In the Gateway project, external systems are authenticated and authorized using “JWT client authentication“ and “OAuth 2.0 Token Exchange“.

JWT Client Authentication

Prerequisites:

The system is in possession of a Public/Private key pair.
The system has a client in Keycloak.
The systems Public Key is registered for the client.

In order to authenticate, the system must provide a signed JWT (, i.e. JWS) on each access token request to Keycloak.

The system issues the JWS itself and signs it with its own private key.

The JWS must have the following fields in the header:

alg: Signature Algorithm
kid: Key ID

{
  "alg": "RS256",
  "kid": "rqjgLIDzVg8CYwfTYph00J4YLr6cXQVO7WXKtw7sY6w"
}

NOTE: The Key ID is the SHA-256 digest of the encoded public key.

The JWS must have the following fields in the body:

jti: JWT ID - Unique identifier for this token.
iss: Issuer - Who created the token. (In this case it is the client)
sub: Subject - Whom the token refers to. (In this case it is also the client)
aud: Audience - What the token is intended for. (In this case it is the keycloak realm info url)
iat: Issued at - When the token was created. (seconds since UNIX epoch)
exp: Expiration time - When the token expires (seconds since UNIX epoch)
nbf: Not valid before - When the token validity starts (seconds since UNIX epoch)

{
  "jti": "93461fd9-a043-45e7-89c2-06757348377e",
  "iss": "eoj",
  "sub": "eoj",
  "aud": "https://saml.test001.ehealth.sundhed.dk/auth/realms/ehealth",
  "iat": 1638873738,
  "exp": 1638873748,
  "nbf": 1638873738
}

NOTE: The JWS is single use only.

Example:

eyJhbGciOiJSUzI1NiIsImtpZCIgOiAicnFqZ0xJRHpWZzhDWXdmVFlwaDAwSj
RZTHI2Y1hRVk83V1hLdHc3c1k2dyJ9.eyJleHAiOjE2Mzg4Nzk5MDcsIm5iZiI
6MTYzODg3OTg5NywiaWF0IjoxNjM4ODc5ODk3LCJqdGkiOiJiMTBjNWFmYi03M
GZkLTQ2NGYtODc3Yy1kYWJiNzMzYTQwMjgiLCJpc3MiOiJlb2oiLCJhdWQiOiJ
odHRwczovL3NhbWwudGVzdDAwMS5laGVhbHRoLnN1bmRoZWQuZGsvYXV0aC9yZ
WFsbXMvZWhlYWx0aCIsInN1YiI6ImVvaiJ9.SNwkVzMn1JhPPbAfT-4qym8OFS
3pebm3OWqfHc4YwNYAGSV6ih0mqKJtq6kmzATDWeyGEJRrhlM-6I5CV8bH77uZ
UyPPBdamUpdtSOTvQGUDxxiIJFwzqVHF77TICjqc5_8n-g2drn27J9D7cwYRXy
wFBDVPlqqZaWCoHipOoF0FSqMmOWvWHG152-jmeMX2GQxjRnfRd3xV0rcGZc2p
mTzYvv4b9KHOSoVmnuXmh3MSMhQo9D8WtUCxakCIyKGEDtmQ4zi-5NSpJdcejf
gii-g-XPhA8i4bZ7xc56_XhYQWs15JfyqV-wAnsnU-HQhQuiSO1rHLWYjk5B2q
2d0W8g

Requesting Access token with Token Exchange

The token exchange request is an HTTP POST request with content-type application/x-www-form-urlencoded

Body Parameters:

client_id: The id of the requesting client.
client_assertion_type: Always urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
client_assertion: The JWS described in the previous section.
grant_type: Always urn:ietf:params:oauth:grant-type:token-exchange.
subject_issuer: The ID of the subject token issuer e.g. kombit-sts.
subject_token_type: Always urn:ietf:params:oauth:token-type:saml2.
subject_token: The Base64url encoded SAML Assertion issued by subject_issuer

The response is a standard OAuth 2.0 access token response with content-type application/json

Response Fields:

access_token: The access token used for authentication on the FUT platform.
expires_in: The time to live of the access token in seconds
refresh_token: The refresh token used for requesting new access tokens
refresh_expires_in:The time to live of the refresh token in seconds

Example

Request:

