In the Gateway project, external systems are authenticated and authorized using “JWT client authentication“ and “OAuth 2.0 Token Exchange“.

JWT Client Authentication

Prerequisites:

The system is in possession of a Public/Private key pair.
The system has a client in Keycloak.
The systems Public Key is registered for the client.

In order to obtain access tokens from Keycloak, the system must provide a signed JWT (i.e. JWS) on each access token request to Keycloak.

The system issues the JWS itself and signs it with its own private key.

See also jwt.io for a comprehensive list of software libraries for token signing.

The JWS must have the following fields in the header:

alg: Signature Algorithm
kid: Key ID

{
  "alg": "RS256",
  "kid": "rqjgLIDzVg8CYwfTYph00J4YLr6cXQVO7WXKtw7sY6w"
}

NOTE: The Key ID is the base64url encoded, SHA-256 digest (HASH),of the encoded public key. See also "Obtaining the kid from a Public key"

The JWS must have the following fields in the body:

jti: JWT ID - Unique identifier for this token.
iss: Issuer - Who created the token. (In this case it is the client)
sub: Subject - Whom the token refers to. (In this case it is also the client)
aud: Audience - What the token is intended for. (In this case it is the keycloak realm info url)
iat: Issued at - When the token was created. (seconds since UNIX epoch)
exp: Expiration time - When the token expires (seconds since UNIX epoch)
nbf: Not valid before - When the token validity starts (seconds since UNIX epoch)

{
  "jti": "93461fd9-a043-45e7-89c2-06757348377e",
  "iss": "eoj",
  "sub": "eoj",
  "aud": "https://saml.test001.ehealth.sundhed.dk/auth/realms/ehealth",
  "iat": 1638873738,
  "exp": 1638873748,
  "nbf": 1638873738
}

NOTE: The JWS is single use only.

Example:

eyJhbGciOiJSUzI1NiIsImtpZCIgOiAicnFqZ0xJRHpWZzhDWXdmVFlwaDAwSj
RZTHI2Y1hRVk83V1hLdHc3c1k2dyJ9.eyJleHAiOjE2Mzg4Nzk5MDcsIm5iZiI
6MTYzODg3OTg5NywiaWF0IjoxNjM4ODc5ODk3LCJqdGkiOiJiMTBjNWFmYi03M
GZkLTQ2NGYtODc3Yy1kYWJiNzMzYTQwMjgiLCJpc3MiOiJlb2oiLCJhdWQiOiJ
odHRwczovL3NhbWwudGVzdDAwMS5laGVhbHRoLnN1bmRoZWQuZGsvYXV0aC9yZ
WFsbXMvZWhlYWx0aCIsInN1YiI6ImVvaiJ9.SNwkVzMn1JhPPbAfT-4qym8OFS
3pebm3OWqfHc4YwNYAGSV6ih0mqKJtq6kmzATDWeyGEJRrhlM-6I5CV8bH77uZ
UyPPBdamUpdtSOTvQGUDxxiIJFwzqVHF77TICjqc5_8n-g2drn27J9D7cwYRXy
wFBDVPlqqZaWCoHipOoF0FSqMmOWvWHG152-jmeMX2GQxjRnfRd3xV0rcGZc2p
mTzYvv4b9KHOSoVmnuXmh3MSMhQo9D8WtUCxakCIyKGEDtmQ4zi-5NSpJdcejf
gii-g-XPhA8i4bZ7xc56_XhYQWs15JfyqV-wAnsnU-HQhQuiSO1rHLWYjk5B2q
2d0W8g

Obtaining the `kid` from a Public key

Obtaining the kid from a Public key is done in 3 steps. This is demonstrated with the following example, given a Public key:

Step 1. Getting the encoded bytes.

The encoded bytes are obtained by removing the tags -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY-----, and all line separators. Then Base64 decode the resulting line as bytes. The hex representation of this applied to above Public key is:

30820122300d06092a864886f70d01010105000382010f003082010a02820101009
0c00341ebf70b23c0d76a8e5b4cf623d2edaaa097face9fa488e67dab480eabf61e
7d288576584676e3a368028ccdc3b4c67ed3be9299db7f0d57f4af3cd3ac43bcdf9
87256d1fbc990502fc34cc999b4533cd8a1c8c5dd8fdd73ecce7328f04cad2b62de
116d2ef49fdc89865e1fa6fe4130ea1141b56b4b0a5660afee870dc002e88859235
c84de22b742b764ed041ef530ed1346806556eef04626e0f2161ec333bcebeb5b40
982e4226bb98cf844c4d3205990dadacfdab4887ab2c9266ad5d031a1c762aeea32
86aec12b47eea14fa01815070428e403bb2accc98d7e859aee42ce77be43d1607f3
c072b84c530a40e240eb24bee3fe71bc7ee921ec6b0203010001

NOTE: line breaks are added for readability.

Step 2. Getting the SHA256 digest.

Apply the SHA256 algorithm to the bytes obtained in step 1 (not the hex string). In this example, the hex representation of the resulting bytes is:

aea8e02c80f3560f026307d3629874d09e182ebe9c5d054eed65cab70eec63ac

Step 3. Encoding the digest.

