Excerpt |
---|
This page describes how the KL Gateway authenticate and authorize external systems sending data to the gateway. |
In the Gateway project, external systems are authenticated and authorized using “JWT client authentication“ and authorized using “OAuth 2.0 Token Exchange“.
...
Prerequisites
Authorization is done by exchanging a SAML Assertion from Kombit STS with the Authorization Server on the Gateway environment.
In order to obtain SAML Assertions, please refer to the following resources:
The integration requires an active service agreement in the Administration Module at ‘Serviceplatformen', between the vendor’s service consumer system (anvendersystem), and the data-owning organization regarding the Care Gateway service with entity id http://ehealth.sundhed.dk/service/CareGateway/1
.
The service agreement must include the ‘Care Delivery Reporter System’ system role.
Before exchange can take place, the client system’s public key must be registered in both 'Serviceplatformen' and in the KLG Authorization server.
Getting started
To get started with authorization for KLG complete the following checklist:
- Create client system (anvendersystem) in Serviceplatformen (See https://ehealth-dk.atlassian.net/wiki/spaces/EDTW/pages/2187362305/SAML+Assertion+to+JWT+Exchange#Prerequisites )
- Create a service agreement for Care Gateway with system role ‘Care Delivery Reporter System’
- Create a pull request at https://github.com/trifork/klg-docs with the public key of the registered client system
- Wait for confirmation that the key is registered in KLG
- Wait for service agreement approval
When the key is registered and the service agreement is approved the client system can get access tokens for KLG by following the procedure described in the following sections.
Note |
---|
Notice: Clients must give notice at least two weeks in advance for registration of new public keys in KLG. |
JWT Client Authentication
Prerequisites:
The system is in possession of a Public/Private key pair.
This is the same as the service consumer system’s certificate in 'Serviceplatformen'
The public key must be registered in Keycloak as well
The system has a client in Keycloak with a
client_id
.The systems system's Public Key is registered for the client.
In order to authenticateobtain access tokens from Keycloak, the system must provide a signed JWT (, i.e. JWS) on each access token request to Keycloak.
The system issues the JWS itself and signs it with its own private key.
See also jwt.io for a comprehensive list of software libraries for token signing.
The JWS must have the following fields in the header:
...
Code Block |
---|
{ "alg": "RS256", "kid": "rqjgLIDzVg8CYwfTYph00J4YLr6cXQVO7WXKtw7sY6w" } |
NOTE: The Key ID is the the base64url encoded, SHA-256
digest (HASH), of the encoded public key. See also https://ehealth-dk.atlassian.net/wiki/spaces/EDTW/pages/2187362305/SAML+Assertion+to+JWT+Exchange#Obtaining-the-kid-from-a-Public-key
The JWS must have the following fields in the body:
jti
: JWT ID - Unique identifier for this token.iss
: Issuer - Who created the token. ? (In this case, it is theclient_id
)sub
: Subject - Whom the token refers to. (In this case, it is also theclient_id
)aud
: Audience - What the token is intended for. (In this case, it is the keycloak realm info urlURL)iat
: Issued at - When the token was created. (seconds since UNIX epoch)exp
: Expiration time - When the token expires (seconds since UNIX epoch)nbf
: Not valid before - When the token validity starts (seconds since UNIX epoch)
Code Block |
---|
{ "jti": "93461fd9-a043-45e7-89c2-06757348377e", "iss": "eoj", "sub": "eoj", "aud": "https://saml.test001.ehealth.sundhed.dk/auth/realms/ehealth", "iat": 1638873738, "exp": 1638873748, "nbf": 1638873738 } |
NOTE: The JWS is single-use only.
Example:
Code Block |
---|
eyJhbGciOiJSUzI1NiIsImtpZCIgOiAicnFqZ0xJRHpWZzhDWXdmVFlwaDAwSj RZTHI2Y1hRVk83V1hLdHc3c1k2dyJ9.eyJleHAiOjE2Mzg4Nzk5MDcsIm5iZiI 6MTYzODg3OTg5NywiaWF0IjoxNjM4ODc5ODk3LCJqdGkiOiJiMTBjNWFmYi03M GZkLTQ2NGYtODc3Yy1kYWJiNzMzYTQwMjgiLCJpc3MiOiJlb2oiLCJhdWQiOiJ odHRwczovL3NhbWwudGVzdDAwMS5laGVhbHRoLnN1bmRoZWQuZGsvYXV0aC9yZ WFsbXMvZWhlYWx0aCIsInN1YiI6ImVvaiJ9.SNwkVzMn1JhPPbAfT-4qym8OFS 3pebm3OWqfHc4YwNYAGSV6ih0mqKJtq6kmzATDWeyGEJRrhlM-6I5CV8bH77uZ UyPPBdamUpdtSOTvQGUDxxiIJFwzqVHF77TICjqc5_8n-g2drn27J9D7cwYRXy wFBDVPlqqZaWCoHipOoF0FSqMmOWvWHG152-jmeMX2GQxjRnfRd3xV0rcGZc2p mTzYvv4b9KHOSoVmnuXmh3MSMhQo9D8WtUCxakCIyKGEDtmQ4zi-5NSpJdcejf gii-g-XPhA8i4bZ7xc56_XhYQWs15JfyqV-wAnsnU-HQhQuiSO1rHLWYjk5B2q 2d0W8g |
...