POST: https://saml.test001.ehealth.sundhed.dk/auth/realms/ehealth/protocol/openid-connect/token
Headers: 
    Accept=application/x-www-form-urlencoded
    Content-Type=application/x-www-form-urlencoded
Body: 
    client_id=eoj
    client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
    client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCIgOiAicnFqZ0xJRHpWZzhDWXdmVFlwaDAwSjRZTHI2Y1hRVk83V1hLdHc3c1k2dyJ9.eyJleHAiOjE2Mzg4ODI2NzMsIm5iZiI6MTYzODg4MjY2MywiaWF0IjoxNjM4ODgyNjYzLCJqdGkiOiI0MDk0YzNhYy03Mzc4LTQzZWQtODM3Ny05NjAzYjFmZjc2MGEiLCJpc3MiOiJlb2oiLCJhdWQiOiJodHRwczovL3NhbWwudGVzdDAwMS5laGVhbHRoLnN1bmRoZWQuZGsvYXV0aC9yZWFsbXMvZWhlYWx0aCIsInN1YiI6ImVvaiJ9.eQ3kUUmlXGsBphFdH0LqhRAQzgMwkIdVxctM1Fw8J4H6OIq1ZVcEFmY67y-f8RMCHC_sSwZ2EWb1PKKoPHCVXwYAvJ4hWw0yXitN7i-GFW-s9iU9Wgem0I4g_JLaVoYqoGf_WaZXREbaN8MkzCYYz2ODrk15xR6J2hQlgiPMezSOtP0BDJCAly5x6gEFPI6gR1HMeNBjCmGzxh2nFtvkYiGrNjVR4rhcww6F9XqBCZhbIP9l691jAW77oRhTcd0fHdJ50gwOQebwCErV2_hdTSmImJLZIlUSQBNub9RDFoSVjnweZXqCnIrx53THlSGKyIETkG17ww6SamETekB4Mg
    grant_type=urn:ietf:params:oauth:grant-type:token-exchange
    subject_issuer=kobit-sts
    subject_token_type=urn:ietf:params:oauth:token-type:saml2
    subject_token=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48QXNzZXJ0aW9uIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iXzc0NTEyMzc2LWNlNmUtNDRlNy05NTVkLWNhZTUxMzQwNDQxMSIgSXNzdWVJbnN0YW50PSIyMDIxLTEyLTA4VDExOjQ4OjA4LjMyNloiIFZlcnNpb249IjIuMCI-PElzc3VlciBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSI-aHR0cHM6Ly9zYW1sLmFkZ2FuZ3NzdHlyaW5nLmVrc3Rlcm50ZXN0LXN0b2V0dGVzeXN0ZW1lcm5lLmRrPC9Jc3N1ZXI-PFNpZ25hdHVyZSB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI-PFNpZ25lZEluZm8-PENhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTI1NiIvPjxSZWZlcmVuY2UgVVJJPSIjXzc0NTEyMzc2LWNlNmUtNDRlNy05NTVkLWNhZTUxMzQwNDQxMSI-PFRyYW5zZm9ybXM-PFRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8-PFRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvVHJhbnNmb3Jtcz48RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhMjU2Ii8-PERpZ2VzdFZhbHVlPkVvWFdCejlHdWE1NWo1L3pCTHpheFN5bGZvWENWY1ZmNG4wVVMxQ0F2amc9PC9EaWdlc3RWYWx1ZT48L1JlZmVyZW5jZT48L1NpZ25lZEluZm8-PFNpZ25hdHVyZVZhbHVlPlRXbDJJZTQwL004eXM3eCtrSGRvWHdUMVhRN1JDMjRHY2RlMUtyV0QzNmJDOCtNWWxiN2FoaWxJZDZMK2sxTnl3V3hnaXFnMUtoSEVDYTFmM1lnejVlQnVuOWJvb0t4eUhkcm5kYUF1bHlac0JNenJvTUt5RTdIand0NkhabTN1UW1LU2tCa2paTHVZcDIya2hEbGxSbXgvby9HYURVaS9Ha3hWcDZDa3dIV2dtODMyV28xOHpLdlFqNWhZUUVDZTUwMHRRNStsYUR5Q0FpSVp1U3lkbnE0Z1kyTGJEcVhjd2lWVHhKenRzOEc5YkpyVEZHelJVTkJsQ0NhWDlYcXJEZG1jTlZvOXBPTjdXYm82dGF4ejBZWWRWUUZSZW15TW9PY2RVWUZkVGRpdnNYcm50TUQ3UlFod25NSDlKY3Z1K3lKY3QvdGJPckhGTFcrcXBlMFUrZz09PC9TaWduYXR1cmVWYWx1ZT48S2V5SW5mbz48WDUwOURhdGE-PFg1MDlDZXJ0aWZpY2F0ZT5NSUlHSFRDQ0JRV2dBd0lCQWdJRVhnaVRDVEFOQmdrcWhraUc5dzBCQVFzRkFEQkFNUXN3Q1FZRFZRUUdFd0pFU3pFU01CQUdBMVVFQ2d3SlZGSlZVMVF5TkRBNE1SMHdHd1lEVlFRRERCUlVVbFZUVkRJME1EZ2dUME5GVXlCRFFTQkpWakFlRncweU1UQTJNRGd3TnpBM01ETmFGdzB5TkRBMk1EZ3dOekEyTXpWYU1JR1FNUXN3Q1FZRFZRUUdFd0pFU3pFak1DRUdBMVVFQ2d3YVMwOU5Ra2xVSUVFdlV5QXZMeUJEVmxJNk1UazBNelV3TnpVeFhEQWdCZ05WQkFVVEdVTldVam94T1RRek5UQTNOUzFHU1VRNk5qQTBPVEkzT0Rnd09BWURWUVFERERGMFpYTjBMV1ZyYzNSbGNtNHRZV1JuWVc1bmMzTjBlWEpwYm1jZ0tHWjFibXQwYVc5dWMyTmxjblJwWm1scllYUXBNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQW5FYlQyMjMwVEVDK1puQWdPV3dBYUJ0b1NqT3N6ZGFNQnhjbDFXQ0NmdjhSYzVORk1wMUZUNjhyZXhOOS9rMUdjVE5XUkVQTFNqRWg5UlV0UTVRSHJFRFVZRHYzZy9sTDJZU0thVnVZN1lpcU1uK0VpODF0Z0tXTzlONVAxVU5kZUxXMCs1RGpOU08rK0NDMzNCMEFFbFhYVkk5WWhRRm5TUjZxVFpzWVBRbnNEL0o2RkE0MVJNeWl6Zms1TUZtRnVyWW4wNm53OUNrVzNDdFk1VDMrRlU0cTU1Z0lPaXdTR3BsSG01ZW1lRkV5eE1rWHRRQmFvUlhwZ09lU3FKSjFyMkdZa0szZ2svMURHay9zMkNLYzF3UGxoaFU5dkpPVjBjTnl5Si93dlVzY1dqanJnVDVVZ0xYMk9LM2xaVWlRNzJXN0RNZ0V4T2NLVHhidktqUCtZd0lEQVFBQm80SUN6RENDQXNnd0RnWURWUjBQQVFIL0JBUURBZ080TUlHSkJnZ3JCZ0VGQlFjQkFRUjlNSHN3TlFZSUt3WUJCUVVITUFHR0tXaDBkSEE2THk5dlkzTndMbWxqWVRBMExuUnlkWE4wTWpRd09DNWpiMjB2Y21WemNHOXVaR1Z5TUVJR0NDc0dBUVVGQnpBQ2hqWm9kSFJ3T2k4dlppNWhhV0V1YVdOaE1EUXVkSEoxYzNReU5EQTRMbU52YlM5dlkyVnpMV2x6YzNWcGJtY3dOQzFqWVM1alpYSXdnZ0ZEQmdOVkhTQUVnZ0U2TUlJQk5qQ0NBVElHQ2lxQlVJRXBBUUVCQkFNd2dnRWlNQzhHQ0NzR0FRVUZCd0lCRmlOb2RIUndPaTh2ZDNkM0xuUnlkWE4wTWpRd09DNWpiMjB2Y21Wd2IzTnBkRzl5ZVRDQjdnWUlLd1lCQlFVSEFnSXdnZUV3RUJZSlZGSlZVMVF5TkRBNE1BTUNBUUVhZ2N4R2IzSWdZVzUyWlc1a1pXeHpaU0JoWmlCalpYSjBhV1pwYTJGMFpYUWdaK1pzWkdWeUlFOURSVk1nZG1sc2ErVnlMQ0JEVUZNZ2IyY2dUME5GVXlCRFVDd2daR1Z5SUd0aGJpQm9aVzUwWlhNZ1puSmhJSGQzZHk1MGNuVnpkREkwTURndVkyOXRMM0psY0c5emFYUnZjbmt1SUVKbGJlWnlheXdnWVhRZ1ZGSlZVMVF5TkRBNElHVm1kR1Z5SUhacGJHdmxjbVZ1WlNCb1lYSWdaWFFnWW1WbmN1WnVjMlYwSUdGdWMzWmhjaUJwWm5RdUlIQnliMlpsYzNOcGIyNWxiR3hsSUhCaGNuUmxjaTR3Z1pjR0ExVWRId1NCanpDQmpEQXVvQ3lnS29Zb2FIUjBjRG92TDJOeWJDNXBZMkV3TkM1MGNuVnpkREkwTURndVkyOXRMMmxqWVRBMExtTnliREJhb0ZpZ1ZxUlVNRkl4Q3pBSkJnTlZCQVlUQWtSTE1SSXdFQVlEVlFRS0RBbFVVbFZUVkRJME1EZ3hIVEFiQmdOVkJBTU1GRlJTVlZOVU1qUXdPQ0JQUTBWVElFTkJJRWxXTVJBd0RnWURWUVFEREFkRFVrd3pNRGd6TUI4R0ExVWRJd1FZTUJhQUZGeTdkV0lXTXBtcU5xQzRtdnR2cHd4ZjhBclZNQjBHQTFVZERnUVdCQlIyYlhWVWNXdDVpNHpPOUo5a3BCcnE1Zkp1ZkRBSkJnTlZIUk1FQWpBQU1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQlEwMTVSNTVaWis4M3crZVIvQ05mWng5eWtPS0hxZjcwYk9wTTl5dTdVeEcydGVBQUUrNHhBOFp0L0YvU1BidExieEFaTGtTQmV2bVg0b1ZWWXRObjZDMEhyUzhWL0d0NjVyUzdWeEVJL3ZCdHREMEVPT3Z3eEpQVzYxd000ZjVFWFk4NFhaUHpMOVVZM0VyamhEdnozVzZ0cnhZTnA1d1MxVjR4ODVTSThXQ2VzTlhqcnlNSHBoUGFrSzI1MklPVFh2dXliR05qeVZ3UUwzREdJOWkvRGNPeHpJUGkwQ2FCbEJFVlVUdmdnUjlFN3Y0UC9ZcHh2UXlyZXJxdEVmeThQSUovYTJseXNDeW9NZWVnMFRUcTVBNTFCSzI1U2xXem8wbXV5Sjd0Ykt1UkxrUGZHdHVTcTh1R2ZCQlZ5b3VObDQvbkgwUURvVTltSERQMTdnU1paPC9YNTA5Q2VydGlmaWNhdGU-PC9YNTA5RGF0YT48L0tleUluZm8-PC9TaWduYXR1cmU-PFN1YmplY3Q-PE5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0Olg1MDlTdWJqZWN0TmFtZSI-U0VSSUFMTlVNQkVSPUNWUjoxOTQzNTA3NS1GSUQ6Mzc2NzE1MzMgKyBDTj1rb21iaXQtc3AtdC1kZW1vLXNlcnYgKGZ1bmt0aW9uc2NlcnRpZmlrYXQpLCBPPUtPTUJJVCBBL1MgLy8gQ1ZSOjE5NDM1MDc1LCBDPURLPC9OYW1lSUQ-PFN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206aG9sZGVyLW9mLWtleSI-PFN1YmplY3RDb25maXJtYXRpb25EYXRhIHhtbG5zOmE9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiBOb3RCZWZvcmU9IjIwMjEtMTItMDhUMTE6NDg6MDguMzI2WiIgTm90T25PckFmdGVyPSIyMDIxLTEyLTA4VDE5OjQ4OjA4LjMyMloiIFJlY2lwaWVudD0iaHR0cDovL2RlbW8ucHJvZC1zZXJ2aWNlcGxhdGZvcm1lbi5kay9zZXJ2aWNlL0RlbW9TZXJ2aWNlLzEiIGE6dHlwZT0iS2V5SW5mb0NvbmZpcm1hdGlvbkRhdGFUeXBlIj48S2V5SW5mbyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI-PFg1MDlEYXRhPjxYNTA5Q2VydGlmaWNhdGU-TUlJR0lEQ0NCUWlnQXdJQkFnSUVXNnh6ZERBTkJna3Foa2lHOXcwQkFRc0ZBREJJTVFzd0NRWURWUVFHRXdKRVN6RVNNQkFHQTFVRUNnd0pWRkpWVTFReU5EQTRNU1V3SXdZRFZRUUREQnhVVWxWVFZESTBNRGdnVTNsemRHVnRkR1Z6ZENCWVdFbEpJRU5CTUI0WERURTVNRGt4T1RFeU1UWXdPRm9YRFRJeU1Ea3hPVEV5TVRVeE1Gb3dnWW94Q3pBSkJnTlZCQVlUQWtSTE1TTXdJUVlEVlFRS0RCcExUMDFDU1ZRZ1FTOVRJQzh2SUVOV1Vqb3hPVFF6TlRBM05URldNQ0FHQTFVRUJSTVpRMVpTT2pFNU5ETTFNRGMxTFVaSlJEb3pOelkzTVRVek16QXlCZ05WQkFNTUsydHZiV0pwZEMxemNDMTBMV1JsYlc4dGMyVnlkaUFvWm5WdWEzUnBiMjV6WTJWeWRHbG1hV3RoZENrd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUNRd0FOQjYvY0xJOERYYW81YlRQWWowdTJxb0pmNnpwK2