413cab4bdcb822d251ba",
  "token_type": "Bearer",
  "expires_in": 300
}
```

## System-based response

If the access token request is valid and authorised, the PCA™ Identity and Access Manager shall issue an access token in response. The access token response shall be a JSON object with the following properties:

| Parameter | Cardinality | Details |
|---|---|---|
| access_token | Mandatory | The access token issued by the PCA Identity and Access Manager in the form of a bearer token as described in section 3.2 of OAuth 2.0 Security – RFC6819 |
| token_type | Mandatory | Fixed value: Bearer |
| expires_in | Mandatory | The lifetime of the access token in seconds: 300, i.e. a 5-minute token lifetime. |

The scope of this access token corresponds to the relevant Authorisations of the ClientSystem as described in the roles section of Register client.

The response is a bearer token that lets the ClientSystem retrieve resources from, and publish to, the PCA™ for a 5-minute time period, after which the client will need to obtain a new access token using the same operation.

## User-based request

The ClientSystem requests a new access token via HTTP POST to the PCA™ Identity and Access Manager's token endpoint URL, using content-type application/x-www-form-urlencoded with the following body:

| Parameter | Cardinality | Details |
|---|---|---|
| grant_type | Mandatory | Fixed value: authorization_code |
| code | Mandatory | The authorization code provided by the PCA™ Identity and Access Manager |
| client_id | Mandatory | As obtained from the register client operation. |
| client_assertion_type | Mandatory | Fixed value: urn:ietf:params:oauth:client-assertion-type:jwt-bearer |
| client_assertion | Mandatory | Signed authentication JWT value (see Encode JWT) |

## User-based response

If the access token request is valid and authorised, the PCA Identity and Access Manager shall issue an access token in response.
The access token response shall be a JSON object with the following properties:

| Parameter | Cardinality | Details |
|---|---|---|
| access_token | Mandatory | The access token issued by the PCA™ Identity and Access Manager in the form of a bearer token as described in section 3.2 of OAuth 2.0 Security – RFC6819 |
| token_type | Mandatory | Fixed value: Bearer |
| expires_in | Mandatory | The lifetime of the access token is 300 seconds (5 minutes). |

The scope of this access token corresponds to the relevant Authorisations of the PCAUser to which the authorization code was previously linked, as described in Get authorization code.

The response is a bearer token that lets the ClientSystem retrieve resources from, and publish to, the PCA™ for a 5-minute time period, after which the client will need to obtain a new access token using the same operation.
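The following is an added example, not code from this guide or from the PCA™ project, showing the client side of both the system-based and the user-based token requests described above in one small Python module. It takes the already-signed authentication JWT from the Generate JWT step as input, sanity-checks it locally before sending (the claim layout it expects, iss = sub = client_id, aud = token endpoint URL, exp and jti, is taken from decoding the assertion in the page's own example request), form-encodes the request body, validates the mandatory response properties, and reuses the token until shortly before its 300-second lifetime ends. The helper names (`check_assertion`, `build_token_request`, `parse_token_response`, `https_post_form`, `request_access_token`, `TokenCache`) and the pluggable `transport` callable are this example's own constructions; the endpoint URL, assertion type URN and sample response body are the ones shown on the page.

```python
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Values taken from the page's example exchange.
TOKEN_ENDPOINT = "https://bne-drp-trp.digitalhealth.gov.au/PcaAuthApi/v2/auth/token"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_assertion(assertion: str, client_id: str,
                    token_endpoint: str = TOKEN_ENDPOINT, now: Optional[int] = None) -> dict:
    """Pre-flight check of the signed authentication JWT before it leaves the client.

    The signature itself is not verified here (the client holds the private key; the
    Identity and Access Manager verifies it). The aim is to catch a stale, unsigned or
    mis-addressed assertion locally instead of producing a failed round trip.
    Expected claims follow the decoded example on the page: iss = sub = client_id,
    aud = token endpoint URL, exp and jti (assumption made by this example).
    """
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("assertion is not a compact JWS (header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("assertion must be signed; alg=none is not acceptable")
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        raise ValueError("iss and sub must both equal the registered client_id")
    if claims.get("aud") != token_endpoint:
        raise ValueError("aud must be the token endpoint the request is sent to")
    now = int(time.time()) if now is None else now
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("assertion has expired; generate a fresh JWT")
    if not claims.get("jti"):
        raise ValueError("jti (unique assertion id) is required")
    return claims


def build_token_request(client_id: str, assertion: str, code: Optional[str] = None) -> str:
    """Form-encode the token request body.

    Without `code` this is the system-based request (grant_type=client_credentials);
    with an authorization code it is the user-based request (grant_type=authorization_code).
    """
    params = {
        "grant_type": "authorization_code" if code else "client_credentials",
        "client_id": client_id,
        "client_assertion_type": JWT_BEARER,
        "client_assertion": assertion,
    }
    if code:
        params["code"] = code
    return urllib.parse.urlencode(params)


def parse_token_response(body: bytes, now: Optional[int] = None) -> dict:
    """Validate the mandatory response properties and turn expires_in into a deadline."""
    data = json.loads(body)
    for key in ("access_token", "token_type", "expires_in"):
        if key not in data:
            raise ValueError(f"token response is missing mandatory property {key!r}")
    if data["token_type"] != "Bearer":
        raise ValueError(f"unexpected token_type {data['token_type']!r}")
    now = int(time.time()) if now is None else now
    return {"access_token": data["access_token"], "expires_at": now + int(data["expires_in"])}


def https_post_form(url: str, body: str) -> bytes:
    """Default transport: POST with the content type the guide mandates.

    urllib verifies the server certificate by default, which is the TLS server
    authentication the guide requires before any exchange takes place.
    """
    req = urllib.request.Request(url, data=body.encode("ascii"), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def request_access_token(client_id: str, assertion: str, code: Optional[str] = None,
                         transport: Callable[[str, str], bytes] = https_post_form,
                         token_endpoint: str = TOKEN_ENDPOINT, now: Optional[int] = None) -> dict:
    """Whole client side of the exchange: check assertion, POST, validate response."""
    check_assertion(assertion, client_id, token_endpoint, now)
    body = build_token_request(client_id, assertion, code)
    return parse_token_response(transport(token_endpoint, body), now)


class TokenCache:
    """Reuse an access token until `margin` seconds before its lifetime ends, then refetch."""

    def __init__(self, fetch: Callable[[], dict], margin: int = 30):
        self._fetch, self._margin, self._token = fetch, margin, None

    def get(self, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        if self._token is None or now >= self._token["expires_at"] - self._margin:
            self._token = self._fetch()  # same operation again, as the guide describes
        return self._token["access_token"]
```

In production the `fetch` callable given to `TokenCache` would call `request_access_token` with a freshly generated assertion each time (the assertion's own `exp` and single-use `jti` mean it should not be reused across token requests). The 30-second refresh margin is a design choice of this example: it keeps a request made just before the 5-minute mark from arriving with an already-expired token.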