The last step is to apply base64url encoding to the bytes obtained in step 2. The final result is then:

rqjgLIDzVg8CYwfTYph00J4YLr6cXQVO7WXKtw7sY6w

Requesting Access token with Token Exchange

The token exchange request is an HTTP POST request with content-type application/x-www-form-urlencoded

Body Parameters:

client_id: The id of the requesting client.
client_assertion_type: Always urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
client_assertion: The JWS described in the previous section.
grant_type: Always urn:ietf:params:oauth:grant-type:token-exchange.
subject_issuer: The ID of the subject token issuer e.g. kombit-sts.
subject_token_type: Always urn:ietf:params:oauth:token-type:saml2.
subject_token: The Base64url encoded SAML Assertion issued by subject_issuer

The response is a standard OAuth 2.0 access token response with content-type application/json

Response Fields:

access_token: The access token used for authentication on the FUT platform.
expires_in: The time to live of the access token in seconds
refresh_token: The refresh token used for requesting new access tokens
refresh_expires_in:The time to live of the refresh token in seconds

Example

Request:

POST: https://saml.test001.ehealth.sundhed.dk/auth/realms/ehealth/protocol/openid-connect/token
Headers: 
    Accept=application/x-www-form-urlencoded
    Content-Type=application/x-www-form-urlencoded
Body: 
    client_id=eoj
    client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
    client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCIgOiAicnFqZ0xJRHpWZzhDWXdmVFlwaDAwSjRZTHI2Y1hRVk83V1hLdHc3c1k2dyJ9.eyJleHAiOjE2Mzg4ODI2NzMsIm5iZiI6MTYzODg4MjY2MywiaWF0IjoxNjM4ODgyNjYzLCJqdGkiOiI0MDk0YzNhYy03Mzc4LTQzZWQtODM3Ny05NjAzYjFmZjc2MGEiLCJpc3MiOiJlb2oiLCJhdWQiOiJodHRwczovL3NhbWwudGVzdDAwMS5laGVhbHRoLnN1bmRoZWQuZGsvYXV0aC9yZWFsbXMvZWhlYWx0aCIsInN1YiI6ImVvaiJ9.eQ3kUUmlXGsBphFdH0LqhRAQzgMwkIdVxctM1Fw8J4H6OIq1ZVcEFmY67y-f8RMCHC_sSwZ2EWb1PKKoPHCVXwYAvJ4hWw0yXitN7i-GFW-s9iU9Wgem0I4g_JLaVoYqoGf_WaZXREbaN8MkzCYYz2ODrk15xR6J2hQlgiPMezSOtP0BDJCAly5x6gEFPI6gR1HMeNBjCmGzxh2nFtvkYiGrNjVR4rhcww6F9XqBCZhbIP9l691jAW77oRhTcd0fHdJ50gwOQebwCErV2_hdTSmImJLZIlUSQBNub9RDFoSVjnweZXqCnIrx53THlSGKyIETkG17ww6SamETekB4Mg
    grant_type=urn:ietf:params:oauth:grant-type:token-exchange
    subject_issuer=kobit-sts
    subject_token_type=urn:ietf:params:oauth:token-type:saml2
