Connectivity Summary
Token requirements and specs:
Please note that the base standards leave many claims/parameters optional in order to maximize interoperability and cover a broad range of use cases. Ontario Health, however, will make most of the registered claims/parameters mandatory and will validate them, to enhance security.
https://openid.net/specs/openid-connect-core-1_0.html#IDToken
https://openid.net/specs/openid-heart-oauth2-1_0.html#JWTBearerTokens
Table: JWT Query Data
Data Element | Definition | Type | Optionality | Length | Example |
---|---|---|---|---|---|
jti | Unique token ID, generated by the application | ST | Mandatory | 1..40 | |
org | The name of the originating organization the application is associated with | ST | Optional | 1..70 | University Health Network |
app | The name of the application used for the access | ST | Mandatory | 1..50 | Medly |
appVersion | The version of the application | ST | Mandatory | 1..10 | 1.03 |
sub | The login ID of the user initiating the login request | ST | Mandatory | 1..50 | jasmith@myhealthapp.com |
idp | Identity provider; work with eHealth Ontario to assign the IDP | ST | Mandatory | 1..255 | http://ehealthontario.ca/fhir/NamingSystem/idp-medly |
prn | Name of the user (principal), as defined in https://openid.net/specs/draft-jones-json-web-token-07.html | ST | Mandatory | 1..75 | John Smith |
usertype | Type of the user: P (patient) or D (delegate) | ST | Mandatory | 1..1 | P |
aud | Identifier of the user. Should be the same value as the one present in the FHIR query string | ST | Mandatory | 1..90 | |
exp | Token expiration time (a JSON number giving the number of seconds from 1970-01-01T00:00:00Z UTC until the date/time) | NM | Mandatory | 1..20 | |
iat | Issued-at time (a JSON number giving the number of seconds from 1970-01-01T00:00:00Z UTC until the date/time) | NM | Mandatory | 1..20 | 1444143566 |
JWT Header
Data Element | Definition | Type | Optionality |
---|---|---|---|
alg | Algorithm used, as defined in https://tools.ietf.org/html/rfc7515#page-10. This has to be set to "RS256" | ST | Mandatory |
kid | Key ID used to secure the token, as defined in https://tools.ietf.org/html/rfc7515#page-11 | ST | Optional |
x5t | Certificate thumbprint used to sign the token, as defined in https://tools.ietf.org/html/rfc7515#page-12 | ST | Mandatory |
typ | Type of the token, as defined in https://tools.ietf.org/html/rfc7515#page-12. Always set to "JWT" | ST | Mandatory |
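The two tables above define what a receiving party is expected to enforce: header values pinned to RS256 / JWT with a mandatory x5t, and each registered claim present, of the right JSON type and within its length bounds. As an added example (not part of the Ontario Health guide), the following Python applies those rules to a compact JWS. The sample token is constructed here; its signature segment is a placeholder because RS256 signature verification against the certificate identified by x5t is assumed to have already succeeded before these claim checks run, and the `aud` value is a made-up identifier.

```python
import base64
import json

# Claim name -> (min, max) length, copied from the "JWT Query Data" table.
# org is the only optional claim; its length limit still applies when present.
CLAIM_LIMITS = {
    "jti": (1, 40), "org": (1, 70), "app": (1, 50), "appVersion": (1, 10),
    "sub": (1, 50), "idp": (1, 255), "prn": (1, 75), "usertype": (1, 1),
    "aud": (1, 90), "exp": (1, 20), "iat": (1, 20),
}
OPTIONAL_CLAIMS = {"org"}
NUMERIC_CLAIMS = {"exp", "iat"}   # NM type: seconds since the epoch
USERTYPES = {"P", "D"}


def b64url_decode(segment: str) -> bytes:
    # JWS segments are unpadded base64url; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def validate_jwt_claims(token: str, now: int) -> list:
    """Return a list of rule violations; an empty list means the token passed.

    Assumes the RS256 signature has ALREADY been verified with the key named
    by x5t/kid. Only the header and claim rules from the tables are checked.
    """
    errors = []
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part compact JWS"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:            # covers binascii and JSON errors
        return [f"malformed header or payload: {exc}"]

    # JWT Header table: alg pinned to RS256, typ to JWT, x5t mandatory.
    if header.get("alg") != "RS256":
        errors.append(f"alg must be RS256, got {header.get('alg')!r}")
    if header.get("typ") != "JWT":
        errors.append(f"typ must be JWT, got {header.get('typ')!r}")
    if not header.get("x5t"):
        errors.append("x5t (certificate thumbprint) is mandatory")

    # JWT Query Data table: presence, JSON type and length of each claim.
    for name, (lo, hi) in CLAIM_LIMITS.items():
        if name not in claims:
            if name not in OPTIONAL_CLAIMS:
                errors.append(f"missing mandatory claim {name}")
            continue
        value = claims[name]
        if name in NUMERIC_CLAIMS:
            if isinstance(value, bool) or not isinstance(value, int):
                errors.append(f"{name} must be a JSON integer (seconds since epoch)")
                continue
            text = str(value)            # length rule applies to the digits
        elif isinstance(value, str):
            text = value
        else:
            errors.append(f"{name} must be a string")
            continue
        if not lo <= len(text) <= hi:
            errors.append(f"{name} length {len(text)} outside {lo}..{hi}")

    if "usertype" in claims and claims.get("usertype") not in USERTYPES:
        errors.append("usertype must be P or D")
    # Reject expired tokens and tokens that claim to be issued in the future.
    if isinstance(claims.get("exp"), int) and claims["exp"] <= now:
        errors.append("token has expired")
    if isinstance(claims.get("iat"), int) and claims["iat"] > now:
        errors.append("iat is in the future")
    return errors


def build_unsigned_sample(header: dict, claims: dict) -> str:
    """Constructed test token: real header/payload segments, placeholder signature."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.PLACEHOLDER-SIGNATURE"


# Constructed sample built from the table's example column; aud is made up.
SAMPLE_HEADER = {"alg": "RS256", "typ": "JWT", "x5t": "constructed-thumbprint"}
SAMPLE_CLAIMS = {
    "jti": "2402f87c-b6ce-45c4-95b0-7a3f2904997f",
    "org": "University Health Network",
    "app": "Medly", "appVersion": "1.03",
    "sub": "jasmith@myhealthapp.com",
    "idp": "http://ehealthontario.ca/fhir/NamingSystem/idp-medly",
    "prn": "John Smith", "usertype": "P",
    "aud": "constructed-user-identifier",
    "iat": 1444143566, "exp": 1444147166,
}

if __name__ == "__main__":
    token = build_unsigned_sample(SAMPLE_HEADER, SAMPLE_CLAIMS)
    print(validate_jwt_claims(token, now=1444145000))   # [] when every rule passes
```

Returning the full list of violations rather than stopping at the first one is deliberate: in an integration test against a partner application you want to see every mandatory claim that is missing or over-length in one pass, whereas a production resource server would simply reject the token when the list is non-empty.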
Samples:
Introspection response: Note that the response body is a JSON object whose parameters are flat values describing the token. An ID Token may also be embedded in the JSON object under an "id_token" parameter.

```http
HTTP/1.1 200 OK
Content-Type: application/json

{
"active": true,
"iss": "https://federationbroker.ehealthontario.ca/fed/oidc",
"aud": "https://provider.ehealthontario.ca",
"azp": "https://olisviewlet.ehealthontario.ca",
"sub": "id-iqT8SOKInhlsCsNd-Cemqk—Hjo-",
"scope": "user/Observation.read filter/COVID19",
"iat": 1444143566,
"exp": 1444147166,
"jti": "2402f87c-b6ce-45c4-95b0-7a3f2904997f",
"token_type": "bearer",
"client_id": "https://olisviewlet.ehealthontario.ca",
"uao": "2.16.840.1.113883.3.239.9:1234567890123",
"uaoType": "org",
"uaoName": "North York General",
"given_name": "John",
"family_name": "Smith",
"rid": "2.16.840.1.113883.4.347:123",
"email": "john.smith@northyorkgeneral.ca",
"Idp": "2.16.840.1.113883.3.239.23.99999",
"obo": "2.16.840.1.113883.4.347:456",
"profile": "http://ehealthontario.ca/StructureDefinition/ca-on-lab-profile-DiagnosticReport",
"version": "1.0",
"cntx_ssn": "5443234343243432"
}
```
Inactive token response: the response for an inactive token contains only the active status, set to false, as follows:

```http
HTTP/1.1 200 OK
Content-Type: application/json

{
"active": false
}
```
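The two responses above are the only shapes a resource server should expect from the introspection endpoint: either a flat object with `"active": true` and the describing parameters, or an object carrying nothing but `"active": false`. As an added example (not code from the Ontario Health guide), the following Python shows how a resource server would consume such a body before serving a FHIR request: it treats anything other than boolean `true` as inactive, and still checks `exp`, `aud` and `scope` from the active response, since an introspection server reporting a token as active does not by itself mean the token was issued for this resource or grants the scope the request needs. The two sample bodies are constructed here to match the page's samples; the expected audience and required scope are taken from those samples.

```python
import json

# Constructed bodies mirroring the two sample introspection responses above.
ACTIVE_BODY = json.dumps({
    "active": True,
    "iss": "https://federationbroker.ehealthontario.ca/fed/oidc",
    "aud": "https://provider.ehealthontario.ca",
    "azp": "https://olisviewlet.ehealthontario.ca",
    "sub": "id-iqT8SOKInhlsCsNd-Cemqk--Hjo-",
    "scope": "user/Observation.read filter/COVID19",
    "iat": 1444143566,
    "exp": 1444147166,
    "jti": "2402f87c-b6ce-45c4-95b0-7a3f2904997f",
    "token_type": "bearer",
    "client_id": "https://olisviewlet.ehealthontario.ca",
})
INACTIVE_BODY = json.dumps({"active": False})


def authorize_from_introspection(body: str, expected_aud: str,
                                 required_scope: str, now: int):
    """Decide whether to honour a bearer token given the introspection body.

    Returns (allowed, reason). Every failure path returns False so the caller
    can never accidentally fall through to "allowed".
    """
    try:
        info = json.loads(body)
    except json.JSONDecodeError:
        return False, "introspection body is not valid JSON"
    if not isinstance(info, dict):
        return False, "introspection body is not a JSON object"

    # "active" is the only member guaranteed in both responses. Anything that
    # is not the JSON boolean true (e.g. the string "true") counts as inactive.
    if info.get("active") is not True:
        return False, "token inactive"

    if str(info.get("token_type", "")).lower() != "bearer":
        return False, "unexpected token_type"

    # Do not rely on the introspection server alone for lifetime: re-check exp.
    exp = info.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "token expired or exp missing"

    # aud may be a single string or a list; this resource must be among them.
    aud = info.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return False, "token not issued for this resource server"

    # scope is a space-delimited string; the request's scope must be granted.
    granted = set(str(info.get("scope", "")).split())
    if required_scope not in granted:
        return False, f"scope {required_scope} not granted"

    return True, "ok"


if __name__ == "__main__":
    print(authorize_from_introspection(
        ACTIVE_BODY, "https://provider.ehealthontario.ca",
        "user/Observation.read", now=1444145000))          # (True, 'ok')
    print(authorize_from_introspection(
        INACTIVE_BODY, "https://provider.ehealthontario.ca",
        "user/Observation.read", now=1444145000))          # (False, 'token inactive')
```

The strict `is not True` comparison on `active` is the point most worth carrying into real code: a lenient truthiness check would accept `"active": "false"` or `"active": 1` from a misbehaving or tampered-with introspection response, whereas this function only ever grants access on the exact boolean the specification defines.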