Obtaining the kid
from a Public key
Obtaining the kid
from a Public key is done in 3 steps. This is demonstrated with the following example, given a Public key:
Code Block |
---|
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkMADQev3CyPA12qOW0z2
I9LtqqCX+s6fpIjmfatIDqv2Hn0ohXZYRnbjo2gCjM3DtMZ+076Smdt/DVf0rzzT
rEO835hyVtH7yZBQL8NMyZm0UzzYocjF3Y/dc+zOcyjwTK0rYt4RbS70n9yJhl4f
pv5BMOoRQbVrSwpWYK/uhw3AAuiIWSNchN4it0K3ZO0EHvUw7RNGgGVW7vBGJuDy
Fh7DM7zr61tAmC5CJruYz4RMTTIFmQ2trP2rSIerLJJmrV0DGhx2Ku6jKGrsErR+
6hT6AYFQcEKOQDuyrMyY1+hZruQs53vkPRYH88ByuExTCkDiQOskvuP+cbx+6SHs
awIDAQAB
-----END PUBLIC KEY----- |
Step 1. Getting the encoded bytes.
The encoded bytes are obtained by removing the tags -----BEGIN PUBLIC KEY-----
and -----END PUBLIC KEY-----
, and all line separators. Then Base64 decode the resulting line as bytes. The hex representation of this applied to the above Public key is:
Code Block |
---|
30820122300d06092a864886f70d01010105000382010f003082010a02820101009
0c00341ebf70b23c0d76a8e5b4cf623d2edaaa097face9fa488e67dab480eabf61e
7d288576584676e3a368028ccdc3b4c67ed3be9299db7f0d57f4af3cd3ac43bcdf9
87256d1fbc990502fc34cc999b4533cd8a1c8c5dd8fdd73ecce7328f04cad2b62de
116d2ef49fdc89865e1fa6fe4130ea1141b56b4b0a5660afee870dc002e88859235
c84de22b742b764ed041ef530ed1346806556eef04626e0f2161ec333bcebeb5b40
982e4226bb98cf844c4d3205990dadacfdab4887ab2c9266ad5d031a1c762aeea32
86aec12b47eea14fa01815070428e403bb2accc98d7e859aee42ce77be43d1607f3
c072b84c530a40e240eb24bee3fe71bc7ee921ec6b0203010001 |
NOTE: line breaks are added for readability.
Step 2. Getting the SHA256 digest.
Apply the SHA256
algorithm to the bytes obtained in step 1 (not the hex string). In this example, the hex representation of the resulting bytes is:
Code Block |
---|
aea8e02c80f3560f026307d3629874d09e182ebe9c5d054eed65cab70eec63ac |
Step 3. Encoding the digest.
The last step is to apply base64url
encoding to the bytes obtained in step 2. The final result is then:
Code Block |
---|
rqjgLIDzVg8CYwfTYph00J4YLr6cXQVO7WXKtw7sY6w |
See example of using a tool for the calculation on https://github.com/trifork/klg-docs/issues/13
Given er PEM file, the following commands can be used to calculate the kid
Code Block | ||
---|---|---|
| ||
openssl x509 -in cert.pem -pubkey -noout | sed -e '/----.*PUBLIC KEY----\|^[[:space:]]*$/d' | tr -d '\n' | base64 -d | sha256sum -b | tr -d ' *-' | xxd -r -p | base64 | tr '/+' '_-' | tr -d '=' |
Requesting Access token with Token Exchange
...