    subject_token=PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48QXNzZXJ0aW9uIHhtbG5zPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIiBJRD0iXzc0NTEyMzc2LWNlNmUtNDRlNy05NTVkLWNhZTUxMzQwNDQxMSIgSXNzdWVJbnN0YW50PSIyMDIxLTEyLTA4VDExOjQ4OjA4LjMyNloiIFZlcnNpb249IjIuMCI-PElzc3VlciBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpuYW1laWQtZm9ybWF0OmVudGl0eSI-aHR0cHM6Ly9zYW1sLmFkZ2FuZ3NzdHlyaW5nLmVrc3Rlcm50ZXN0LXN0b2V0dGVzeXN0ZW1lcm5lLmRrPC9Jc3N1ZXI-PFNpZ25hdHVyZSB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI-PFNpZ25lZEluZm8-PENhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxkc2lnLW1vcmUjcnNhLXNoYTI1NiIvPjxSZWZlcmVuY2UgVVJJPSIjXzc0NTEyMzc2LWNlNmUtNDRlNy05NTVkLWNhZTUxMzQwNDQxMSI-PFRyYW5zZm9ybXM-PFRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8-PFRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPjwvVHJhbnNmb3Jtcz48RGlnZXN0TWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS8wNC94bWxlbmMjc2hhMjU2Ii8-PERpZ2VzdFZhbHVlPkVvWFdCejlHdWE1NWo1L3pCTHpheFN5bGZvWENWY1ZmNG4wVVMxQ0F2amc9PC9EaWdlc3RWYWx1ZT48L1JlZmVyZW5jZT48L1NpZ25lZEluZm8-PFNpZ25hdHVyZVZhbHVlPlRXbDJJZTQwL004eXM3eCtrSGRvWHdUMVhRN1JDMjRHY2RlMUtyV0QzNmJDOCtNWWxiN2FoaWxJZDZMK2sxTnl3V3hnaXFnMUtoSEVDYTFmM1lnejVlQnVuOWJvb0t4eUhkcm5kYUF1bHlac0JNenJvTUt5RTdIand0NkhabTN1UW1LU2tCa2paTHVZcDIya2hEbGxSbXgvby9HYURVaS9Ha3hWcDZDa3dIV2dtODMyV28xOHpLdlFqNWhZUUVDZTUwMHRRNStsYUR5Q0FpSVp1U3lkbnE0Z1kyTGJEcVhjd2lWVHhKenRzOEc5YkpyVEZHelJVTkJsQ0NhWDlYcXJEZG1jTlZvOXBPTjdXYm82dGF4ejBZWWRWUUZSZW15TW9PY2RVWUZkVGRpdnNYcm50TUQ3UlFod25NSDlKY3Z1K3lKY3QvdGJPckhGTFcrcXBlMFUrZz09PC9TaWduYXR1cmVWYWx1ZT48S2V5SW5mbz48WDUwOURhdGE-PFg1MDlDZXJ0aWZpY2F0ZT5NSUlHSFRDQ0JRV2dBd0lCQWdJRVhnaVRDVEFOQmdrcWhraUc5dzBCQVFzRkFEQkFNUXN3Q1FZRFZRUUdFd0pFU3pFU01CQUdBMVVFQ2d3SlZGSlZVMVF5TkRBNE1SMHdHd1lEVlFRRERCUlVVbFZUVkRJME1EZ2dUME5GVXlCRFFTQkpWakFlRncweU1UQTJNRGd3TnpBM01ETmFGdzB5TkRBMk1EZ3dOekEyTXpWYU1JR1FNUXN3Q1FZRFZRUUdFd0pFU3pFak1DRUdBMVVFQ2d3YVMwOU5Ra2xVSUVFdlV5QXZMeUJEVmxJNk1UazBNelV3TnpVeFhEQWdCZ05WQkFVVEdVTldVam94T1RRek5UQTNOUzFHU1VRNk5qQTBPVEkzT0Rnd09BWURWUVFERERGMFpYTjBMV1ZyYzNSbGNtNHRZV1JuWVc1bmMzTjBlWEpwYm1jZ0tHWjFibXQwYVc5dWMyTmxjblJwWm1scllYUXBNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQW5FYlQyMjMwVEVDK1puQWdPV3dBYUJ0b1NqT3N6ZGFNQnhjbDFXQ0NmdjhSYzVORk1wMUZUNjhyZXhOOS9rMUdjVE5XUkVQTFNqRWg5UlV0UTVRSHJFRFVZRHYzZy9sTDJZU0thVnVZN1lpcU1uK0VpODF0Z0tXTzlONVAxVU5kZUxXMCs1RGpOU08rK0NDMzNCMEFFbFhYVkk5WWhRRm5TUjZxVFpzWVBRbnNEL0o2RkE0MVJNeWl6Zms1TUZtRnVyWW4wNm53OUNrVzNDdFk1VDMrRlU0cTU1Z0lPaXdTR3BsSG01ZW1lRkV5eE1rWHRRQmFvUlhwZ09lU3FKSjFyMkdZa0szZ2svMURHay9zMkNLYzF3UGxoaFU5dkpPVjBjTnl5Si93dlVzY1dqanJnVDVVZ0xYMk9LM2xaVWlRNzJXN0RNZ0V4T2NLVHhidktqUCtZd0lEQVFBQm80SUN6RENDQXNnd0RnWURWUjBQQVFIL0JBUURBZ080TUlHSkJnZ3JCZ0VGQlFjQkFRUjlNSHN3TlFZSUt3WUJCUVVITUFHR0tXaDBkSEE2THk5dlkzTndMbWxqWVRBMExuUnlkWE4wTWpRd09DNWpiMjB2Y21