Combined vs Separate

I am reading through the documentation on both the Combined Auth and Separate Auth options. I understand there is an onboarding requirement for separate, but I am also finding a few differences that the documentation doesn’t explain, so hoping someone can correct me or agree. Are my assumptions below correct?

Combined:

  1. Does NOT support passing the scopes parameter and therefore does not populate claims
  2. Does NOT support passing the prompt parameter
  3. Does provide refresh tokens

Separate:

  1. Does NOT provide refresh tokens

Any assistance would be greatly appreciated as we have clients wanting to consume both methods.

Separate supports everything including refresh tokens and is the preferred option as you get full control over the auth journey now and in the future.

Note that the CIS2 Auth refresh token isn’t currently used in 99% of scenarios as you only use the access token at the point of login for the userinfo endpoint - this may change as we look at session management and SSO.

Combined auth proxies the CIS2 Auth requests on your behalf; it returns the API-M access & refresh tokens (not CIS2 Auth ones). In the separate auth flow you would need to do token exchange with the CIS2 ID token to obtain the API-M tokens.

For separate auth, https://digital.nhs.uk/services/care-identity-service/applications-and-services/cis2-authentication/integrate/design-and-build/sign-in-journey#token-request mentions the inclusion of the refresh token.

For combined auth, we do have a backlog item to add scopes and prompt but I can’t confirm when (or whether) it will be delivered.

Hi John, I am using .Net OAuth for Combined and OpenIdConnect for Separate (as per the tutorials). I have everything working except I am not getting a refresh token for the Separate OpenIdConnect version. Any ideas?

Hi All, Ignore me. Turns out I don’t know how to read. :grinning_face:

I am missing the entire step “Exchange the ID token for an access token”. I’ll implement that now and leave you all alone.
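The step that was missed above, "Exchange the ID token for an access token", as an added illustration that is not code from the thread or from NHS Digital: it builds an RFC 8693 token-exchange request that trades the CIS2 ID token for the API-M tokens, then validates the token response so a missing refresh token is caught immediately rather than noticed later. The endpoint URL, the client assertion value and the sample response are placeholders or constructed values, and the use of a private_key_jwt client assertion is an assumption.

```python
import json
import time
from typing import Optional
from urllib.parse import urlencode

# Placeholder endpoint (assumption): take the real one from the API-M docs.
TOKEN_ENDPOINT = "https://api-m.example.invalid/oauth2/token"

# Standard RFC 8693 / RFC 7523 parameter values, not API-M specific.
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ID_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:id_token"
JWT_BEARER_ASSERTION = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def build_token_exchange_body(cis2_id_token: str, client_assertion: str) -> str:
    """Form-encoded body for the token exchange; the ID token is the subject token."""
    if cis2_id_token.count(".") != 2:
        raise ValueError("subject_token must be a compact-serialised JWT")
    return urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token_type": ID_TOKEN_TYPE,
        "subject_token": cis2_id_token,
        # Assumed: the client authenticates with a signed JWT (private_key_jwt).
        "client_assertion_type": JWT_BEARER_ASSERTION,
        "client_assertion": client_assertion,
    })


def parse_token_response(raw: str, now: Optional[float] = None) -> dict:
    """Keep only what the client needs and reject responses without both tokens."""
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError(f"token exchange failed: {data['error']}")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise RuntimeError("unexpected token_type in token response")
    access, refresh = data.get("access_token"), data.get("refresh_token")
    if not access or not refresh:
        raise RuntimeError("token response is missing access_token or refresh_token")
    # Store the absolute expiry so the caller can refresh before the token lapses.
    expires_at = (now if now is not None else time.time()) + int(data.get("expires_in", 0))
    return {"access_token": access, "refresh_token": refresh, "expires_at": expires_at}


# Constructed sample response (not real tokens) for offline use.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "sample-access-token", "refresh_token": "sample-refresh-token",
    "token_type": "Bearer", "expires_in": 599,
})
```

The refresh token and access token should be held server-side, never returned to the browser, as the refresh token is the long-lived credential here.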