Code Block | ||
---|---|---|
| ||
POST: https://saml.test001.ehealth.sundhed.dk/auth/realms/ehealth/protocol/openid-connect/token Headers: Accept=application/x-www-form-urlencoded Content-Type=application/x-www-form-urlencoded Body: client_id=eoj client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCIgOiAicnFqZ0xJRHpWZzhDWXdmVFlwaDAwSjRZTHI2Y1hRVk83V1hLdHc3c1k2dyJ9.eyJleHAiOjE2Mzg4ODI2NzMsIm5iZiI6MTYzODg4MjY2MywiaWF0IjoxNjM4ODgyNjYzLCJqdGkiOiI0MDk0YzNhYy03Mzc4LTQzZWQtODM3Ny05NjAzYjFmZjc2MGEiLCJpc3MiOiJlb2oiLCJhdWQiOiJodHRwczovL3NhbWwudGVzdDAwMS5laGVhbHRoLnN1bmRoZWQuZGsvYXV0aC9yZWFsbXMvZWhlYWx0aCIsInN1YiI6ImVvaiJ9.eQ3kUUmlXGsBphFdH0LqhRAQzgMwkIdVxctM1Fw8J4H6OIq1ZVcEFmY67y-f8RMCHC_sSwZ2EWb1PKKoPHCVXwYAvJ4hWw0yXitN7i-GFW-s9iU9Wgem0I4g_JLaVoYqoGf_WaZXREbaN8MkzCYYz2ODrk15xR6J2hQlgiPMezSOtP0BDJCAly5x6gEFPI6gR1HMeNBjCmGzxh2nFtvkYiGrNjVR4rhcww6F9XqBCZhbIP9l691jAW77oRhTcd0fHdJ50gwOQebwCErV2_hdTSmImJLZIlUSQBNub9RDFoSVjnweZXqCnIrx53THlSGKyIETkG17ww6SamETekB4Mg grant_type=urn:ietf:params:oauth:grant-type:token-exchange subject_issuer=kobitkombit-sts subject_token_type=urn:ietf:params:oauth:token-type:saml2 subject_token=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48QXNzZXJ0aW9uIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iXzc0NTEyMzc2LWNlNmUtNDRlNy05NTVkLWNhZTUxMzQwNDQxMSIgSXNzdWVJbnN0YW50PSIyMDIxLTEyLTA4VDExOjQ4OjA4LjMyNloiIFZlcnNpb249IjIuMCI-PElzc3VlciBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSI-aHR0cHM6Ly9zYW1sLmFkZ2FuZ3NzdHlyaW5nLmVrc3Rlcm50ZXN0LXN0b2V0dGVzeXN0ZW1lcm5lLmRrPC9Jc3N1ZXI-PFNpZ25hdHVyZSB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI-PFNpZ25lZEluZm8-PENhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTI1NiIvPjxSZWZlcmVuY2UgVVJJPSIjXzc0NTEyMzc2LWNlNmUtNDRlNy05NTVkLWNhZTUxMzQwNDQxMSI-PFRyYW5zZm9ybXM-PFRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8-PFRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvVHJhbnNmb3Jtcz48RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhMjU2Ii8-PERpZ2VzdFZhbHVlPkVvWFdCejlHdWE1NWo1L3pCTHpheFN5bGZvWENWY1ZmNG4wVVMxQ0F2amc9PC9EaWdlc3RWYWx1ZT48L1JlZmVyZW5jZT48L1NpZ25lZEluZm8-PFNpZ25hdHVyZVZhbHVlPlRXbDJJZTQwL004eXM3eCtrSGRvWHdUMVhRN1JDMjRHY2RlMUtyV0QzNmJDOCtNWWxiN2FoaWxJZDZMK2sxTnl3V3hnaXFnMUtoSEVDYTFmM1lnejVlQnVuOWJvb0t4eUhkcm5kYUF1bHlac0JNenJvTUt5RTdIand0NkhabTN1UW1LU2tCa2paTHVZcDIya2hEbGxSbXgvby9HYURVaS9Ha3hWcDZDa3dIV2dtODMyV28xOHpLdlFqNWhZUUVDZTUwMHRRNStsYUR5Q0FpSVp1U3lkbnE0Z1kyTGJEcVhjd2lWVHhKenRzOEc5YkpyVEZHelJVTkJsQ0NhWDlYcXJEZG1jTlZvOXBPTjdXYm82dGF4ejBZWWRWUUZSZW15TW9PY2RVWUZkVGRpdnNYcm50TUQ3UlFod25NSDlKY3Z1K3lKY3QvdGJPckhGTFcrcXBlMFUrZz09PC9TaWduYXR1cmVWYWx1ZT48S2V5SW5mbz48WDUwOURhdGE-PFg1MDlDZXJ0aWZpY2F0ZT5NSUlHSFRDQ0JRV2dBd0lCQWdJRVhnaVRDVEFOQmdrcWhraUc5dzBCQVFzRkFEQkFNUXN3Q1FZRFZRUUdFd0pFU3pFU01CQUdBMVVFQ2d3SlZGSlZVMVF5TkRBNE1SMHdHd1lEVlFRRERCUlVVbFZUVkRJME1EZ2dUME5GVXlCRFFTQkpWakFlRncweU1UQTJNRGd3TnpBM01ETmFGdzB5TkRBMk1EZ3dOekEyTXpWYU1JR1FNUXN3Q1FZRFZRUUdFd0pFU3pFak1DRUdBMVVFQ2d3YVMwOU5Ra2xVSUVFdlV5QXZMeUJEVmxJNk1UazBNelV3TnpVeFhEQWdCZ05WQkFVVEdVTldVam94T1RRek5UQTNOUzFHU1VRNk5qQTBPVEkzT0Rnd09BWURWUVFERERGMFpYTjBMV1ZyYzNSbGNtNHRZV1JuWVc1bmMzTjBlWEpwYm1jZ0tHWjFibXQwYVc5dWMyTmxjblJwWm1scllYUXBNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQW5FYlQyMjMwVEVDK1puQWdPV3dBYUJ0b1NqT3N6ZGFNQnhjbDFXQ0NmdjhSYzVORk1wMUZUNjhyZXhOOS9rMUdjVE5XUkVQTFNqRWg5UlV0UTVRSHJFRFVZRHYzZy9sTDJZU0thVnVZN1lpcU1uK0VpODF0Z0tXTzlONVAxVU5kZUxXMCs1RGpOU08rK0NDMzNCMEFFbFhYVkk5WWhRRm5TUjZxVFpzWVBRbnNEL0o2RkE0MVJNeWl6Zms1TUZtRnVyWW4wNm53OUNrVzNDdFk1VDMrRlU0cTU1Z0lPaXdTR3BsSG01ZW1lRkV5eE1rWHRRQmFvUlhwZ09lU3FKSjFyMkdZa0szZ2svMURHay9zMkNLYzF3UGxoaFU5dkpPVjBjTnl5Si93dlVzY1dqanJnVDVVZ0xYMk9LM2xaVWlRNzJXN0RNZ0V4T2NLVHhidktqUCtZd0lEQVFBQm80SUN6RENDQXNnd0RnWURWUjBQQVFIL0JBUURBZ080TUlHSkJnZ3JCZ0VGQlFjQkFRUjlNSHN3TlFZSUt3WUJCUVVITUFHR0tXaDBkSEE2THk5dlkzTndMbWxqWVRBMExuUnlkWE4wTWpRd09DNWpiMjB2Y21WemNHOXVaR1Z5TUVJR0NDc0dBUVVGQnpBQ2hqWm9kSFJ3T2k4dlppNWhhV0V1YVdOaE1EUXVkSEoxYzNReU5EQTRMbU52YlM5dlkyVnpMV2x6YzNWcGJtY3dOQzFqWVM1alpYSXdnZ0ZEQmdOVkhTQUVnZ0U2TUlJQk5qQ0NBVElHQ2lxQlVJRXBBUUVCQkFNd2dnRWlNQzhHQ0NzR0FRVUZCd0lCRmlOb2RIUndPaTh2ZDNkM0xuUnlkWE4wTWpRd09DNWpiMjB2Y21Wd2IzTnBkRzl5ZVRDQjdnWUlLd1lCQlFVSEFnSXdnZUV3RUJZSlZGSlZVMVF5TkRBNE1BTUNBUUVhZ2N4R2IzSWdZVzUyWlc1a1pXeHpaU0JoWmlCalpYSjBhV1pwYTJGMFpYUWdaK1pzWkdWeUlFOURSVk1nZG1sc2ErVnlMQ0JEVUZNZ2IyY2dUME5GVXlCRFVDd2daR1Z5SUd0aGJpQm9aVzUwWlhNZ1puSmhJSGQzZHk1MGNuVnpkREkwTURndVkyOXRMM0psY0c5emFYUnZjbmt1SUVKbGJlWnlheXdnWVhRZ1ZGSlZVMVF5TkRBNElHVm1kR1Z5SUhacGJHdmxjbVZ1WlNCb1lYSWdaWFFnWW1WbmN1WnVjMlYwSUdGdWMzWmhjaUJwWm5RdUlIQnliMlpsYzNOcGIyNWxiR3hsSUhCaGNuUmxjaTR3Z1pjR0ExVWRId1NCanpDQmpEQXVvQ3lnS29Zb2FIUjBjRG92TDJOeWJDNXBZMkV3TkM1MGNuVnpkREkwTURndVkyOXRMMmxqWVRBMExtTnliREJhb0ZpZ1ZxUlVNRkl4Q3pBSkJnTlZCQVlUQWtSTE1SSXdFQVlEVlFRS0RBbFVVbFZUVkRJME1EZ3hIVEFiQmdOVkJBTU1GRlJTVlZOVU1qUXdPQ0JQUTBWVElFTkJJRWxXTVJBd0RnWURWUVFEREFkRFVrd3pNRGd6TUI4R0ExVWRJd1FZTUJhQUZGeTdkV0lXTXBtcU5xQzRtdnR2cHd4ZjhBclZNQjBHQTFVZERnUVdCQlIyYlhWVWNXdDVpNHpPOUo5a3BCcnE1Zkp1ZkRBSkJnTlZIUk1FQWpBQU1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQlEwMTVSNTVaWis4M3crZVIvQ05mWng5eWtPS0hxZjcwYk9wTTl5dTdVeEcydGVBQUUrNHhBOFp0L0YvU1BidExieEFaTGtTQmV2bVg0b1ZWWXRObjZDMEhyUzhWL0d0NjVyUzdWeEVJL3ZCdHREMEVPT3Z3eEpQVzYxd000ZjVFWFk4NFhaUHpMOVVZM0VyamhEdnozVzZ0cnhZTnA1d1MxVjR4ODVTSThXQ2VzTlhqcnlNSHBoUGFrSzI1MklPVFh2dXliR05qeVZ3UUwzREdJOWkvRGNPeHpJUGkwQ2FCbEJFVlVUdmdnUjlFN3Y0UC9ZcHh2UXlyZXJxdEVmeThQSUovYTJseXNDeW9NZWVnMFRUcTVBNTFCSzI1U2xXem8wbXV5Sjd0Ykt1UkxrUGZHdHVTcTh1R2ZCQlZ5b3VObDQvbkgwUURvVTltSERQMTdnU1paPC9YNTA5Q2VydGlmaWNhdGU-PC9YNTA5RGF0YT48L0tleUluZm8-PC9TaWduYXR1cmU-PFN1YmplY3Q-PE5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0Olg1MDlTdWJqZWN0TmFtZSI-U0VSSUFMTlVNQkVSPUNWUjoxOTQzNTA3NS1GSUQ6Mzc2NzE1MzMgKyBDTj1rb21iaXQtc3AtdC1kZW1vLXNlcnYgKGZ1bmt0aW9uc2NlcnRpZmlrYXQpLCBPPUtPTUJJVCBBL1MgLy8gQ1ZSOjE5NDM1MDc1LCBDPURLPC9OYW1lSUQ-PFN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206aG9sZGVyLW9mLWtleSI-PFN1YmplY3RDb25maXJtYXRpb25EYXRhIHhtbG5zOmE9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiBOb3RCZWZvcmU9IjIwMjEtMTItMDhUMTE6NDg6MDguMzI2WiIgTm90T25PckFmdGVyPSIyMDIxLTEyLTA4VDE5OjQ4OjA4LjMyMloiIFJlY2lwaWVudD0iaHR0cDovL2RlbW8ucHJvZC1zZXJ2aWNlcGxhdGZvcm1lbi5kay9zZXJ2aWNlL0RlbW9TZXJ2aWNlLzEiIGE6dHlwZT0iS2V5SW5mb0NvbmZpcm1hdGlvbkRhdGFUeXBlIj48S2V5SW5mbyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI-PFg1MDlEYXRhPjxYNTA5Q2VydGlmaWNhdGU-TUlJR0lEQ0NCUWlnQXdJQkFnSUVXNnh6ZERBTkJna3Foa2lHOXcwQkFRc0ZBREJJTVFzd0NRWURWUVFHRXdKRVN6RVNNQkFHQTFVRUNnd0pWRkpWVTFReU5EQTRNU1V3SXdZRFZRUUREQnhVVWxWVFZESTBNRGdnVTNsemRHVnRkR1Z6ZENCWVdFbEpJRU5CTUI0WERURTVNRGt4T1RFeU1UWXdPRm9YRFRJeU1Ea3hPVEV5TVRVeE1Gb3dnWW94Q3pBSkJnTlZCQVlUQWtSTE1TTXdJUVlEVlFRS0RCcExUMDFDU1ZRZ1FTOVRJQzh2SUVOV1Vqb3hPVFF6TlRBM05URldNQ0FHQTFVRUJSTVpRMVpTT2pFNU5ETTFNRGMxTFVaSlJEb3pOelkzTVRVek16QXlCZ05WQkFNTUsydHZiV0pwZEMxemNDMTBMV1JsYlc4dGMyVnlkaUFvWm5WdWEzUnBiMjV6WTJWeWRHbG1hV3RoZENrd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUNRd0FOQjYvY0xJOERYYW81YlRQWWowdTJxb0pmNnpwK2tpT1o5cTBnT3EvWWVmU2lGZGxoR2R1T2phQUtNemNPMHhuN1R2cEtaMjM4TlYvU3ZQTk9zUTd6Zm1ISlcwZnZKa0ZBdncwekptYlJUUE5paHlNWGRqOTF6N001ektQQk1yU3RpM2hGdEx2U2YzSW1HWGgrbS9rRXc2aEZCdFd0TENsWmdyKzZIRGNBQzZJaFpJMXlFM2lLM1FyZGs3UVFlOVREdEUwYUFaVmJ1OEVZbTRQSVdIc016dk92clcwQ1lMa0ltdTVqUGhFeE5NZ1daRGEycy9hdEloNnNza21hdFhRTWFISFlxN3FNb2F1d1N0SDdxRlBvQmdWQndRbzVBTzdLc3pKalg2Rm11NUN6bmUrUTlGZ2Z6d0hLNFRGTUtRT0pBNnlTKzQvNXh2SDdwSWV4ckFnTUJBQUdqZ2dMTk1JSUN5VEFPQmdOVkhROEJBZjhFQkFNQ0E3Z3dnWmNHQ0NzR0FRVUZCd0VCQklHS01JR0hNRHdHQ0NzR0FRVUZCekFCaGpCb2RIUndPaTh2YjJOemNDNXplWE4wWlcxMFpYTjBNakl1ZEhKMWMzUXlOREE0TG1OdmJTOXlaWE53YjI1a1pYSXdSd1lJS3dZQkJRVUhNQUtHTzJoMGRIQTZMeTltTG1GcFlTNXplWE4wWlcxMFpYTjBNakl1ZEhKMWMzUXlOREE0TG1OdmJTOXplWE4wWlcxMFpYTjBNakl0WTJFdVkyVnlNSUlCSUFZRFZSMGdCSUlCRnpDQ0FSTXdnZ0VQQmcwckJnRUVBWUgwVVFJRUJnUUNNSUg5TUM4R0NDc0dBUVVGQndJQkZpTm9kSFJ3T2k4dmQzZDNMblJ5ZFhOME1qUXdPQzVqYjIwdmNtVndiM05wZEc5eWVUQ0J5UVlJS3dZQkJRVUhBZ0l3Z2J3d0RCWUZSR0Z1U1VRd0F3SUJBUnFCcTBSaGJrbEVJSFJsYzNRZ1kyVnlkR2xtYVd0aGRHVnlJR1p5WVNCa1pXNXVaU0JEUVNCMVpITjBaV1JsY3lCMWJtUmxjaUJQU1VRZ01TNHpMall1TVM0MExqRXVNekV6TVRNdU1pNDBMall1TkM0eUxpQkVZVzVKUkNCMFpYTjBJR05sY25ScFptbGpZWFJsY3lCbWNtOXRJSFJvYVhNZ1EwRWdZWEpsSUdsemMzVmxaQ0IxYm1SbGNpQlBTVVFnTVM0ekxqWXVNUzQwTGpFdU16RXpNVE11TWk0MExqWXVOQzR5TGpDQnJRWURWUjBmQklHbE1JR2lNRDJnTzZBNWhqZG9kSFJ3T2k4dlkzSnNMbk41YzNSbGJYUmxjM1F5TWk1MGNuVnpkREkwTURndVkyOXRMM041YzNSbGJYUmxjM1F5TWpFdVkzSnNNR0dnWDZCZHBGc3dXVEVMTUFrR0ExVUVCaE1DUkVzeEVqQVFCZ05WQkFvTUNWUlNWVk5VTWpRd09ERWxNQ01HQTFVRUF3d2NWRkpWVTFReU5EQTRJRk41YzNSbGJYUmxjM1FnV0ZoSlNTQkRRVEVQTUEwR0ExVUVBd3dHUTFKTU1UZ3dNQjhHQTFVZEl3UVlNQmFBRkt1b0FVUVpzTE5EbWRyNmZNelNBQmdENXp5L01CMEdBMVVkRGdRV0JCVE1QZWE5QWZCeWJlUkZTVjdtVUtaZndXMEFkekFKQmdOVkhSTUVBakFBTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFBUUIzL3d6amM4T2VsVk5MTHV1UGNRanJxN3p0VFdwb1ZCZnJNaGtheWMyeDQ2d2VOeDZQTWVObTNTdHZJYkcyeTIxb3RBTWhVK0hnanpmZ3NZTEpVMFBFTEdycnp2OHRDLytHMnNHbnJDSVgrNU1zUHg0eURpWlJBNFlrc2pLd0hGT0xHOWFwbVRvV1BHNVhzZTRjeHZzNFViSFd6V2lra3krcVl4RXVybjY1NkVseDVYNkF1S00rK1FHQi9KSXBDa0t0ZlhSSzduODFNV3dqT2JDMlI5TXI5VlZQd1VFNllna2pTZU1nTDFUNUd5MHNuaXp2THkxbmpnMHk5eHhwUTZLVWNHaU1pVFZJSzRlczdqSkxVQ0VIeURhSEFXbDBnQ0tQYk1pcjE5bExyK1Z3Ym5WellhdDVUaGRzNkJXT0I0aThHN2RwQ0QzK3Y5MGFKSVE1dDA8L1g1MDlDZXJ0aWZpY2F0ZT48L1g1MDlEYXRhPjwvS2V5SW5mbz48L1N1YmplY3RDb25maXJtYXRpb25EYXRhPjwvU3ViamVjdENvbmZpcm1hdGlvbj48L1N1YmplY3Q-PENvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDIxLTEyLTA4VDExOjQ4OjA4LjMyMloiIE5vdE9uT3JBZnRlcj0iMjAyMS0xMi0wOFQxOTo0ODowOC4zMjJaIj48QXVkaWVuY2VSZXN0cmljdGlvbj48QXVkaWVuY2U-aHR0cDovL2RlbW8ucHJvZC1zZXJ2aWNlcGxhdGZvcm1lbi5kay9zZXJ2aWNlL0RlbW9TZXJ2aWNlLzE8L0F1ZGllbmNlPjwvQXVkaWVuY2VSZXN0cmljdGlvbj48L0NvbmRpdGlvbnM-PEF0dHJpYnV0ZVN0YXRlbWVudD48QXR0cmlidXRlIE5hbWU9ImRrOmdvdjpzYW1sOmF0dHJpYnV0ZTpDdnJOdW1iZXJJZGVudGlmaWVyIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48QXR0cmlidXRlVmFsdWU-MjkxODk4NDY8L0F0dHJpYnV0ZVZhbHVlPjwvQXR0cmlidXRlPjxBdHRyaWJ1dGUgTmFtZT0iZGs6Z292OnNhbWw6YXR0cmlidXRlOkFzc3VyYW5jZUxldmVsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48QXR0cmlidXRlVmFsdWU-MzwvQXR0cmlidXRlVmFsdWU-PC9BdHRyaWJ1dGU-PEF0dHJpYnV0ZSBOYW1lPSJkazpnb3Y6c2FtbDphdHRyaWJ1dGU6U3BlY1ZlciIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI-PEF0dHJpYnV0ZVZhbHVlPkRLLVNBTUwtMi4wPC9BdHRyaWJ1dGVWYWx1ZT48L0F0dHJpYnV0ZT48QXR0cmlidXRlIE5hbWU9ImRrOmdvdjpzYW1sOmF0dHJpYnV0ZTpLb21iaXRTcGVjVmVyIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48QXR0cmlidXRlVmFsdWU-MS4wPC9BdHRyaWJ1dGVWYWx1ZT48L0F0dHJpYnV0ZT48QXR0cmlidXRlIE5hbWU9ImRrOmdvdjpzYW1sOmF0dHJpYnV0ZTpQcml2aWxlZ2VzX2ludGVybWVkaWF0ZSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI-PEF0dHJpYnV0ZVZhbHVlPlBEOTRiV3dnZG1WeWMybHZiajBpTVM0d0lpQmxibU52WkdsdVp6MGlWVlJHTFRnaVB6NDhZbkJ3T2xCeWFYWnBiR1ZuWlV4cGMzUWdlRzFzYm5NNlluQndQU0pvZEhSd09pOHZhWFJ6ZEM1a2F5OXZhVzl6WVcxc0wySmhjMmxqWDNCeWFYWnBiR1ZuWlY5d2NtOW1hV3hsSWlCNGJXeHVjenA0YzJrOUltaDBkSEE2THk5M2QzY3Vkek11YjNKbkx6SXdNREV2V0UxTVUyTm9aVzFoTFdsdWMzUmhibU5sSWo0OFVISnBkbWxzWldkbFIzSnZkWEFnVTJOdmNHVTlJblZ5Ympwa2F6cG5iM1k2YzJGdGJEcGpkbkpPZFcxaVpYSkpaR1Z1ZEdsbWFXVnlPakk1TVRnNU9EUTJJajQ4VUhKcGRtbHNaV2RsUG1oMGRIQTZMeTl6WlhKMmFXTmxjR3hoZEdadmNtMWxiaTV3Y205a0xYTmxjblpwWTJWd2JHRjBabTl5YldWdUxtUnJMM0p2YkdWekwzTmxjblpwWTJWemVYTjBaVzF5YjJ4bEwyUjFiVzE1THpFOEwxQnlhWFpwYkdWblpUNDhMMUJ5YVhacGJHVm5aVWR5YjNWd1Bqd3ZZbkJ3T2xCeWFYWnBiR1ZuWlV4cGMzUSs8L0F0dHJpYnV0ZVZhbHVlPjwvQXR0cmlidXRlPjwvQXR0cmlidXRlU3RhdGVtZW50PjxBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMjEtMTItMDhUMTE6NDg6MDguMzIyWiI-PEF1dGhuQ29udGV4dD48QXV0aG5Db250ZXh0Q2xhc3NSZWY-dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6WDUwOTwvQXV0aG5Db250ZXh0Q2xhc3NSZWY-PC9BdXRobkNvbnRleHQ-PC9BdXRoblN0YXRlbWVudD48L0Fzc2VydGlvbj4 |
...