WemNHOXVaR1Z5TUVJR0NDc0dBUVVGQnpBQ2hqWm9kSFJ3T2k4dlppNWhhV0V1YVdOaE1EUXVkSEoxYzNReU5EQTRMbU52YlM5dlkyVnpMV2x6YzNWcGJtY3dOQzFqWVM1alpYSXdnZ0ZEQmdOVkhTQUVnZ0U2TUlJQk5qQ0NBVElHQ2lxQlVJRXBBUUVCQkFNd2dnRWlNQzhHQ0NzR0FRVUZCd0lCRmlOb2RIUndPaTh2ZDNkM0xuUnlkWE4wTWpRd09DNWpiMjB2Y21Wd2IzTnBkRzl5ZVRDQjdnWUlLd1lCQlFVSEFnSXdnZUV3RUJZSlZGSlZVMVF5TkRBNE1BTUNBUUVhZ2N4R2IzSWdZVzUyWlc1a1pXeHpaU0JoWmlCalpYSjBhV1pwYTJGMFpYUWdaK1pzWkdWeUlFOURSVk1nZG1sc2ErVnlMQ0JEVUZNZ2IyY2dUME5GVXlCRFVDd2daR1Z5SUd0aGJpQm9aVzUwWlhNZ1puSmhJSGQzZHk1MGNuVnpkREkwTURndVkyOXRMM0psY0c5emFYUnZjbmt1SUVKbGJlWnlheXdnWVhRZ1ZGSlZVMVF5TkRBNElHVm1kR1Z5SUhacGJHdmxjbVZ1WlNCb1lYSWdaWFFnWW1WbmN1WnVjMlYwSUdGdWMzWmhjaUJwWm5RdUlIQnliMlpsYzNOcGIyNWxiR3hsSUhCaGNuUmxjaTR3Z1pjR0ExVWRId1NCanpDQmpEQXVvQ3lnS29Zb2FIUjBjRG92TDJOeWJDNXBZMkV3TkM1MGNuVnpkREkwTURndVkyOXRMMmxqWVRBMExtTnliREJhb0ZpZ1ZxUlVNRkl4Q3pBSkJnTlZCQVlUQWtSTE1SSXdFQVlEVlFRS0RBbFVVbFZUVkRJME1EZ3hIVEFiQmdOVkJBTU1GRlJTVlZOVU1qUXdPQ0JQUTBWVElFTkJJRWxXTVJBd0RnWURWUVFEREFkRFVrd3pNRGd6TUI4R0ExVWRJd1FZTUJhQUZGeTdkV0lXTXBtcU5xQzRtdnR2cHd4ZjhBclZNQjBHQTFVZERnUVdCQlIyYlhWVWNXdDVpNHpPOUo5a3BCcnE1Zkp1ZkRBSkJnTlZIUk1FQWpBQU1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQlEwMTVSNTVaWis4M3crZVIvQ05mWng5eWtPS0hxZjcwYk9wTTl5dTdVeEcydGVBQUUrNHhBOFp0L0YvU1BidExieEFaTGtTQmV2bVg0b1ZWWXRObjZDMEhyUzhWL0d0NjVyUzdWeEVJL3ZCdHREMEVPT3Z3eEpQVzYxd000ZjVFWFk4NFhaUHpMOVVZM0VyamhEdnozVzZ0cnhZTnA1d1MxVjR4ODVTSThXQ2VzTlhqcnlNSHBoUGFrSzI1MklPVFh2dXliR05qeVZ3UUwzREdJOWkvRGNPeHpJUGkwQ2FCbEJFVlVUdmdnUjlFN3Y0UC9ZcHh2UXlyZXJxdEVmeThQSUovYTJseXNDeW9NZWVnMFRUcTVBNTFCSzI1U2xXem8wbXV5Sjd0Ykt1UkxrUGZHdHVTcTh1R2ZCQlZ5b3VObDQvbkgwUURvVTltSERQMTdnU1paPC9YNTA5Q2VydGlmaWNhdGU-PC9YNTA5RGF0YT48L0tleUluZm8-PC9TaWduYXR1cmU-PFN1YmplY3Q-PE5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0Olg1MDlTdWJqZWN0TmFtZSI-U0VSSUFMTlVNQkVSPUNWUjoxOTQzNTA3NS1GSUQ6Mzc2NzE1MzMgKyBDTj1rb21iaXQtc3AtdC1kZW1vLXNlcnYgKGZ1bmt0aW9uc2NlcnRpZmlrYXQpLCBPPUtPTUJJVCBBL1MgLy8gQ1ZSOjE5NDM1MDc1LCBDPURLPC9OYW1lSUQ-PFN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206aG9sZGVyLW9mLWtleSI-PFN1YmplY3RDb25maXJtYXRpb25EYXRhIHhtbG5zOmE9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiBOb3RCZWZvcmU9IjIwMjEtMTItMDhUMTE6NDg6MDguMzI2WiIgTm90T25PckFmdGVyPSIyMDIxLTEyLTA4VDE5OjQ4OjA4LjMyMloiIFJlY2lwaWVudD0iaHR0cDovL2RlbW8ucHJvZC1zZXJ2aWNlcGxhdGZvcm1lbi5kay9zZXJ2aWNlL0RlbW9TZXJ2aWNlLzEiIGE6dHlwZT0iS2V5SW5mb0NvbmZpcm1hdGlvbkRhdGFUeXBlIj48S2V5SW5mbyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI-PFg1MDlEYXRhPjxYNTA5Q2VydGlmaWNhdGU-TUlJR0lEQ0NCUWlnQXdJQkFnSUVXNnh6ZERBTkJna3Foa2lHOXcwQkFRc0ZBREJJTVFzd0NRWURWUVFHRXdKRVN6RVNNQkFHQTFVRUNnd0pWRkpWVTFReU5EQTRNU1V3SXdZRFZRUUREQnhVVWxWVFZESTBNRGdnVTNsemRHVnRkR1Z6ZENCWVdFbEpJRU5CTUI0WERURTVNRGt4T1RFeU1UWXdPRm9YRFRJeU1Ea3hPVEV5TVRVeE1Gb3dnWW94Q3pBSkJnTlZCQVlUQWtSTE1TTXdJUVlEVlFRS0RCcExUMDFDU1ZRZ1FTOVRJQzh2SUVOV1Vqb3hPVFF6TlRBM05URldNQ0FHQTFVRUJSTVpRMVpTT2pFNU5ETTFNRGMxTFVaSlJEb3pOelkzTVRVek16QXlCZ05WQkFNTUsydHZiV0pwZEMxemNDMTBMV1JsYlc4dGMyVnlkaUFvWm5WdWEzUnBiMjV6WTJWeWRHbG1hV3RoZENrd2dnRWlNQTBHQ1NxR1NJYjNEUUVCQVFVQUE0SUJEd0F3Z2dFS0FvSUJBUUNRd0FOQjYvY0xJOERYYW81YlRQWWowdTJxb0pmNnpwK2tpT1o5cTBnT3EvWWVmU2lGZGxoR2R1T2phQUtNemNPMHhuN1R2cEtaMjM4TlYvU3ZQTk9zUTd6Zm1ISlcwZnZKa0ZBdncwekptYlJUUE5paHlNWGRqOTF6N001ektQQk1yU3RpM2hGdEx2U2YzSW1HWGgrbS9rRXc2aEZCdFd0TENsWmdyKzZIRGNBQzZJaFpJMXlFM2lLM1FyZGs3UVFlOVREdEUwYUFaVmJ1OEVZbTRQSVdIc016dk92clcwQ1lMa0ltdTVqUGhFeE5NZ1daRGEycy9hdEloNnNza21hdFhRTWFISFlxN3FNb2F1d1N0SDdxRlBvQmdWQndRbzVBTzdLc3pKalg2Rm11NUN6bmUrUTlGZ2Z6d0hLNFRGTUtRT0pBNnlTKzQvNXh2SDdwSWV4ckFnTUJBQUdqZ2dMTk1JSUN5VEFPQmdOVkhROEJBZjhFQkFNQ0E3Z3dnWmNHQ0NzR0FRVUZCd0VCQklHS01JR0hNRHdHQ0NzR0FRVUZCekFCaGpCb2RIUndPaTh2YjJOemNDNXplWE4wWlcxMFpYTjBNakl1ZEhKMWMzUXlOREE0TG1OdmJTOXlaWE53YjI1a1pYSXdSd1lJS3dZQkJRVUhNQUtHTzJoMGRIQTZMeTltTG1GcFlTNXplWE4wWlcxMFpYTjBNakl1ZEhKMWMzUXlOREE0TG1OdmJTOXplWE4wWlcxMFpYTjBNakl0WTJFdVkyVnlNSUlCSUFZRFZSMGdCSUlCRnpDQ0FSTXdnZ0VQQmcwckJnRUVBWUgwVVFJRUJnUUNNSUg5TUM4R0NDc0dBUVVGQndJQkZpTm9kSFJ3T2k4dmQzZDNMblJ5ZFhOME1qUXdPQzVqYjIwdmNtVndiM05wZEc5eWVUQ0J5UVlJS3dZQkJRVUhBZ0l3Z2J3d0RCWUZSR0Z1U1VRd0F3SUJBUnFCcTBSaGJrbEVJSFJsYzNRZ1kyVnlkR2xtYVd0aGRHVnlJR1p5WVNCa1pXNXVaU0JEUVNCMVpITjBaV1JsY3lCMWJtUmxjaUJQU1VRZ01TNHpMall1TVM0MExqRXVNekV6TVRNdU1pNDBMall1TkM0eUxpQkVZVzVKUkNCMFpYTjBJR05sY25ScFptbGpZWFJsY3lCbWNtOXRJSFJvYVhNZ1EwRWdZWEpsSUdsemMzVmxaQ0IxYm1SbGNpQlBTVVFnTVM0ekxqWXVNUzQwTGpFdU16RXpNVE11TWk0MExqWXVOQzR5TGpDQnJRWURWUjBmQklHbE1JR2lNRDJnTzZBNWhqZG9kSFJ3T2k4dlkzSnNMbk41YzNSbGJYUmxjM1F5TWk1MGNuVnpkREkwTURndVkyOXRMM041YzNSbGJYUmxjM1F5TWpFdVkzSnNNR0dnWDZCZHBGc3dXVEVMTUFrR0ExVUVCaE1DUkVzeEVqQVFCZ05WQkFvTUNWUlNWVk5VTWpRd09ERWxNQ01HQTFVRUF3d2NWRkpWVTFReU5EQTRJRk41YzNSbGJYUmxjM1FnV0ZoSlNTQkRRVEVQTUEwR0ExVUVBd3dHUTFKTU1UZ3dNQjhHQTFVZEl3UVlNQmFBRkt1b0FVUVpzTE5EbWRyNmZNelNBQmdENXp5L01CMEdBMVVkRGdRV0JCVE1QZWE5QWZCeWJlUkZTVjdtVUtaZndXMEFkekFKQmdOVkhSTUVBakFBTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCQVFBUUIzL3d6amM4T2VsVk5MTHV1UGNRanJxN3p0VFdwb1ZCZnJNaGtheWMyeDQ2d2VOeDZQTWVObTNTdHZJYkcyeTIxb3RBTWhVK0hnanpmZ3NZTEpVMFBFTEdycnp2OHRDLytHMnNHbnJDSVgrNU1zUHg0eURpWlJBNFlrc2pLd0hGT0xHOWFwbVRvV1BHNVhzZTRjeHZzNFViSFd6V2lra3krcVl4RXVybjY1NkVseDVYNkF1S00rK1FHQi9KSXBDa0t0ZlhSSzduODFNV3dqT2JDMlI5TXI5VlZQd1VFNllna2pTZU1nTDFUNUd