Connectivity

Token requirements and specs:

Please note that the base standards leave many claims/parameters optional in order to maximize interoperability and cover a broad range of use cases. eHealth Ontario, however, makes most of the registered claims/parameters mandatory and validates them to enhance security.

https://openid.net/specs/openid-connect-core-1_0.html#IDToken

https://openid.net/specs/openid-heart-oauth2-1_0.html#JWTBearerTokens

Table: JWT Query Data

| Data Element | Definition | Type | Optionality | Length | Example |
|---|---|---|---|---|---|
| version | Version of the introspection response | ST | Mandatory | 1..10 | 1.0 |
| uao | The identifier of the individual or organization | ST | Mandatory | 1..20 | UPI123456 |
| uaoType | Individual or Organization | ST | Mandatory | 1..20 | org or person |
| uaoName | The name of the UAO (Under Authority Of) | ST | Mandatory | 1..75 | John Smith or North York General |
| given_name | First name of the person on a keyboard | ST | Mandatory | 1..30 | John |
| family_name | Last name of the person on a keyboard | ST | Mandatory | 1..45 | Smith |
| rid | License number; present if the user is a licensed provider, otherwise empty | ST | Optional | 1..20 | cpso:123 |
| sub | The login ID of the user initiating the login request (person on a keyboard) | ST | Mandatory | 1..50 | id-iqT8SOKInhlsCsNd-Cemqk—Hjo- |
| idp | Identity provider; work with eHealth Ontario to assign the IDP | ST | Mandatory | 1..50 | 2.16.840.1.113883.3.239.23.99999 |
| obo | License of the HIC being worked on behalf of | ST | Optional | 1..20 | cpso:456 |
| aud | Identifier of the user. Must be the same value as the one present in the FHIR query string (URL of the Provider Gateway) | ST | Mandatory | 1..255 | https://onegateway.ehealthontario.ca |
| scope | SMART on FHIR scopes | ST | Mandatory | 1..1024 | user/Observation.read |
| profile | Identifies the specific EHR asset the request is directed to | ST | Mandatory | 1..1024 | http://ehealthontario.ca/StructureDefinition/ca-on-lab-profile-DiagnosticReport |
| iss | Issuer: ONE ID or the token signer | ST | Mandatory | 1..256 | https://federationbroker.ehealthontario.ca/fed/oidc |
| jti | Unique token ID; generated by the issuer | ST | Mandatory | 1..40 | 2402f87c-b6ce-45c4-95b0-7a3f2904997f |
| exp | Token expiration time (a JSON number: the number of seconds from 1970-01-01T00:00:00Z UTC until the date/time) | NM | Mandatory | 1..20 | 1444147166 |
| azp | The name of the application used for the access | ST | Mandatory | 1..50 | https://olisviewlet.ehealthontario.ca |
| iat | Issued-at time (a JSON number: the number of seconds from 1970-01-01T00:00:00Z UTC until the date/time) | NM | Mandatory | 1..20 | 1444143566 |
| cntx_ssn | Context session ID | ST | Optional | 1..20 | 5443234343243432 |
| active | Status of the token | Boolean | Mandatory | | true |
| location | Location of the EMR | ST | Optional | 1..20 | |

Samples:

Introspection response: Note that the response body is a JSON object with flat parameters describing the token. An ID Token can also be embedded inside the JSON object using the "id_token" parameter.

HTTP/1.1 200 OK
Content-Type: application/json

{
    "active": true,
    "iss": "https://federationbroker.ehealthontario.ca/fed/oidc",
    "aud": "https://provider.ehealthontario.ca",
    "azp": "https://olisviewlet.ehealthontario.ca",
    "sub": "id-iqT8SOKInhlsCsNd-Cemqk—Hjo-",
    "scope": "user/Observation.read",
    "iat": 1444143566,
    "exp": 1444147166,
    "jti": "2402f87c-b6ce-45c4-95b0-7a3f2904997f",
    "token_type": "bearer",
    "client_id": "https://olisviewlet.ehealthontario.ca",
    "uao": "2.16.840.1.113883.3.239.9:1234567890123",
    "uaoType": "org",
    "uaoName": "North York General",
    "given_name": "John",
    "family_name": "Smith",
    "rid": "2.16.840.1.113883.4.347:123",
    "email": "john.smith@northyorkgeneral.ca",
    "idp": "2.16.840.1.113883.3.239.23.99999",
    "obo": "2.16.840.1.113883.4.347:456",
    "profile": "http://ehealthontario.ca/StructureDefinition/ca-on-lab-profile-DiagnosticReport",
    "version": "1.0",
    "cntx_ssn": "5443234343243432"
}

Inactive token response: the response for an inactive token contains only the active status, set to false, as follows:

HTTP/1.1 200 OK
Content-Type: application/json

{
    "active": false
}
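The table above lists which claims a relying party must expect and validate, and the two samples show the active and inactive response shapes. The following is an added example, not eHealth Ontario's code, of a resource-side validator that applies the table's presence, type and length rules to an introspection response and then checks the claims that carry security meaning (iss against the expected signer, aud against this gateway's own URL, exp and iat against the current time). The claim table is transcribed from this page; the expected issuer and audience constants and the sample response are constructed from the table's example column and are assumptions for the sake of the demo.

```python
"""Validate an introspection response against the JWT Query Data table.

Added example (not eHealth Ontario's code). CLAIM_SPEC is transcribed from
the table on this page; EXPECTED_ISS, EXPECTED_AUD and SAMPLE_RESPONSE are
constructed from the table's example values.
"""
import json
import time

# claim -> (type, mandatory, min_len, max_len). For NM claims the length
# bound is applied to the decimal representation of the number.
CLAIM_SPEC = {
    "version":     ("ST", True,  1, 10),
    "uao":         ("ST", True,  1, 20),
    "uaoType":     ("ST", True,  1, 20),
    "uaoName":     ("ST", True,  1, 75),
    "given_name":  ("ST", True,  1, 30),
    "family_name": ("ST", True,  1, 45),
    "rid":         ("ST", False, 1, 20),
    "sub":         ("ST", True,  1, 50),
    "idp":         ("ST", True,  1, 50),
    "obo":         ("ST", False, 1, 20),
    "aud":         ("ST", True,  1, 255),
    "scope":       ("ST", True,  1, 1024),
    "profile":     ("ST", True,  1, 1024),
    "iss":         ("ST", True,  1, 256),
    "jti":         ("ST", True,  1, 40),
    "exp":         ("NM", True,  1, 20),
    "azp":         ("ST", True,  1, 50),
    "iat":         ("NM", True,  1, 20),
    "cntx_ssn":    ("ST", False, 1, 20),
    "active":      ("Boolean", True, None, None),
    "location":    ("ST", False, 1, 20),
}

# Assumed deployment values (constructed from the table's example column).
EXPECTED_ISS = "https://federationbroker.ehealthontario.ca/fed/oidc"
EXPECTED_AUD = "https://onegateway.ehealthontario.ca"

# Constructed sample response; every value is taken from the table's examples.
SAMPLE_RESPONSE = json.loads("""
{
  "active": true,
  "version": "1.0",
  "iss": "https://federationbroker.ehealthontario.ca/fed/oidc",
  "aud": "https://onegateway.ehealthontario.ca",
  "azp": "https://olisviewlet.ehealthontario.ca",
  "sub": "id-iqT8SOKInhlsCsNd-Cemqk--Hjo-",
  "idp": "2.16.840.1.113883.3.239.23.99999",
  "scope": "user/Observation.read",
  "profile": "http://ehealthontario.ca/StructureDefinition/ca-on-lab-profile-DiagnosticReport",
  "iat": 1444143566,
  "exp": 1444147166,
  "jti": "2402f87c-b6ce-45c4-95b0-7a3f2904997f",
  "uao": "UPI123456",
  "uaoType": "org",
  "uaoName": "North York General",
  "given_name": "John",
  "family_name": "Smith",
  "rid": "cpso:123",
  "cntx_ssn": "5443234343243432"
}
""")


def _is_number(value):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(value, int) and not isinstance(value, bool)


def validate_introspection(resp, expected_iss, expected_aud, now=None, skew=60):
    """Return a list of validation errors; an empty list means the token is acceptable."""
    errors = []
    now = int(time.time()) if now is None else now

    # An inactive token is reported as {"active": false} with no other claims,
    # so there is nothing further to check; reject immediately.
    if resp.get("active") is not True:
        return ["token is not active"]

    # Structural checks straight from the table: presence, type, length.
    for name, (typ, mandatory, lo, hi) in CLAIM_SPEC.items():
        if name not in resp:
            if mandatory:
                errors.append(f"missing mandatory claim {name}")
            continue
        val = resp[name]
        if typ == "ST":
            if not isinstance(val, str):
                errors.append(f"{name}: expected string")
            elif not lo <= len(val) <= hi:
                errors.append(f"{name}: length {len(val)} outside {lo}..{hi}")
        elif typ == "NM":
            if not _is_number(val):
                errors.append(f"{name}: expected JSON number")
            elif not lo <= len(str(val)) <= hi:
                errors.append(f"{name}: length outside {lo}..{hi}")
        elif typ == "Boolean" and not isinstance(val, bool):
            errors.append(f"{name}: expected boolean")

    # Semantic checks: who signed it, who it is for, and whether it is current.
    if resp.get("iss") != expected_iss:
        errors.append("iss does not match the expected token signer")
    if resp.get("aud") != expected_aud:
        errors.append("aud does not match this gateway URL")
    exp, iat = resp.get("exp"), resp.get("iat")
    if _is_number(exp) and exp <= now:
        errors.append("token expired")
    if _is_number(iat) and iat > now + skew:
        errors.append("iat is in the future")
    return errors


if __name__ == "__main__":
    # Evaluate at a constructed instant between the sample's iat and exp.
    print(validate_introspection(SAMPLE_RESPONSE, EXPECTED_ISS, EXPECTED_AUD, now=1444145000))
```

The key design point is that presence is checked by exact key name: a claim whose key carries stray whitespace (such as `"uaoType "`) is treated as absent rather than silently accepted, and the audience check compares against the gateway's own URL so that a token minted for a different resource is refused even if every other claim is well formed.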