Hi all,
I am integrating NHS CIS2 Authentication (Separate Authentication & Authorisation) into a backend ASP.NET Core API for accessing PDS in the Integration (INT) environment, and I’d appreciate some guidance to confirm the correct OIDC Authority and discovery configuration.
What I am trying to do
- Use ASP.NET Core OpenIdConnect middleware
- Authenticate healthcare workers via CIS2 (smartcard)
- Exchange the CIS2 ID token for an OAuth access token (private_key_jwt)
- Call PDS using user‑restricted access
CIS2 client setup
- Client registered via Connection Manager (INT)
- Authentication method: private_key_jwt
- JWKS: NHS‑hosted JWKS URL provided during onboarding
- Client ID generated successfully and configured in the app
Issue I’m seeing
When the application starts or when a [Authorize] endpoint is accessed, ASP.NET Core fails during OIDC discovery with:
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk/.well-known/openid-configuration'.
What I’ve discovered so far
From the CIS2 Discovery documentation (“Integrate → Design and build → Discovery”), the Integration (INT) discovery endpoint for the Healthcare realm is:
https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/.well-known/openid-configuration
This endpoint does return valid OIDC metadata when accessed directly in a browser.
However, when configuring OIDC like this:
C#
options.Authority = "https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk";
ASP.NET Core automatically appends /.well-known/openid-configuration to the root and tries to fetch metadata from:
https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk/.well-known/openid-configuration
which does not exist.
I’m fairly new to OAuth and OpenID Connect; any help/guidance is much appreciated.
Many thanks,
Prince
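The configuration the post is circling around, as an added example that is not the poster's code nor anything published by NHS England: a minimal .NET 8 Program.cs (assumed minimal-hosting project with the Microsoft.AspNetCore.Authentication.OpenIdConnect package) showing that the OpenIdConnect handler derives the metadata URL by appending /.well-known/openid-configuration to Authority, so Authority has to be the realm base from the discovery URL quoted above rather than the bare host, or MetadataAddress has to name the discovery document explicitly. It also performs a startup fetch of the discovery document with the same ConfigurationManager the handler uses, so a misconfiguration fails immediately with the real reason instead of surfacing as IDX20803 on the first [Authorize] request. The configuration key `Cis2:ClientId` and the assumption that the discovery document's `issuer` equals the realm base are the example's own; the check at the bottom exists precisely to confirm that assumption against the live document.

```csharp
// Added example: minimal ASP.NET Core (.NET 8 minimal hosting) Program.cs, not the poster's code.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

// Realm base = the CIS2 INT discovery URL from the post with "/.well-known/openid-configuration" removed.
// Assumption: the discovery document's "issuer" equals this value. The handler rejects ID tokens whose
// "iss" claim differs from the discovered issuer, so the startup check below verifies it.
const string Cis2IntAuthority =
    "https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare";
const string Cis2IntDiscovery = Cis2IntAuthority + "/.well-known/openid-configuration";

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        // The handler builds the metadata URL as Authority + "/.well-known/openid-configuration".
        // Setting Authority to the bare host yields the non-existent URL in the IDX20803 message;
        // the realm base yields the documented discovery endpoint.
        options.Authority = Cis2IntAuthority;

        // Explicit alternative: name the discovery document directly. When both are set the
        // handler fetches MetadataAddress; Authority is then informational.
        options.MetadataAddress = Cis2IntDiscovery;

        options.ClientId = builder.Configuration["Cis2:ClientId"]!; // assumed configuration key
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.RequireHttpsMetadata = true; // never accept discovery metadata over plain HTTP
        options.SaveTokens = true;           // keep the ID token for the later NHS token exchange
    });

var app = builder.Build();

// Startup sanity check with the same retriever the handler uses: fail fast, with a message that
// names the URL and issuer involved, instead of on the first [Authorize] request.
var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(
    Cis2IntDiscovery, new OpenIdConnectConfigurationRetriever());
var discovered = await configManager.GetConfigurationAsync(CancellationToken.None);
if (!string.Equals(discovered.Issuer, Cis2IntAuthority, StringComparison.Ordinal))
{
    // If this fires, set Authority to the discovered issuer value (and keep MetadataAddress as is).
    throw new InvalidOperationException(
        $"Discovered issuer '{discovered.Issuer}' does not match configured Authority '{Cis2IntAuthority}'.");
}
app.Logger.LogInformation(
    "CIS2 discovery OK: token endpoint {Endpoint}, {KeyCount} signing keys",
    discovered.TokenEndpoint, discovered.SigningKeys.Count);

app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/me", (HttpContext ctx) => ctx.User.Identity?.Name ?? "anonymous").RequireAuthorization();
app.Run();
```

The two settings are not redundant in practice: Authority documents which issuer the application trusts, while MetadataAddress removes any guesswork about how the handler composes the discovery URL. Keeping RequireHttpsMetadata at its secure default matters because the discovery document carries the JWKS URI the handler will use to validate every ID token.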