5MHNuaXp2THkxbmpnMHk5eHhwUTZLVWNHaU1pVFZJSzRlczdqSkxVQ0VIeURhSEFXbDBnQ0tQYk1pcjE5bExyK1Z3Ym5WellhdDVUaGRzNkJXT0I0aThHN2RwQ0QzK3Y5MGFKSVE1dDA8L1g1MDlDZXJ0aWZpY2F0ZT48L1g1MDlEYXRhPjwvS2V5SW5mbz48L1N1YmplY3RDb25maXJtYXRpb25EYXRhPjwvU3ViamVjdENvbmZpcm1hdGlvbj48L1N1YmplY3Q-PENvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDIxLTEyLTA4VDExOjQ4OjA4LjMyMloiIE5vdE9uT3JBZnRlcj0iMjAyMS0xMi0wOFQxOTo0ODowOC4zMjJaIj48QXVkaWVuY2VSZXN0cmljdGlvbj48QXVkaWVuY2U-aHR0cDovL2RlbW8ucHJvZC1zZXJ2aWNlcGxhdGZvcm1lbi5kay9zZXJ2aWNlL0RlbW9TZXJ2aWNlLzE8L0F1ZGllbmNlPjwvQXVkaWVuY2VSZXN0cmljdGlvbj48L0NvbmRpdGlvbnM-PEF0dHJpYnV0ZVN0YXRlbWVudD48QXR0cmlidXRlIE5hbWU9ImRrOmdvdjpzYW1sOmF0dHJpYnV0ZTpDdnJOdW1iZXJJZGVudGlmaWVyIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48QXR0cmlidXRlVmFsdWU-MjkxODk4NDY8L0F0dHJpYnV0ZVZhbHVlPjwvQXR0cmlidXRlPjxBdHRyaWJ1dGUgTmFtZT0iZGs6Z292OnNhbWw6YXR0cmlidXRlOkFzc3VyYW5jZUxldmVsIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48QXR0cmlidXRlVmFsdWU-MzwvQXR0cmlidXRlVmFsdWU-PC9BdHRyaWJ1dGU-PEF0dHJpYnV0ZSBOYW1lPSJkazpnb3Y6c2FtbDphdHRyaWJ1dGU6U3BlY1ZlciIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI-PEF0dHJpYnV0ZVZhbHVlPkRLLVNBTUwtMi4wPC9BdHRyaWJ1dGVWYWx1ZT48L0F0dHJpYnV0ZT48QXR0cmlidXRlIE5hbWU9ImRrOmdvdjpzYW1sOmF0dHJpYnV0ZTpLb21iaXRTcGVjVmVyIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OmJhc2ljIj48QXR0cmlidXRlVmFsdWU-MS4wPC9BdHRyaWJ1dGVWYWx1ZT48L0F0dHJpYnV0ZT48QXR0cmlidXRlIE5hbWU9ImRrOmdvdjpzYW1sOmF0dHJpYnV0ZTpQcml2aWxlZ2VzX2ludGVybWVkaWF0ZSIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDpiYXNpYyI-PEF0dHJpYnV0ZVZhbHVlPlBEOTRiV3dnZG1WeWMybHZiajBpTVM0d0lpQmxibU52WkdsdVp6MGlWVlJHTFRnaVB6NDhZbkJ3T2xCeWFYWnBiR1ZuWlV4cGMzUWdlRzFzYm5NNlluQndQU0pvZEhSd09pOHZhWFJ6ZEM1a2F5OXZhVzl6WVcxc0wySmhjMmxqWDNCeWFYWnBiR1ZuWlY5d2NtOW1hV3hsSWlCNGJXeHVjenA0YzJrOUltaDBkSEE2THk5M2QzY3Vkek11YjNKbkx6SXdNREV2V0UxTVUyTm9aVzFoTFdsdWMzUmhibU5sSWo0OFVISnBkbWxzWldkbFIzSnZkWEFnVTJOdmNHVTlJblZ5Ympwa2F6cG5iM1k2YzJGdGJEcGpkbkpPZFcxaVpYSkpaR1Z1ZEdsbWFXVnlPakk1TVRnNU9EUTJJajQ4VUhKcGRtbHNaV2RsUG1oMGRIQTZMeTl6WlhKMmFXTmxjR3hoZEdadmNtMWxiaTV3Y205a0xYTmxjblpwWTJWd2JHRjBabTl5YldWdUxtUnJMM0p2YkdWekwzTmxjblpwWTJWemVYTjBaVzF5YjJ4bEwyUjFiVzE1THpFOEwxQnlhWFpwYkdWblpUNDhMMUJ5YVhacGJHVm5aVWR5YjNWd1Bqd3ZZbkJ3T2xCeWFYWnBiR1ZuWlV4cGMzUSs8L0F0dHJpYnV0ZVZhbHVlPjwvQXR0cmlidXRlPjwvQXR0cmlidXRlU3RhdGVtZW50PjxBdXRoblN0YXRlbWVudCBBdXRobkluc3RhbnQ9IjIwMjEtMTItMDhUMTE6NDg6MDguMzIyWiI-PEF1dGhuQ29udGV4dD48QXV0aG5Db250ZXh0Q2xhc3NSZWY-dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6WDUwOTwvQXV0aG5Db250ZXh0Q2xhc3NSZWY-PC9BdXRobkNvbnRleHQ-PC9BdXRoblN0YXRlbWVudD48L0Fzc2VydGlvbj4