tpT1o5cTBnT3EvWWVmU2lGZGxoR2R1T2phQUtNemNPMHhuN1R2cEtaMjM4TlYvU3ZQTk9zUTd6Zm1ISlcwZnZKa0ZBdncwekptYlJUUE5paHlNWGRqOTF6N001ektQQk1yU3RpM2hGdEx2U2YzSW1HWGgrbS9rRXc2aEZCdFd0TENsWmdyKzZIRGNBQzZJaFpJMXlFM2lLM1FyZGs3UVFlOVREdEUwYUFaVmJ1OEVZbTRQSVdIc016dk92clcwQ1lMa0ltdTVqUGhFeE5NZ1daRGEycy9hdEloNnNza21hdFhRTWFISFlxN3FNb2F1d1N0SDdxRlBvQmdWQndRbzVBTzdLc3pKalg2Rm11NUN6bmUrUTlGZ2Z6d0hLNFRGTUtRT0pBNnlTKzQvNXh2SDdwSWV4ckFnTUJBQUdqZ2dMTk1JSUN5VEFPQmdOVkhROEJBZjhFQkFNQ0E3Z3dnWmNHQ0NzR0FRVUZCd0VCQklHS01JR0hNRHdHQ0NzR0FRVUZCekFCaGpCb2RIUndPaTh2YjJOemNDNXplWE4wWlcxMFpYTjBNakl1ZEhKMWMzUXlOREE0TG1OdmJTOXlaWE53YjI1a1pYSXdSd1lJS3dZQkJRVUhNQUtHTzJoMGRIQTZMeTltTG1GcFlTNXplWE4wWlcxMFpYTjBNakl1ZEhKMWMzUXlOREE0TG1OdmJTOXplWE4wWlcxMFpYTjBNakl0WTJFdVkyVnlNSUlCSUFZRFZSMGdCSUlCRnpDQ0FSTXdnZ0VQQmcwckJnRUVBWUgwVVFJRUJnUUNNSUg5TUM4R0NDc0dBUVVGQndJQkZpTm9kSFJ3T2k4dmQzZDNMblJ5ZFhOME1qUXdPQzVqYjIwdmNtVndiM05wZEc5eWVUQ0J5UVlJS3dZQkJRVUhBZ0l3Z2J3d0RCWUZSR0Z1U1VRd0F3SUJBUnFCcTBSaGJrbEVJSFJsYzNRZ1kyVnlkR2xtYVd0aGRHVnlJR1p5WVNCa1pXNXVaU0JEUVNCMVpITjBaV1JsY3lCMWJtUmxjaUJQU1VRZ01TNHpMall1TVM0MExqRXVNekV6TVRNdU1pNDBMall1TkM0eUxpQkVZVzVKUkNCMFpYTjBJR05sY25ScFptbGpZWFJsY3lCbWNtOXRJSFJvYVhNZ1EwRWdZWEpsSUdsemMzVmxaQ0IxYm1SbGNpQlBTVVFnTVM0ekxqWXVNUzQwTGpFdU16RXpNVE11TWk0MExqWXVOQzR5TGpDQnJRWURWUjBmQklHbE1JR2lNRDJnTzZBNWhqZG9kSFJ3T2k4dlkzSnNMbk41YzNSbGJYUmxjM1F5TWk1MGNuVnpkREkwTURndVkyOXRMM041YzNSbGJYUmxjM1F5TWpFdVkzSnNNR0dnWDZCZHBGc3dXVEVMTUFrR0ExVUVCaE1DUkVzeEVqQVFCZ05WQkFvTUNWUlNWVk5VTWpRd09ERWxNQ01HQTFVRUF3d2NWRkpWVTFReU5EQTRJRk41YzNSbGJYUmxjM1FnV0ZoSlNTQkRRVEVQTUEwR0ExVUVBd3dHUTFKTU1UZ3dNQjhHQTFVZEl3UVlNQmFBRkt1b0FVUVpzTE5EbWRyNmZNelNBQmdENXp5L01CMEdBMVVkRGdRV0JCVE1QZWE5QWZCeWJlUkZTVjdtVUtaZndXMEFkekFKQmdOVkhSTUVBakFBTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFBUUIzL3d6amM4T2VsVk5MTHV1UGNRanJxN3p0VFdwb1ZCZnJNaGtheWMyeDQ2d2VOeDZQTWVObTNTdHZJYkcyeTIxb3RBTWhVK0hnanpmZ3NZTEpVMFBFTEdycnp2OHRDLytHMnNHbnJDSVgrNU1zUHg0eURpWlJBNFlrc2pLd0hGT0xHOWFwbVRvV1BHNVhzZTRjeHZzNFViSFd6V2lra3krcVl4RXVybjY1NkVseDVYNkF1S00rK1FHQi9KSXBDa0t0ZlhSSzduODFNV3dqT2JDMlI5TXI5VlZQd1VFNllna2pTZU1nTDFUNUd5MHNuaXp2THkxbmpnMHk5eHhwUTZLVWNHaU1pVFZJSzRlczdqSkxVQ0VIeURhSEFXbDBnQ0tQYk1pcjE5bExyK1Z3Ym5WellhdDVUaGRzNkJXT0I0aThHN2RwQ0QzK3Y5MGFKSVE1dDA8L1g1MDlDZXJ0aWZpY2F0ZT48L1g1MDlEYXRhPjwvS2V5SW5mbz48L1N1YmplY3RDb25maXJtYXRpb25EYXRhPjwvU3ViamVjdENvbmZpcm1hdGlvbj48L1N1YmplY3Q-PENvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDIxLTEyLTA4VDExOjQ4OjA4LjMyMloiIE5vdE9uT3JBZnRlcj0iMjAyMS0xMi0wOFQxOTo0ODowOC4zMjJaIj48QXVkaWVuY2VSZXN0cmljdGlvbj48QXVkaWVuY2U-aHR0cDovL2RlbW8ucHJvZC1zZXJ2aWNlcGxhdGZvcm1lbi5kay9zZXJ2aWNlL0RlbW9TZXJ2aWNlLzE8L0F1ZGllbmNlPjwvQXVkaWVuY2VSZXN0cmljdGlvbj48L0NvbmRpdGlvbnM-PEF0dHJpYnV0ZVN0YXRlbWVudD48QXR0cmlidXRlIE5hbWU9ImRrOmdvdjpzYW1sOmF0dHJpYnV0ZTpDdnJOdW1iZXJJZGVudGlmaWVyIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48QXR0cmlidXRlVmFsdWU-MjkxODk4NDY8L0F0dHJpYnV0ZVZhbHVlPjwvQXR0cmlidXRlPjxBdHRyaWJ1dGUgTmFtZT0iZGs6Z292OnNhbWw6YXR0cmlidXRlOkFzc3VyYW5jZUxldmVsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48QXR0cmlidXRlVmFsdWU-MzwvQXR0cmlidXRlVmFsdWU-PC9BdHRyaWJ1dGU-PEF0dHJpYnV0ZSBOYW1lPSJkazpnb3Y6c2FtbDphdHRyaWJ1dGU6U3BlY1ZlciIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI-PEF0dHJpYnV0ZVZhbHVlPkRLLVNBTUwtMi4wPC9BdHRyaWJ1dGVWYWx1ZT48L0F0dHJpYnV0ZT48QXR0cmlidXRlIE5hbWU9ImRrOmdvdjpzYW1sOmF0dHJpYnV0ZTpLb21iaXRTcGVjVmVyIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48QXR0cmlidXRlVmFsdWU-MS4wPC9BdHRyaWJ1dGVWYWx1ZT48L0F0dHJpYnV0ZT48QXR0cmlidXRlIE5hbWU9ImRrOmdvdjpzYW1sOmF0dHJpYnV0ZTpQcml2aWxlZ2VzX2ludGVybWVkaWF0ZSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI-PEF0dHJpYnV0ZVZhbHVlPlBEOTRiV3dnZG1WeWMybHZiajBpTVM0d0lpQmxibU52WkdsdVp6MGlWVlJHTFRnaVB6NDhZbkJ3T2xCeWFYWnBiR1ZuWlV4cGMzUWdlRzFzYm5NNlluQndQU0pvZEhSd09pOHZhWFJ6ZEM1a2F5OXZhVzl6WVcxc0wySmhjMmxqWDNCeWFYWnBiR1ZuWlY5d2NtOW1hV3hsSWlCNGJXeHVjenA0YzJrOUltaDBkSEE2THk5M2QzY3Vkek11YjNKbkx6SXdNREV2V0UxTVUyTm9aVzFoTFdsdWMzUmhibU5sSWo0OFVISnBkbWxzWldkbFIzSnZkWEFnVTJOdmNHVTlJblZ5Ympwa2F6cG5iM1k2YzJGdGJEcGpkbkpPZFcxaVpYSkpaR1Z1ZEdsbWFXVnlPakk1TVRnNU9EUTJJajQ4VUhKcGRtbHNaV2RsUG1oMGRIQTZMeTl6WlhKMmFXTmxjR3hoZEdadmNtMWxiaTV3Y205a0xYTmxjblpwWTJWd2JHRjBabTl5YldWdUxtUnJMM0p2YkdWekwzTmxjblpwWTJWemVYTjBaVzF5YjJ4bEwyUjFiVzE1THpFOEwxQnlhWFpwYkdWblpUNDhMMUJ5YVhacGJHVm5aVWR5YjNWd1Bqd3ZZbkJ3T2xCeWFYWnBiR1ZuWlV4cGMzUSs8L0F0dHJpYnV0ZVZhbHVlPjwvQXR0cmlidXRlPjwvQXR0cmlidXRlU3RhdGVtZW50PjxBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMjEtMTItMDhUMTE6NDg6MDguMzIyWiI-PEF1dGhuQ29udGV4dD48QXV0aG5Db250ZXh0Q2xhc3NSZWY-dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6WDUwOTwvQXV0aG5Db250ZXh0Q2xhc3NSZWY-PC9BdXRobkNvbnRleHQ-PC9BdXRoblN0YXRlbWVudD48L0Fzc2VydGlvbj4

