CIS2 Mock INT: mock-jwks returning generic pytest-nhsd-apim client instead of app-specific credentials

I am setting up my Integration Testing app for CIS2 Healthcare Worker authentication.

  • App name: mos-nhs-cis2

  • App ID: f5462fa6-50d2-40c3-ac80-053dae5da2c5

  • API Key: lmzYMGw1ElsGkhcS73hU6EgCXzlllglR

  • Enabled APIs:

    • Personal Demographics Service – Healthcare Worker (Integration Testing) ✅

    • Healthcare Worker API – Application Restricted (Integration) ✅

    • mock-jwks (Integration) ✅

When I call the mock-jwks endpoint:
curl -H "apikey: lmzYMGw1ElsGkhcS73hU6EgCXzlllglR" \
  https://int.api.service.nhs.uk/mock-jwks/keycloak-client-credentials

the response always contains the generic client
"cis2": {
  "client_id": "pytest-nhsd-apim",
  "client_secret": "…",
  "redirect_uri": "https://example.org"
}

How could I pair my app mos-nhs-cis2 with the CIS2 Mock IdP?

POST https://int.api.service.nhs.uk/oauth2-mock/token
grant_type:urn:ietf:params:oauth:grant-type:token-exchange
subject_token_type:urn:ietf:params:oauth:token-type:id_token
subject_token:eyJhbGc…
client_assertion_type:urn:ietf:params:oauth:client-assertion-type:jwt-bearer
client_assertion:eyJhbGc…

I am getting something like this:
{
  "error": "invalid_request",
  "error_description": "Missing or non-matching 'iss' claim in subject_token JWT",
  "message_id": "rrt-8746887105373597003-a-geu2-3829065-104644720-1"
}

That is why I need to use my app_id and my app-related details where the client_id is not found.

Thank you.

Hi, you can request that a specific client is created with a custom redirect URL by emailing the support team; the link is provided in the developer documentation for the Mock CIS2 Auth.

Secondly, are you mixing the CIS2 Auth and API-M token endpoints? You need to obtain a CIS2 Auth ID token (mock or real) in order to exchange it for API-M access tokens.

Hi John, thanks for the response.

I've followed:

Using the CIS2 Auth /token endpoint to exchange the code for tokens (including the id_token).

Then using the API-M /oauth2/token endpoint to exchange that id_token (as subject_token) along with my client_assertion.

The issue seems to be that my id_token always has: "aud": "pytest-nhsd-apim"

When I check the signature of my client_assertion and the one I took from the id_token, the aud claims mismatch.
Mine, the client_assertion:
{
  "iss": "lmzYMGw1ElsGkhcS73hU6EgCXzlllglR",
  "sub": "lmzYMGw1ElsGkhcS73hU6EgCXzlllglR",
  "aud": "https://int.api.service.nhs.uk/oauth2/token",
  "jti": "8835916d-5f2a-4e31-8876-9a7e75c07dca",
  "iat": 1758136811,
  "exp": 1758137111
}

while the id_token:
{
  "exp": 1758140084,
  "iat": 1758136484,
  "auth_time": 1758136460,
  "jti": "6f144814-2e14-40f0-a1ce-e8de955e58b8",
  "iss": "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-int",
  "aud": "pytest-nhsd-apim",
  "sub": "7f3ff991-d337-437c-b150-e1047115011f",
  "typ": "ID",
  "azp": "pytest-nhsd-apim",
  "nonce": "3454554",
  "session_state": "ea20e66a-20a1-4d4c-b084-3cfc151dcb5c",
  "at_hash": "gV4LpIH4fO8GycGKyj4k8w",
  "acr": "AAL3_ANY",
  "sid": "ea20e66a-20a1-4d4c-b084-3cfc151dcb5c",
  "id_assurance_level": "3",
  "email_verified": true,
  "auditTrackingId": "91f694e6-3749-42fd-90b0-DONOTCHANGE-1546391",
  "amr": [
    "N3_SMARTCARD"
  ],
  "name": "Test User",
  "authentication_assurance_level": "3",
  "preferred_username": "aal3",
  "given_name": "Test",
  "family_name": "User"
}

Could you please confirm the correct email address for raising that request? I've seen references to nhscareidentityauthentication@nhs.net and also ssd.nationalservicedesk@nhs.net; is one of those the right contact for CIS2 Mock client setup?

Many thanks,
Shariq
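The thread above shows two JWTs travelling in one token-exchange request (the client_assertion the app signs, and the mock CIS2 id_token used as subject_token) and a mismatch diagnosed by eye from their decoded claims. Below is an added example, written for this page and not code from the thread or from NHS API-M, that decodes both tokens without verifying signatures and reports the claim problems a practitioner would check before posting the request: iss/sub of the assertion equal to the API key, aud equal to the token endpoint, a jti, a short exp, and an id_token whose iss is an expected mock CIS2 issuer and whose aud names the client the app expects. The token endpoint, issuer set, 300-second lifetime limit, placeholder API key and "my-app-specific-client" client_id are assumptions for the example; the sample tokens are constructed inline (mirroring the claims posted above) and carry a placeholder signature, whereas real assertions must be signed with the app's private key.

```python
import base64
import json

# Assumed constants (editor's example, not from the thread): the API-M token endpoint
# a client_assertion must be audienced to, the mock CIS2 issuer(s) accepted for the
# subject_token, and the maximum assertion lifetime the check tolerates.
APIM_TOKEN_ENDPOINT = "https://int.api.service.nhs.uk/oauth2/token"
MOCK_CIS2_ISSUERS = {"https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-int"}
MAX_ASSERTION_LIFETIME = 300  # seconds


def _b64url_decode(segment: str) -> bytes:
    # Compact JWS segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_unverified(token: str) -> tuple[dict, dict]:
    """Return (header, payload) of a compact JWS. The signature is NOT checked;
    this is only for diagnosing claim mismatches before sending the request."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_client_assertion(claims: dict, api_key: str, now: float,
                           token_endpoint: str = APIM_TOKEN_ENDPOINT) -> list[str]:
    """Report claims that would make the token endpoint reject the client_assertion."""
    problems = []
    for name in ("iss", "sub"):
        if claims.get(name) != api_key:
            problems.append(f"{name} should be the app's API key, got {claims.get(name)!r}")
    if claims.get("aud") != token_endpoint:
        problems.append(f"aud should be {token_endpoint}, got {claims.get('aud')!r}")
    if not claims.get("jti"):
        problems.append("jti (unique ID) is missing")
    exp, iat = claims.get("exp"), claims.get("iat")
    if exp is None or exp <= now:
        problems.append("exp is missing or already in the past")
    elif iat is not None and exp - iat > MAX_ASSERTION_LIFETIME:
        problems.append(f"exp - iat exceeds {MAX_ASSERTION_LIFETIME}s")
    return problems


def check_subject_token(claims: dict, expected_client_id: str, now: float,
                        issuers: set[str] = MOCK_CIS2_ISSUERS) -> list[str]:
    """Report why an id_token may not be usable as the subject_token."""
    problems = []
    if claims.get("iss") not in issuers:
        problems.append(f"iss {claims.get('iss')!r} is not an expected CIS2 issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_client_id not in aud_list:
        problems.append(f"aud {aud_list!r} does not name the client this app expects "
                        f"({expected_client_id!r})")
    if claims.get("exp", 0) <= now:
        problems.append("id_token has expired")
    return problems


def make_unsigned_jwt(payload: dict) -> str:
    """Build a compact JWS with a placeholder signature, ONLY to create constructed
    sample input for this example. Real assertions must be signed with the app's key."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()), "sig"])


# Constructed sample input mirroring the thread: a 5-minute assertion for a
# placeholder API key, and an id_token audienced to the shared mock client.
NOW = 1758136900  # fixed clock so the example is deterministic
PLACEHOLDER_API_KEY = "REPLACE_WITH_APP_API_KEY"
EXPECTED_CLIENT_ID = "my-app-specific-client"  # hypothetical app-specific mock client
SAMPLE_ASSERTION = make_unsigned_jwt({
    "iss": PLACEHOLDER_API_KEY, "sub": PLACEHOLDER_API_KEY, "aud": APIM_TOKEN_ENDPOINT,
    "jti": "8835916d-5f2a-4e31-8876-9a7e75c07dca", "iat": 1758136811, "exp": 1758137111})
SAMPLE_ID_TOKEN = make_unsigned_jwt({
    "iss": "https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-int",
    "aud": "pytest-nhsd-apim", "azp": "pytest-nhsd-apim",
    "sub": "7f3ff991-d337-437c-b150-e1047115011f", "iat": 1758136484, "exp": 1758140084})


def diagnose(assertion: str, id_token: str, api_key: str,
             expected_client_id: str, now: float) -> dict:
    """Decode both tokens and return the problems found in each."""
    _, assertion_claims = decode_unverified(assertion)
    _, subject_claims = decode_unverified(id_token)
    return {"client_assertion": check_client_assertion(assertion_claims, api_key, now),
            "subject_token": check_subject_token(subject_claims, expected_client_id, now)}


if __name__ == "__main__":
    report = diagnose(SAMPLE_ASSERTION, SAMPLE_ID_TOKEN, PLACEHOLDER_API_KEY, EXPECTED_CLIENT_ID, NOW)
    print(json.dumps(report, indent=2))
```

Run against the constructed tokens, the assertion passes every check while the subject_token is flagged only for its aud being the shared pytest-nhsd-apim client rather than the app-specific one, which is the situation the thread describes. The checks are claim-level only; they do not replace signature verification against the issuer's JWKS, and they do not tell you which token endpoint or client the service expects, which is what the support request in the thread is about.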