Hello API Platform Team,
I am trying to use the client assertions - signed jwt authentication.
I followed the instructions, but I would like to use an external identity provider to generate the tokens instead of doing it on the application itself.
And I noticed that this identity provider makes use of the ‘iss’ claim in tokens issued.
Is it mandatory that the claim ‘iss’ should contain the API Key?
Note: I tried with one of the c# examples and I got an error when replacing the ‘iss’ with something else (“my-identity-provider”), and I would like to know if there is any workaround for this situation.
{
"iss": "my-identity-provider",
"sub": "my-apikey",
"jti": "2e373277-2ff5-416f-a6cc-33baefb181e7",
"nbf": 1753765391,
"exp": 1753765451,
"aud": "https://sandbox.api.service.nhs.uk/oauth2/token"
}
Within the token’s header, is JWT the only value permitted for the ‘typ’ field, or is AT+JWT also an accepted type?
{
"alg": "RS256",
"kid": "E92307B3F70909F40A7533981A34B05A66D21DA1",
"x5t": "6SMHs_cJCfQKdTOYGjSwWmbSHaE",
"typ": "at+jwt"
}
Thanks you.