Response:

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJwNi16RFFwSXVyVGxJWGVWeUZwTlZ1cVpud1B2WUdiVzhxOHB1TkhLQ21jIn0.eyJleHAiOjE2Mzg4ODAxOTcsImlhdCI6MTYzODg3OTg5NywianRpIjoiNTU3NzA0OWQtNGViNS00ZjRjLWIyMTQtMDgwNjNlMWRkYTFlIiwiaXNzIjoiaHR0cHM6Ly9zYW1sLnRlc3QwMDEuZWhlYWx0aC5zdW5kaGVkLmRrL2F1dGgvcmVhbG1zL2VoZWFsdGgiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiZmUzNmJkNGEtZjUwMC00MTEwLThhZGItYmU1ZDMxMjI2ZGY2IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZW9qIiwic2Vzc2lvbl9zdGF0ZSI6IjllMDU2N2UwLTk1ZWItNGIxOS05NjQxLTBmNjE4ZjFhNmViNiIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiIsImRlZmF1bHQtcm9sZXMtZWhlYWx0aCJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoicHJvZmlsZSBlbWFpbCIsInNpZCI6IjllMDU2N2UwLTk1ZWItNGIxOS05NjQxLTBmNjE4ZjFhNmViNiIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiYnBwIjoiPD94bWwgdmVyc2lvbj1cIjEuMFwiIGVuY29kaW5nPVwiVVRGLThcIj8-PGJwcDpQcml2aWxlZ2VMaXN0IHhtbG5zOmJwcD1cImh0dHA6Ly9pdHN0LmRrL29pb3NhbWwvYmFzaWNfcHJpdmlsZWdlX3Byb2ZpbGVcIiB4bWxuczp4c2k9XCJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZVwiPjxQcml2aWxlZ2VHcm91cCBTY29wZT1cInVybjpkazpnb3Y6c2FtbDpjdnJOdW1iZXJJZGVudGlmaWVyOjI5MTg5ODQ2XCI-PFByaXZpbGVnZT5odHRwOi8vc2VydmljZXBsYXRmb3JtZW4ucHJvZC1zZXJ2aWNlcGxhdGZvcm1lbi5kay9yb2xlcy9zZXJ2aWNlc3lzdGVtcm9sZS9kdW1teS8xPC9Qcml2aWxlZ2U-PC9Qcml2aWxlZ2VHcm91cD48L2JwcDpQcml2aWxlZ2VMaXN0PiIsInByZWZlcnJlZF91c2VybmFtZSI6InNlcmlhbG51bWJlcj1jdnI6MTk0MzUwNzUtZmlkOjM3NjcxNTMzICsgY249a29tYml0LXNwLXQtZGVtby1zZXJ2IChmdW5rdGlvbnNjZXJ0aWZpa2F0KSwgbz1rb21iaXQgYS9zIC8vIGN2cjoxOTQzNTA3NSwgYz1kayIsImN2ciI6IjI5MTg5ODQ2In0.Tov5xlwX9bS-bPPJ73g0P5Lq89H5xFx5_HD2K20b3B_Ij4EzSBSJuM6M1CXFJzmG_zxAS2qylT3K8Oq7RUnqJHUw1wJsjq6HQWdoCrLOQgVI-LVMM6ZSHXZF1kZwUalGZBOJMMeoII4bnE1ZQ7wMdzPuoGWiu9v523jlAJvxeM59K-UvNATlOUr4F1bCEMabo45XYXVLxXQ4Tkg8utEuEmUZwl5J2eJnbMBoc6iAa99m5CuSLlM0GT7_QSyq8CN8yCn9LWG4cxrdqgqL5Wf3kwVE1pS_sUqinR6rHPt5Y6mnAYFER2Gk5em4pBrochxZLApRRjsPGf-asLpoM5DA5A",
  "expires_in": 300,
  "refresh_expires_in": 1800,
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIyMGRlOTdiOC1jMGU3LTQ4MTktYWVhZi1iYjgxMmI2ZjI4NjIifQ.eyJleHAiOjE2Mzg4ODE2OTcsImlhdCI6MTYzODg3OTg5NywianRpIjoiZTRiZmU4YzQtNThjNy00MDBiLWI0MjYtOTM0MWE0ZjRlMDkwIiwiaXNzIjoiaHR0cHM6Ly9zYW1sLnRlc3QwMDEuZWhlYWx0aC5zdW5kaGVkLmRrL2F1dGgvcmVhbG1zL2VoZWFsdGgiLCJhdWQiOiJodHRwczovL3NhbWwudGVzdDAwMS5laGVhbHRoLnN1bmRoZWQuZGsvYXV0aC9yZWFsbXMvZWhlYWx0aCIsInN1YiI6ImZlMzZiZDRhLWY1MDAtNDExMC04YWRiLWJlNWQzMTIyNmRmNiIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJlb2oiLCJzZXNzaW9uX3N0YXRlIjoiOWUwNTY3ZTAtOTVlYi00YjE5LTk2NDEtMGY2MThmMWE2ZWI2Iiwic2NvcGUiOiJwcm9maWxlIGVtYWlsIiwic2lkIjoiOWUwNTY3ZTAtOTVlYi00YjE5LTk2NDEtMGY2MThmMWE2ZWI2In0.rysjXEeHUgxjrOI5bYyPB9A8l3N5yD_UoxzkQsPqGFc",
  "token_type": "Bearer",
  "not-before-policy": 0,
  "session_state": "9e0567e0-95eb-4b19-9641-0f618f1a6eb6",
  "scope": "profile email"
}

