Cis2 - not receiving Id Token from the token endpoint

Hi,
I have recently taken over work for our Cis2 authentication implementation and it seems that our request to receive the Id token is only returning an access token.
I’m making the call to https://int.api.service.nhs.uk/oauth-mock/token using the client secret and prior to this I authenticate using User UID 656005750108 on the Cis2 Mock Int log in screen. I’m returned a 200 ok response from the token request that only contains the access token.

Please advise whether this might be a config issue (if it is what might be missing) or if I’m using the wrong URI.

Hi, the URL you have is the API-M mock CIS2 endpoint. Is this what you are expecting to use? That endpoint may not return an id_token.

I think I was hoping to have a full run through of CIS2 using the mock endpoints but was struggling due to not being able to get an Id token, it might be that I was using the wrong endpoint.
I’ve now swapped to using “https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/authorize”, just waiting on smart cards/Windows Hello to get past this first connection.

Hello! I’ve got Windows Hello set up now but I’m still facing some issues. Firstly, for the initial connection after authenticating using Windows Hello, is the “code” returned the auth code that I use in acquiring the ID token? I’m given:
{code, xxxx}
{iss, yyyy}
{state, zzzz}
{client_id, iiii}

Secondly, on the token request I’m getting the error “Invalid client or Invalid client credentials”. I’m unsure if this may be due to using the wrong client id, auth code, secret or URL. Is there any way that we could start a private chat to discuss this in more detail?

Authentication connection to -
https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare/authorize

Id token request to -
https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-int/protocol/openid-connect/token

I think this error may be due to creating the client assertion wrong. For the call to the token endpoint, https://digital.nhs.uk/services/care-identity-service/applications-and-services/cis2-authentication/guidance-for-developers/detailed-guidance/authorization-code-flow#userinfo-request states "The authentication token must be sent as the value of the client_assertion parameter." For this step I don’t use the private key, iss etc. to create the client assertion, I am supposed to just send the auth token as the client assertion?

I’m now under the assumption that the URI I’m calling for the token endpoint may be incorrect, as I’ve tried with both private key JWT (which looks correctly formed) and with client secret, and both are getting the same invalid client credentials error.

Hi @sgroom, you appear to be mixing the real INT environment and the mock CIS2 Auth endpoints. You would need to make the id_token request to the same service as the initial auth was made. Please reach out to the onboarding team and they can either offer guidance or reach out to myself or the technical team if you have any further questions.

Yeah it was an issue with URLs, config for the different environments was found here.
https://digital.nhs.uk/services/care-identity-service/applications-and-services/cis2-authentication/guidance-for-developers/detailed-guidance/discovery
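
The mismatch diagnosed in this thread (authorize on the INT service, token request on the mock) can be caught in client configuration before any request is sent. The following is an added example, not part of the thread or of NHS guidance: it compares the configured endpoints with a single issuer's discovery document and checks the `iss` value returned alongside `code`. The two URLs are the ones quoted above; the discovery document values and all function names are constructed assumptions.

```python
# Added example: checks that /authorize and /token belong to one OIDC issuer.
from urllib.parse import urlsplit

AUTHORIZE_URL = ("https://am.nhsint.auth-ptl.cis2.spineservices.nhs.uk:443/openam/oauth2"
                 "/realms/root/realms/NHSIdentity/realms/Healthcare/authorize")
MOCK_TOKEN_URL = ("https://identity.ptl.api.platform.nhs.uk/realms/Cis2-mock-int"
                  "/protocol/openid-connect/token")

# Constructed discovery document: in practice, fetch it from the provider's
# /.well-known/openid-configuration. The issuer and token_endpoint values
# below are assumptions for illustration, not copied from the real document.
_BASE = AUTHORIZE_URL.rsplit("/", 1)[0]
SAMPLE_DISCOVERY = {
    "issuer": _BASE,
    "authorization_endpoint": AUTHORIZE_URL,
    "token_endpoint": _BASE + "/access_token",
}

def _origin(url):
    """Return (scheme, host, port) with default ports filled in."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)

def _same_endpoint(a, b):
    """True when two URLs share origin and path (an explicit :443 is ignored)."""
    return _origin(a) == _origin(b) and urlsplit(a).path == urlsplit(b).path

def check_client_config(discovery, authorize_url, token_url, returned_iss=None):
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    if not _same_endpoint(authorize_url, discovery["authorization_endpoint"]):
        problems.append("authorize URL is not this issuer's authorization_endpoint")
    if not _same_endpoint(token_url, discovery["token_endpoint"]):
        problems.append("token URL is not this issuer's token_endpoint")
    # RFC 9207: the iss value in the authorization response must equal the issuer.
    if returned_iss is not None and returned_iss != discovery["issuer"]:
        problems.append("iss in the authorization response does not match issuer")
    return problems

if __name__ == "__main__":
    for problem in check_client_config(SAMPLE_DISCOVERY, AUTHORIZE_URL, MOCK_TOKEN_URL):
        print("MISMATCH:", problem)
```

An authorization code is only redeemable at the token endpoint of the service that issued it, so a non-empty result here predicts the "invalid client" style failures described above.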