APIM - Authorisation Server API

Is this available as an API by itself?

Many APIM APIs follow https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation

I’m working on a regional system (NHS England North West GMSA) which will involve many enterprise service buses (ESBs) (more commonly known within the region as Trust Integration Engines (TIEs)) communicating with each other.

We intend to support the same security and authorisation mechanism (but for application restricted only, as all the ESB/TIE.

Longer term we plan to add a NHS England APIM API to our system (which to us will be another ESB/TIE). So it makes some sense to use the same authorisation server as this service would use.

Kevin,

There are currently no plans (as such) to allow APIM access tokens to be used by other resource servers. There are clear benefits, but the key reasons why there are not at this point in time:

  • Third parties need to manage their own authorisation
  • There isn’t a clear national proposal on how to manage this
  • If we were to put a system in place, we would want to use OAuth token exchange (RFC 8693), which has two benefits:
    • The third party implements their own OAuth server
    • Helps reinforce the responsibilities split for authorisation
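The reply above proposes RFC 8693 token exchange, with the third party running its own OAuth server. The following is an added example, written for this page and not code from the forum, NHS England or any APIM project, of what that split looks like at the regional (TIE) token endpoint: the caller presents an APIM-issued access token as `subject_token`, the TIE server validates it against the upstream issuer, then issues its own token under its own key and its own scope policy. Every issuer URL, key, client id, scope and audience below is constructed for the example; HS256 with shared secrets is used only so the block runs offline (a real deployment would verify the upstream token against a published JWKS).

```python
import base64
import hashlib
import hmac
import json
import time

# All identifiers below are constructed for this example; none are real NHS
# England APIM or regional endpoints, keys or client ids.
APIM_ISSUER = "https://apim.example/oauth2"     # assumed upstream (APIM) issuer
APIM_KEY = b"apim-demo-signing-key"             # constructed shared secret
LOCAL_ISSUER = "https://tie.example/oauth2"     # assumed regional TIE authorisation server
LOCAL_KEY = b"tie-demo-signing-key"             # constructed, held only by the TIE server
LOCAL_AUDIENCE = "tie-fhir-gateway"             # assumed local resource server
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
# Local policy: which scopes each upstream client may receive here. This is
# the TIE server's own decision, which is the "responsibilities split" in the reply.
LOCAL_POLICY = {"app-123": {"patient.read", "document.read"}}
LIFETIME = 300


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact HS256 JWT. Symmetric signing keeps the example self-contained."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def verify_jwt(token: str, key: bytes, issuer: str, now: float) -> dict:
    """Check structure, algorithm, signature, issuer and expiry; raise ValueError otherwise."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # refuse alg=none and key confusion
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return claims


def _error(code: str) -> dict:
    return {"error": code}


def token_exchange(form: dict, now: float) -> dict:
    """RFC 8693 handler for the TIE server's token endpoint: the APIM access
    token comes in as subject_token, a TIE-issued token goes out."""
    if form.get("grant_type") != TOKEN_EXCHANGE:
        return _error("unsupported_grant_type")
    if form.get("subject_token_type") != ACCESS_TOKEN_TYPE:
        return _error("invalid_request")
    try:
        subject = verify_jwt(form.get("subject_token", ""), APIM_KEY, APIM_ISSUER, now)
    except ValueError:
        return _error("invalid_grant")
    client_id = subject.get("sub")
    allowed = LOCAL_POLICY.get(client_id)
    if allowed is None:
        return _error("invalid_grant")   # upstream token is valid, but not a client we know
    requested = set(form.get("scope", "").split()) or allowed
    if not requested <= allowed:
        return _error("invalid_scope")   # never widen beyond local policy
    claims = {
        "iss": LOCAL_ISSUER,
        "aud": LOCAL_AUDIENCE,
        "sub": client_id,
        "client_id": client_id,          # claim defined in RFC 8693 section 4.3
        "scope": " ".join(sorted(requested)),
        "iat": int(now),
        "exp": int(now) + LIFETIME,
    }
    return {
        "access_token": sign_jwt(claims, LOCAL_KEY),
        "issued_token_type": ACCESS_TOKEN_TYPE,
        "token_type": "Bearer",
        "expires_in": LIFETIME,
        "scope": claims["scope"],
    }


def make_apim_token(client_id: str, now: float, lifetime: int = 600) -> str:
    """Constructed stand-in for an APIM-issued application-restricted token."""
    return sign_jwt({"iss": APIM_ISSUER, "sub": client_id, "aud": "apim",
                     "iat": int(now), "exp": int(now) + lifetime}, APIM_KEY)


if __name__ == "__main__":
    now = time.time()
    print(json.dumps(token_exchange({
        "grant_type": TOKEN_EXCHANGE,
        "subject_token_type": ACCESS_TOKEN_TYPE,
        "subject_token": make_apim_token("app-123", now),
        "scope": "patient.read",
    }, now), indent=2))
```

The point of the shape is that the APIM token never reaches the TIE resource servers: they only ever see tokens signed with the TIE server's own key, carrying the TIE server's own audience and scopes, so the upstream authorisation server's policy and the regional one stay separate.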

many thanks for your prompt reply