Requesting Access token with Refresh Token

Using a refresh token is like the initial token exchange request an HTTP POST request with content-type application/x-www-form-urlencoded

Body Parameters:

client_id: The id of the requesting client.
client_assertion_type: Always urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
client_assertion: The JWS described in the previous section.
grant_type: Always refresh_token.
refresh_token: A valid refresh token acquired by a previous access token request.

NOTE: Remember that the JWS is single use.

Example:

POST: https://saml.test001.ehealth.sundhed.dk/auth/realms/ehealth/protocol/openid-connect/token
Headers: 
    Accept=application/x-www-form-urlencoded
    Content-Type=application/x-www-form-urlencoded
Body: 
    client_id=eoj
    client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
    client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCIgOiAicnFqZ0xJRHpWZzhDWXdmVFlwaDAwSjRZTHI2Y1hRVk83V1hLdHc3c1k2dyJ9.eyJleHAiOjE2Mzg4ODI2NzMsIm5iZiI6MTYzODg4MjY2MywiaWF0IjoxNjM4ODgyNjYzLCJqdGkiOiJmYzI0NTc3NC02N2M2LTRmYmYtOTk5YS02MTZmZTE3MDUxNjYiLCJpc3MiOiJlb2oiLCJhdWQiOiJodHRwczovL3NhbWwudGVzdDAwMS5laGVhbHRoLnN1bmRoZWQuZGsvYXV0aC9yZWFsbXMvZWhlYWx0aCIsInN1YiI6ImVvaiJ9.GUA34KZX1CONjJ9gXx2TAI1dq-vooYNOfUYB32AKK1GhFJeBUAhUiVaaGBzB5sk9DuBEyQQbT7yoOXbl2joStrj2QPYVtFO06XMlp5iqrb8eQdkWexMg3ZpLP7YV1HDGWrSEksV0liQpVs35OmhJDivkKuHf63n-fpqcKLHiGpkUrwrxycXHeG6Lv846fxrn3eiJVB_ywKNjgST8nPZr9uFpiATsX-Vrx5r6LtYyg6hN6AD8bJamOuJ2txem41DoVTgeAuqNaDZxradLc8GiaVmXdSuPM-_KH41bUwfOTA6jbMdgsJNo6lzYJdoxRub5ld-D33WaeRvtRFWBLElwHQ
    grant_type=refresh_token
    refresh_token=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIyMGRlOTdiOC1jMGU3LTQ4MTktYWVhZi1iYjgxMmI2ZjI4NjIifQ.eyJleHAiOjE2Mzg4ODQ0NjMsImlhdCI6MTYzODg4MjY2MywianRpIjoiZTI2ZTk5NjEtZDE0My00MTA1LTkwY2MtN2UwNTMwODNmMmNjIiwiaXNzIjoiaHR0cHM6Ly9zYW1sLnRlc3QwMDEuZWhlYWx0aC5zdW5kaGVkLmRrL2F1dGgvcmVhbG1zL2VoZWFsdGgiLCJhdWQiOiJodHRwczovL3NhbWwudGVzdDAwMS5laGVhbHRoLnN1bmRoZWQuZGsvYXV0aC9yZWFsbXMvZWhlYWx0aCIsInN1YiI6ImZlMzZiZDRhLWY1MDAtNDExMC04YWRiLWJlNWQzMTIyNmRmNiIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJlb2oiLCJzZXNzaW9uX3N0YXRlIjoiYzM0NzgxYzAtZThiZS00NGVjLWFlYjUtMjViYjVlMDRlOGRkIiwic2NvcGUiOiJwcm9maWxlIGVtYWlsIiwic2lkIjoiYzM0NzgxYzAtZThiZS00NGVjLWFlYjUtMjViYjVlMDRlOGRkIn0.O3pcwZvYU8WTPLsx1ODfRHzGYRenXd8dcixmK7f5dfs

SAML Assertion to JWT Exchange

JWT Client Authentication

Requesting Access token with Token Exchange

Requesting Access token with Refresh Token