Response:

{
  "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJwNi16RFFwSXVyVGxJWGVWeUZwTlZ1cVpud1B2WUdiVzhxOHB1TkhLQ21jIn0.eyJleHAiOjE2Mzg4ODAxOTcsImlhdCI6MTYzODg3OTg5NywianRpIjoiNTU3NzA0OWQtNGViNS00ZjRjLWIyMTQtMDgwNjNlMWRkYTFlIiwiaXNzIjoiaHR0cHM6Ly9zYW1sLnRlc3QwMDEuZWhlYWx0aC5zdW5kaGVkLmRrL2F1dGgvcmVhbG1zL2VoZWFsdGgiLCJhdWQiOiJhY2NvdW50Iiwic3ViIjoiZmUzNmJkNGEtZjUwMC00MTEwLThhZGItYmU1ZDMxMjI2ZGY2IiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiZW9qIiwic2Vzc2lvbl9zdGF0ZSI6IjllMDU2N2UwLTk1ZWItNGIxOS05NjQxLTBmNjE4ZjFhNmViNiIsImFjciI6IjEiLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiIsImRlZmF1bHQtcm9sZXMtZWhlYWx0aCJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoicHJvZmlsZSBlbWFpbCIsInNpZCI6IjllMDU2N2UwLTk1ZWItNGIxOS05NjQxLTBmNjE4ZjFhNmViNiIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiYnBwIjoiPD94bWwgdmVyc2lvbj1cIjEuMFwiIGVuY29kaW5nPVwiVVRGLThcIj8-PGJwcDpQcml2aWxlZ2VMaXN0IHhtbG5zOmJwcD1cImh0dHA6Ly9pdHN0LmRrL29pb3NhbWwvYmFzaWNfcHJpdmlsZWdlX3Byb2ZpbGVcIiB4bWxuczp4c2k9XCJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZVwiPjxQcml2aWxlZ2VHcm91cCBTY29wZT1cInVybjpkazpnb3Y6c2FtbDpjdnJOdW1iZXJJZGVudGlmaWVyOjI5MTg5ODQ2XCI-PFByaXZpbGVnZT5odHRwOi8vc2VydmljZXBsYXRmb3JtZW4ucHJvZC1zZXJ2aWNlcGxhdGZvcm1lbi5kay9yb2xlcy9zZXJ2aWNlc3lzdGVtcm9sZS9kdW1teS8xPC9Qcml2aWxlZ2U-PC9Qcml2aWxlZ2VHcm91cD48L2JwcDpQcml2aWxlZ2VMaXN0PiIsInByZWZlcnJlZF91c2VybmFtZSI6InNlcmlhbG51bWJlcj1jdnI6MTk0MzUwNzUtZmlkOjM3NjcxNTMzICsgY249a29tYml0LXNwLXQtZGVtby1zZXJ2IChmdW5rdGlvbnNjZXJ0aWZpa2F0KSwgbz1rb21iaXQgYS9zIC8vIGN2cjoxOTQzNTA3NSwgYz1kayIsImN2ciI6IjI5MTg5ODQ2In0.Tov5xlwX9bS-bPPJ73g0P5Lq89H5xFx5_HD2K20b3B_Ij4EzSBSJuM6M1CXFJzmG_zxAS2qylT3K8Oq7RUnqJHUw1wJsjq6HQWdoCrLOQgVI-LVMM6ZSHXZF1kZwUalGZBOJMMeoII4bnE1ZQ7wMdzPuoGWiu9v523jlAJvxeM59K-UvNATlOUr4F1bCEMabo45XYXVLxXQ4Tkg8utEuEmUZwl5J2eJnbMBoc6iAa99m5CuSLlM0GT7_QSyq8CN8yCn9LWG4cxrdqgqL5Wf3kwVE1pS_sUqinR6rHPt5Y6mnAYFER2Gk5em4pBrochxZLApRRjsPGf-asLpoM5DA5A",
  "expires_in": 300,
  "refresh_expires_in": 1800,
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIyMGRlOTdiOC1jMGU3LTQ4MTktYWVhZi1iYjgxMmI2ZjI4NjIifQ.eyJleHAiOjE2Mzg4ODE2OTcsImlhdCI6MTYzODg3OTg5NywianRpIjoiZTRiZmU4YzQtNThjNy00MDBiLWI0MjYtOTM0MWE0ZjRlMDkwIiwiaXNzIjoiaHR0cHM6Ly9zYW1sLnRlc3QwMDEuZWhlYWx0aC5zdW5kaGVkLmRrL2F1dGgvcmVhbG1zL2VoZWFsdGgiLCJhdWQiOiJodHRwczovL3NhbWwudGVzdDAwMS5laGVhbHRoLnN1bmRoZWQuZGsvYXV0aC9yZWFsbXMvZWhlYWx0aCIsInN1YiI6ImZlMzZiZDRhLWY1MDAtNDExMC04YWRiLWJlNWQzMTIyNmRmNiIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJlb2oiLCJzZXNzaW9uX3N0YXRlIjoiOWUwNTY3ZTAtOTVlYi00YjE5LTk2NDEtMGY2MThmMWE2ZWI2Iiwic2NvcGUiOiJwcm9maWxlIGVtYWlsIiwic2lkIjoiOWUwNTY3ZTAtOTVlYi00YjE5LTk2NDEtMGY2MThmMWE2ZWI2In0.rysjXEeHUgxjrOI5bYyPB9A8l3N5yD_UoxzkQsPqGFc",
  "token_type": "Bearer",
  "not-before-policy": 0,
  "session_state": "9e0567e0-95eb-4b19-9641-0f618f1a6eb6",
  "scope": "profile email"
}