NOTE: Remember that the JWS is single-use.
Example:
Code Block | ||
---|---|---|
| ||
POST: https://saml.test001.ehealth.sundhed.dk/auth/realms/ehealth/protocol/openid-connect/token Headers: Accept=application/x-www-form-urlencoded Content-Type=application/x-www-form-urlencoded Body: client_id=eoj client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCIgOiAicnFqZ0xJRHpWZzhDWXdmVFlwaDAwSjRZTHI2Y1hRVk83V1hLdHc3c1k2dyJ9.eyJleHAiOjE2Mzg4ODI2NzMsIm5iZiI6MTYzODg4MjY2MywiaWF0IjoxNjM4ODgyNjYzLCJqdGkiOiJmYzI0NTc3NC02N2M2LTRmYmYtOTk5YS02MTZmZTE3MDUxNjYiLCJpc3MiOiJlb2oiLCJhdWQiOiJodHRwczovL3NhbWwudGVzdDAwMS5laGVhbHRoLnN1bmRoZWQuZGsvYXV0aC9yZWFsbXMvZWhlYWx0aCIsInN1YiI6ImVvaiJ9.GUA34KZX1CONjJ9gXx2TAI1dq-vooYNOfUYB32AKK1GhFJeBUAhUiVaaGBzB5sk9DuBEyQQbT7yoOXbl2joStrj2QPYVtFO06XMlp5iqrb8eQdkWexMg3ZpLP7YV1HDGWrSEksV0liQpVs35OmhJDivkKuHf63n-fpqcKLHiGpkUrwrxycXHeG6Lv846fxrn3eiJVB_ywKNjgST8nPZr9uFpiATsX-Vrx5r6LtYyg6hN6AD8bJamOuJ2txem41DoVTgeAuqNaDZxradLc8GiaVmXdSuPM-_KH41bUwfOTA6jbMdgsJNo6lzYJdoxRub5ld-D33WaeRvtRFWBLElwHQ grant_type=refresh_token refresh_token=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIyMGRlOTdiOC1jMGU3LTQ4MTktYWVhZi1iYjgxMmI2ZjI4NjIifQ.eyJleHAiOjE2Mzg4ODQ0NjMsImlhdCI6MTYzODg4MjY2MywianRpIjoiZTI2ZTk5NjEtZDE0My00MTA1LTkwY2MtN2UwNTMwODNmMmNjIiwiaXNzIjoiaHR0cHM6Ly9zYW1sLnRlc3QwMDEuZWhlYWx0aC5zdW5kaGVkLmRrL2F1dGgvcmVhbG1zL2VoZWFsdGgiLCJhdWQiOiJodHRwczovL3NhbWwudGVzdDAwMS5laGVhbHRoLnN1bmRoZWQuZGsvYXV0aC9yZWFsbXMvZWhlYWx0aCIsInN1YiI6ImZlMzZiZDRhLWY1MDAtNDExMC04YWRiLWJlNWQzMTIyNmRmNiIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJlb2oiLCJzZXNzaW9uX3N0YXRlIjoiYzM0NzgxYzAtZThiZS00NGVjLWFlYjUtMjViYjVlMDRlOGRkIiwic2NvcGUiOiJwcm9maWxlIGVtYWlsIiwic2lkIjoiYzM0NzgxYzAtZThiZS00NGVjLWFlYjUtMjViYjVlMDRlOGRkIn0.O3pcwZvYU8WTPLsx1ODfRHzGYRenXd8dcixmK7f5dfs |
...