Hi,
We are attempting to do a token exchange between CIS2 and ERS, and as part of the process are submitting a subject_token to e-RS which is the id_token from CIS2. When we submit this, we get the following response:
Missing or non-matching ‘iss’ claim in subject_token JWT.
This is occurring in the DEP environment. We are not manipulating the subject token in any sense before submitting it to ERS. We have also contacted NHS e-RS Partners, and they have directed us here. Please let me know if you want any additional detail.
Ankur
Hi John,
We have already hit the /access_token endpoint under am.nhsdep.auth-ptl.cis2.spineservices.nhs.uk. This returns us an access_token and an id_token (this is step 5 of the CIS2 separate authentication and authorisation process). We have created a client_assertion (step 6), and are stuck with exchanging a token for ERS. As per step 7, we submit the subject_token (the ID token from step 5) to the dep.api.service.nhs.uk/oauth2/token endpoint. This is the request which is returning: Missing or non-matching ‘iss’ claim in subject_token JWT.
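An added diagnostic for the error quoted above (example code, not from the original post or from NHS): decode the CIS2 id_token without verifying it, compare its iss claim byte-for-byte against the issuer the exchange endpoint expects, and assemble the RFC 8693 token-exchange form body. The host in EXPECTED_ISS is taken from the thread; the realm path after it is an assumption and must be replaced with the "issuer" value from the CIS2 realm's /.well-known/openid-configuration. The parameter names are the standard RFC 8693 / RFC 7523 ones; confirm them against the e-RS token-exchange documentation. The id_token, signing key and claim values are constructed here so the script runs offline; no request is sent.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Host taken from the thread; the realm path is an ASSUMPTION for illustration.
# Replace the whole value with the "issuer" from the realm's OpenID configuration.
EXPECTED_ISS = (
    "https://am.nhsdep.auth-ptl.cis2.spineservices.nhs.uk:443"
    "/openam/oauth2/realms/root/realms/NHSIdentity/realms/Healthcare"
)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> tuple:
    """Split a compact JWS into (header, claims) WITHOUT checking the signature.
    Inspection only: never make an authorisation decision on these claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def check_subject_token(token: str, expected_iss: str, now=None) -> list:
    """Return the problems an exchange endpoint would plausibly reject the token for.
    The iss comparison is exact: scheme, port and trailing slash all matter."""
    now = time.time() if now is None else now
    problems = []
    _, claims = decode_jwt_unverified(token)
    iss = claims.get("iss")
    if iss is None:
        problems.append("no 'iss' claim in subject_token")
    elif iss != expected_iss:
        problems.append(f"'iss' is {iss!r} but the exchange expects {expected_iss!r}")
    if "sub" not in claims:
        problems.append("no 'sub' claim in subject_token")
    exp = claims.get("exp")
    if exp is None:
        problems.append("no 'exp' claim in subject_token")
    elif exp <= now:
        problems.append("subject_token has expired")
    return problems


def build_exchange_form(subject_token: str, client_assertion: str) -> str:
    """Body for POST /oauth2/token using the standard RFC 8693 / RFC 7523 parameters."""
    return urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
        "subject_token": subject_token,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": client_assertion,
    })


def make_demo_token(claims: dict, key: bytes = b"constructed-demo-key") -> str:
    """CONSTRUCTED HS256 id_token stand-in so the check can run offline.
    A real CIS2 id_token is RS256-signed by the realm; the structure is the same."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


if __name__ == "__main__":
    far_future = 4102444800  # 2100-01-01, keeps the demo token unexpired
    good = make_demo_token({"iss": EXPECTED_ISS, "sub": "constructed-uid",
                            "aud": "constructed-client-id", "exp": far_future})
    # Same token with the port dropped from iss: the common near-miss that fails an exact match.
    bad = make_demo_token({"iss": EXPECTED_ISS.replace(":443", ""), "sub": "constructed-uid",
                           "aud": "constructed-client-id", "exp": far_future})
    for label, tok in (("good", good), ("bad", bad)):
        print(label, check_subject_token(tok, EXPECTED_ISS) or "ok")
    print(build_exchange_form(good, "constructed.client.assertion")[:80] + "...")
```

Run it against the real id_token by passing the raw string from the CIS2 /access_token response to check_subject_token; if the iss it prints differs from the endpoint's configured issuer in any character (port, realm path, trailing slash), that is the mismatch the error message is reporting.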
Thanks for the extra info. Have you configured a client on the API-M side? If you have successfully obtained a set of CIS2 tokens, then you may have to reach out to the API team; I cannot see their logs to see why they are rejecting the client_id. In the PTL environments, you would need to configure the client in the developer portal as per the instructions above.