Requesting Access token with Refresh Token

Using a refresh token is like the initial token exchange request an HTTP POST request with content-type application/x-www-form-urlencoded

Body Parameters:

client_id: The id of the requesting client.
client_assertion_type: Always urn:ietf:params:oauth:client-assertion-type:jwt-bearer.
client_assertion: The JWS described in the previous section.
grant_type: Always refresh_token.
refresh_token: A valid refresh token acquired by a previous access token request.

NOTE: Remember that the JWS is single use.

Example:

POST: https://saml.test001.ehealth.sundhed.dk/auth/realms/ehealth/protocol/openid-connect/token
Headers: 
    Accept=application/x-www-form-urlencoded
    Content-Type=application/x-www-form-urlencoded
Body: 
    client_id=eoj
    client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
    client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCIgOiAicnFqZ0xJRHpWZzhDWXdmVFlwaDAwSjRZTHI2Y1hRVk83V1hLdHc3c1k2dyJ9.eyJleHAiOjE2Mzg4ODI2NzMsIm5iZiI6MTYzODg4MjY2MywiaWF0IjoxNjM4ODgyNjYzLCJqdGkiOiJmYzI0NTc3NC02N2M2LTRmYmYtOTk5YS02MTZmZTE3MDUxNjYiLCJpc3MiOiJlb2oiLCJhdWQiOiJodHRwczovL3NhbWwudGVzdDAwMS5laGVhbHRoLnN1bmRoZWQuZGsvYXV0aC9yZWFsbXMvZWhlYWx0aCIsInN1YiI6ImVvaiJ9.GUA34KZX1CONjJ9gXx2TAI1dq-vooYNOfUYB32AKK1GhFJeBUAhUiVaaGBzB5sk9DuBEyQQbT7yoOXbl2joStrj2QPYVtFO06XMlp5iqrb8eQdkWexMg3ZpLP7YV1HDGWrSEksV0liQpVs35OmhJDivkKuHf63n-fpqcKLHiGpkUrwrxycXHeG6Lv846fxrn3eiJVB_ywKNjgST8nPZr9uFpiATsX-Vrx5r6LtYyg6hN6AD8bJamOuJ2txem41DoVTgeAuqNaDZxradLc8GiaVmXdSuPM-_KH41bUwfOTA6jbMdgsJNo6lzYJdoxRub5ld-D33WaeRvtRFWBLElwHQ
    grant_type=refresh_token
    refresh_token=eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIyMGRlOTdiOC1jMGU3LTQ4MTktYWVhZi1iYjgxMmI2ZjI4NjIifQ.eyJleHAiOjE2Mzg4ODQ0NjMsImlhdCI6MTYzODg4MjY2MywianRpIjoiZTI2ZTk5NjEtZDE0My00MTA1LTkwY2MtN2UwNTMwODNmMmNjIiwiaXNzIjoiaHR0cHM6Ly9zYW1sLnRlc3QwMDEuZWhlYWx0aC5zdW5kaGVkLmRrL2F1dGgvcmVhbG1zL2VoZWFsdGgiLCJhdWQiOiJodHRwczovL3NhbWwudGVzdDAwMS5laGVhbHRoLnN1bmRoZWQuZGsvYXV0aC9yZWFsbXMvZWhlYWx0aCIsInN1YiI6ImZlMzZiZDRhLWY1MDAtNDExMC04YWRiLWJlNWQzMTIyNmRmNiIsInR5cCI6IlJlZnJlc2giLCJhenAiOiJlb2oiLCJzZXNzaW9uX3N0YXRlIjoiYzM0NzgxYzAtZThiZS00NGVjLWFlYjUtMjViYjVlMDRlOGRkIiwic2NvcGUiOiJwcm9maWxlIGVtYWlsIiwic2lkIjoiYzM0NzgxYzAtZThiZS00NGVjLWFlYjUtMjViYjVlMDRlOGRkIn0.O3pcwZvYU8WTPLsx1ODfRHzGYRenXd8dcixmK7f5dfs

SAML Assertion to JWT Exchange

JWT Client Authentication

Obtaining the kid from a Public key

Requesting Access token with Token Exchange

Requesting Access token with Refresh Token

Obtaining the `kid` from a Public key