Hi,
We are attempting to do a token exchange between CIS2 and ERS, and as part of the process are submitting a subject_token to e-RS which is the id_token from CIS2. When we submit this, we get the following response:
Missing or non-matching ‘iss’ claim in subject_token JWT.
This is occurring in the DEP environment. We are not manipulating the subject token in any sense before submitting it to ERS. We have also contacted NHS e-RS Partners, and they have directed us here. Please let me know if you want any additional detail.
Ankur
Hi John,
We have already hit the /access_token endpoint under am.nhsdep.auth-ptl.cis2.spineservices.nhs.uk. This returns us an access_token and an id_token (This is step 5 of the CIS2 separate authentication and authorisation process). We have created a client_assertion (step 6), and are stuck with exchanging a token for ERS. As per step 7, we submit the subject_token (ID token from step 5) to the dep.api.service.nhs.uk/oauth2/token endpoint. This is the request which is returning: Missing or non-matching ‘iss’ claim in subject_token JWT.
Thanks for the extra info, have you configured a client on the API-M side - if you have successfully obtained a set of CIS2 tokens, then you may have to reach out to the API team - I cannot see their logs to see why they are rejecting the client_id - in the PTL environments, you would need to configure the client in the developer portal as per the instructions above
Hi Ankur, Can you please let us know if the issue has been resolved.