Exchange CIS2 Auth ID Token for Access Token - User-restricted RESTful APIs - CIS2 separate authentication and authorisation

Paul_C · 2 July 2025 16:21

Hi,

Following documentation from here: https://digital.nhs.uk/developer/guides-and-documentation/security-and-authorisation/user-restricted-restful-apis-cis2-separate-authentication-and-authorisation

I am not able to successfully generate an access token with refresh token properties from https://int.api.service.nhs.uk/oauth2/token when I use the following request example:
{ “client_assertion”, clientAssertion },
{ “client_assertion_type”, “urn:ietf:params:oauth:client-assertion-type:jwt-bearer” },
{ “grant_type”, “urn:ietf:params:oauth:grant-type:token-exchange” },
{ “subject_token”, idToken },
{ “subject_token_type”, “urn:ietf:params:oauth:token-type:id_token” }

clientAssertion = “eyJhbGciOiJSUzUxMiIsImtpZCI6IkNPQldFQi1CRC1DSVMyLUlOVCIsInR5cCI6IkpXVCJ9.eyJqdGkiOiJjNjVmMGVkNC04MzFkLTRmZTAtYjRjYS1hZmI4NjJkY2RlMDEiLCJzdWIiOiIxRGY0VlJoT1dKbmlDNUFnMXREWjBHRzBJelJwdHB2eCIsIm5iZiI6MTc1MTQ3MjI4MCwiZXhwIjoxNzUxNDcyMzQwLCJpc3MiOiIxRGY0VlJoT1dKbmlDNUFnMXREWjBHRzBJelJwdHB2eCIsImF1ZCI6Imh0dHBzOi8vaW50LmFwaS5zZXJ2aWNlLm5ocy51ay9vYXV0aDIvdG9rZW4ifQ.s3vBX9zz_3kowk4Ku7mS8GsK6_5_EwiGj84ARsqYuJBJVeLiLC3pe6bxnY_p-bvJRYtMgTeLJSgrRS7HaTEI8tmdHCzxCXAAX7s33Y90tNX7qhNlIK_Pftb4YrWDDUtVs4UHEaIhd6T_WDEX980g7YyNoEA0bjF05C9D80Q3s46Uuoi6cV4-B-StXk3UuQhqBkqW1ibmTxMLms65f1Uct9M1jSl4gMbUzKDHe5w_s6KZE-Z1W3Zqs27pL6mCN5c8qlaDNcAfYn-p5jhEJkspToVzPhAFY_863cTdH46vzzPRQ7-lvc0NtDKkT_vMMl8JDr6KpYsRK42mLj24sXrrhQR40BsLjLDN28Ov6CSSbvtT8lbwtc3uM-4sYjncPlDuZKnK3GCrY1MopuSG6QDwbPnEIjT9KphafTmjU0wzwRS1Ai76ANBIQk5eKAuTKSlLvXvXWIbit_yUQUGG2SsYY1U1lGp0ITUNYbzfhNbLP61NRRXOaD_9yts_U9HXSwL-ruRZpq-RlsxircT_8nH6LSC3WeHvt-EgnUaRt8tSlWaj6ocDVZWTjQZeHoW24rnpADi2TUhHAA2WZYGzyKx5jM7bxj6tCyWhxAKEZXpFqyTnwANq-04DMfDPbuY0uvfyHJGO_7QY9XhyXcLP46ikCQ9AMxeMBB1RdAk1LWfrjb8”

idToken = “9SrRLS-XxM65UGJRlXR_6lqf604”

I have added x-request-id to header as well on this occassion was “7da24a2f-6e49-49eb-b4a7-b07dd0c15b13” for tracking

Response example:
{
“error”: “invalid_request”,
“error_description”: “Malformed JWT in subject_token”,
“message_id”: “rrt-1183045613714605707-b-geu2-2173710-114871213-1”
}

Is there anyway to debug “Malformed JWT in subject_token” is being raised? As far as I can tell JWT checks out ok and the id_token is being returned from CIS2 Auth fine.

Strangely enough the same API endpoint will successfully return an access token if my request is just the following parameters:
{ “client_assertion”, clientAssertion },
{ “client_assertion_type”, “urn:ietf:params:oauth:client-assertion-type:jwt-bearer” },
{ “grant_type”, “client_credentials” }

but in that instance the resulting access token does not have a corresponding refresh token e.g.
{
“access_token”: “W70FARrD7UHhuGDUAJplgSjyl7G9”,
“expires_in”: “599”,
“token_type”: “Bearer”,
“issued_at”: “1751473025853”
}

So if just passing client_assertion, client_assertion_type, grant_type, works does that confirm the JWT is formed correctly?

jp24 · 4 July 2025 08:03

Hi there, thanks for providing all the information you have.
If I understand correctly, you’re failing at Step 7 of the documentation you’ve provided, where you exchange the id_token you get back from the CIS2 Auth /token endpoint, for an APIM access_token to acces other APIs?

In which case, the id_token value you’re using doesn’t look correct. It’s usually in the form of a JWT - perhaps you’re using the access_token value you get back in the CIS2 Auth /token response. Can you try using the id_token value you get back instead?

Let me know how you get on.

aubyn.crawford · 4 July 2025 08:12

@Paul_C - I agree with @jp24 it appears to be a problem with the value in the subject_token parameter.
By using “grant_type”, “client_credentials” you are switching to requesting an Application Restricted access token, but it shows that your client assertion JWT is correctly formed.

Paul_C · 4 July 2025 14:44

Awesome thank you.

Yes the code was passing the incorrect variable, the Authorization Code rather than the id_token received from the Auth Code exchange.

I am now able to successfully retrieve an access token e.g.

“access_token”: “oaK6XQmgTbvG8N0e81uUFTn1T7y2”,
“expires_in”: “599”,
“token_type”: “Bearer”,
“issued_token_type”: “urn:ietf:params:oauth:token-type:access_token”,
“refresh_token”: “K8CdN9jXCWJTINGpPAxxReqsjDo4GiUh”,
“refresh_token_expires_in”: “43199”,
“refresh_count”: “0”

Topic		Replies	Views
Cis2 - Exchanging code with id_token and refresh token Care Identity Service (CIS2) authentication , integration	2	184	17 September 2024
NHS CIS2 Technical SCAL queries Care Identity Service (CIS2) ers , cis2	2	215	21 March 2024
Cis2 - not receiving Id Token from the token endpoint Care Identity Service (CIS2)	7	185	8 November 2024
How to obtain credential for user restricted API using NHS Care Identity Service 2 Care Identity Service (CIS2)	2	419	3 August 2023
CIS2 combined authentication and authorisation with standalone java program Care Identity Service (CIS2)	2	39	7 November 2024

Exchange CIS2 Auth ID Token for Access Token - User-restricted RESTful APIs - CIS2 separate authentication and authorisation

Related topics