Implementation Guidance > Connectivity
Please note that the base standards leave many claims/parameters optional in order to maximize interoperability and cover a broad range of use cases. eHealth Ontario, however, makes most of the registered claims/parameters mandatory and validates them, to strengthen security.
https://openid.net/specs/openid-connect-core-1_0.html#IDToken
https://openid.net/specs/openid-heart-oauth2-1_0.html#JWTBearerTokens
Table: JWT Query Data
Data Element | Definition | Type | Optionality | Length | Example |
---|---|---|---|---|---|
version | Version of the introspection response | ST | Mandatory | 1..10 | 1.0 |
uao | The identifier of the individual or organization | ST | Mandatory | 1..20 | UPI123456 |
uaoType | Individual or Organization | ST | Mandatory | 1..20 | org or person |
uaoName | The name of the UAO (Under Authority Of) | ST | Mandatory | 1..75 | John Smith or North York General |
given_name | First name of the person on a keyboard | ST | Mandatory | 1..30 | John |
family_name | Last name of the person on a keyboard | ST | Mandatory | 1..45 | Smith |
rid | License number; present if the user is a licensed provider, otherwise it should be empty | ST | Optional | 1..20 | cpso:123 |
sub | The login ID of the user initiating the login request (the person on a keyboard) | ST | Mandatory | 1..50 | id-iqT8SOKInhlsCsNd-Cemqk—Hjo- |
idp | Identity provider; work with eHealth Ontario to assign the IDP | ST | Mandatory | 1..50 | 2.16.840.1.113883.3.239.23.99999 |
obo | License of the HIC on whose behalf the user is working | ST | Optional | 1..20 | cpso:456 |
aud | Identifier of the user. Should represent the same value as the one present in the FHIR query string (URL of the Provider Gateway) | ST | Mandatory | 1..255 | https://onegateway.ehealthontario.ca |
scope | SMART on FHIR scopes | ST | Mandatory | 1..1024 | user/Observation.read |
profile | Identifies the specific EHR asset the request is directed to | ST | Mandatory | 1..1024 | http://ehealthontario.ca/StructureDefinition/ca-on-lab-profile-DiagnosticReport |
iss | Issuer, ONE ID or token signer | ST | Mandatory | 1..256 | https://federationbroker.ehealthontario.ca/fed/oidc |
jti | Unique Token ID; generated by the issuer | ST | Mandatory | 1..40 | 2402f87c-b6ce-45c4-95b0-7a3f2904997f |
exp | Token expiration time (its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z, as measured in UTC, until the date/time) | NM | Mandatory | 1..20 | 1444147166 |
azp | The name of the application used for the access | ST | Mandatory | 1..50 | https://olisviewlet.ehealthontario.ca |
iat | Issued time (its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z, as measured in UTC, until the date/time) | NM | Mandatory | 1..20 | 1444143566 |
cntx_ssn | Context session ID | ST | Optional | 1..20 | 5443234343243432 |
active | Status of the token | Boolean | Mandatory | | true |
location | Location of the EMR | ST | Optional | 1..20 | |
Introspection response: Note that the response body is a JSON object with flat parameters describing the token. An ID Token may also be embedded inside the JSON object under the "id_token" parameter.
HTTP/1.1 200 OK
Content-Type: application/json
{
"active": true,
"iss": "https://federationbroker.ehealthontario.ca/fed/oidc",
"aud": "https://provider.ehealthontario.ca",
"azp": "https://olisviewlet.ehealthontario.ca",
"sub": "id-iqT8SOKInhlsCsNd-Cemqk—Hjo-",
"scope": "user/Observation.read",
"iat": 1444143566,
"exp": 1444147166,
"jti": "2402f87c-b6ce-45c4-95b0-7a3f2904997f",
"token_type": "bearer",
"client_id": "https://olisviewlet.ehealthontario.ca",
"uao": "2.16.840.1.113883.3.239.9:1234567890123",
"uaoType": "org",
"uaoName": "North York General",
"given_name": "John",
"family_name": "Smith",
"rid": "2.16.840.1.113883.4.347:123",
"email": "john.smith@northyorkgeneral.ca",
"idp": "2.16.840.1.113883.3.239.23.99999",
"obo": "2.16.840.1.113883.4.347:456",
"profile": "http://ehealthontario.ca/StructureDefinition/ca-on-lab-profile-DiagnosticReport",
"version": "1.0",
"cntx_ssn": "5443234343243432"
}
Inactive token response: The response for an inactive token contains only the active status, set to false, as follows:
HTTP/1.1 200 OK
Content-Type: application/json
{
"active": false
}
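The table above says that eHealth Ontario treats most registered claims as mandatory and validates them, and the two responses show what an active and an inactive token look like. The following is an added example of how a resource server could validate an introspection response against that table before honouring the request; it is not eHealth Ontario's own code. It assumes the Length column is a hard upper bound, that token lifetimes beyond one hour are rejected, that `uaoType` is restricted to the two values shown in the table, and that scopes follow the SMART on FHIR v1 `user/Resource.read` shape. The sample response is constructed from the table's example values.

```python
import re
import time
from typing import Any, Dict, List, Optional

# Claims the table marks Mandatory, with the upper bound of their Length column.
# (Lengths come from the table; enforcing them as hard limits is this example's choice.)
MANDATORY_CLAIMS: Dict[str, int] = {
    "version": 10, "uao": 20, "uaoType": 20, "uaoName": 75,
    "given_name": 30, "family_name": 45, "sub": 50, "idp": 50,
    "aud": 255, "scope": 1024, "profile": 1024, "iss": 256,
    "jti": 40, "azp": 50,
}
# Claims the table marks Optional: checked for type and length only when present.
OPTIONAL_CLAIMS: Dict[str, int] = {"rid": 20, "obo": 20, "cntx_ssn": 20, "location": 20}

# Assumed shape of a SMART on FHIR v1 scope such as user/Observation.read.
SMART_SCOPE = re.compile(r"^(user|patient|system)/([A-Z][A-Za-z]+|\*)\.(read|write|\*)$")

# Values this resource server trusts (taken from the table's examples).
TRUSTED_ISSUER = "https://federationbroker.ehealthontario.ca/fed/oidc"
GATEWAY_URL = "https://onegateway.ehealthontario.ca"


def validate_introspection(resp: Dict[str, Any], expected_iss: str, expected_aud: str,
                           now: Optional[int] = None, max_lifetime: int = 3600) -> List[str]:
    """Return the list of problems found; an empty list means the token may be accepted."""
    now = int(time.time()) if now is None else now
    problems: List[str] = []

    # An inactive token carries only {"active": false}; reject it before looking further.
    if resp.get("active") is not True:
        return ["token is not active"]

    for claim, max_len in MANDATORY_CLAIMS.items():
        value = resp.get(claim)
        if not isinstance(value, str) or not value:
            problems.append(f"missing or non-string mandatory claim: {claim}")
        elif len(value) > max_len:
            problems.append(f"{claim} exceeds maximum length {max_len}")

    for claim, max_len in OPTIONAL_CLAIMS.items():
        value = resp.get(claim)
        if value is not None and (not isinstance(value, str) or len(value) > max_len):
            problems.append(f"{claim} present but not a string of at most {max_len} chars")

    # Time claims are JSON numbers of seconds since the Unix epoch, as the table states.
    iat, exp = resp.get("iat"), resp.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int) or isinstance(iat, bool) or isinstance(exp, bool):
        problems.append("iat and exp must be JSON integers")
    else:
        if exp <= now:
            problems.append("token has expired")
        if iat > now:
            problems.append("iat is in the future")
        if exp - iat > max_lifetime:
            problems.append(f"token lifetime exceeds {max_lifetime}s")

    # Binding checks: the token must come from the trusted issuer and be intended for this gateway.
    if resp.get("iss") != expected_iss:
        problems.append("iss does not match the trusted issuer")
    if resp.get("aud") != expected_aud:
        problems.append("aud does not match the gateway URL of this request")
    if resp.get("uaoType") not in ("org", "person"):
        problems.append("uaoType must be 'org' or 'person'")

    scope = resp.get("scope")
    if isinstance(scope, str):
        for s in scope.split():
            if not SMART_SCOPE.match(s):
                problems.append(f"malformed SMART scope: {s}")
    return problems


# Constructed sample response built from the table's example values (not a real token).
SAMPLE_RESPONSE: Dict[str, Any] = {
    "active": True,
    "iss": TRUSTED_ISSUER,
    "aud": GATEWAY_URL,
    "azp": "https://olisviewlet.ehealthontario.ca",
    "sub": "id-iqT8SOKInhlsCsNd-Cemqk-Hjo-",
    "scope": "user/Observation.read",
    "iat": 1444143566,
    "exp": 1444147166,
    "jti": "2402f87c-b6ce-45c4-95b0-7a3f2904997f",
    "token_type": "bearer",
    "client_id": "https://olisviewlet.ehealthontario.ca",
    "uao": "UPI123456",
    "uaoType": "org",
    "uaoName": "North York General",
    "given_name": "John",
    "family_name": "Smith",
    "rid": "cpso:123",
    "idp": "2.16.840.1.113883.3.239.23.99999",
    "profile": "http://ehealthontario.ca/StructureDefinition/ca-on-lab-profile-DiagnosticReport",
    "version": "1.0",
    "cntx_ssn": "5443234343243432",
}

if __name__ == "__main__":
    # Evaluate the sample at a fixed instant inside its validity window.
    print(validate_introspection(SAMPLE_RESPONSE, TRUSTED_ISSUER, GATEWAY_URL, now=1444143600))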
Powered by SIMPLIFIER.NET