JSON Web Tokens (PFS)

Overview

Medicus makes use of JSON Web Tokens (JWT) to ensure that data flowing between Medicus and the consumer system is cryptographically verified.

A JWT token should be sent with each request made to a Transactional or Patient Facing Services API endpoint.

Signing JWT Signatures

Medicus uses the HMAC SHA256 alongside the RS256 signing algorithm.

RS256 ensures that only the private key holder and no one else can sign tokens. JWTs are signed with the consumer’s private key and validated by the Medicus tenant using the public key stored on the Medicus Developer Portal.

Consumers should use the Medicus Developer Portal to upload and rotate public keys. Keys without re-deploying the application with a new secret.

Signature Formation

The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.

To create the signature, the Base64-encoded header and payload are taken, along with a secret, and signed with the algorithm specified in the header.

In this case, the secret is the consumer’s private key.

Example signature formation:

CODE

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

JWT Structure

JOSE Header

A JSON object containing the parameters describing the cryptographic operations and parameters employed.

Field

Description

Value

alg

The encryption algorithm used

Note: the only value for alg that Medicus accepts is RS256. All other values are rejected

RS256

typ

The JWT media type

Again, the only accepted value is JWT

JWT

kid

The Consumer app's Key ID. This is generated when the Developer uploads an RSA public key to the Developer Portal

b2b036a0-edcd-41ea-bb08-d204aabc5235

Example header payload:

JSON

{
    "alg": "RS256",
    "typ": "JWT",
    "kid": "3cd60f2e-70a5-11ed-95ba-0a58a9feac02"
}

JWS Payload

The payload contains statements about the entity and additional entity attributes, which are called claims.

Claim	Description	Example	Mandatory For PFS?
`iss`	Issuer: the Medicus App ID, generated in the Medicus Developer Portal	`30c9b5ad-dec0-4e88-b248-e54c3a54fdde`	Yes
`aud`	Audience: the target URL of the request	`https://46a1d6.api.uk.medicus.health/pfs-api/v1/patient/27a8db63-28d9-11eb-adc1-47c2069fbda5/name`	Yes
`exp`	Expiry Date/Time as a Unix timestamp	`1490922820`	Yes
`userName`	The user’s name	`John Doe`	No
`userEmail`	The user’s email	`user@user.com`	No
`userIdentifierType`	The user identifier type This should correspond to a recognised professional body (currently NHS England only) Accepted values: `medicus-username` `gb-nhs-cis-user-id` `third-party-system-user-id` `gb-gmc-number` `gb-gphc-number` `gb-hcpc-number` `gb-nmc-pin`	`third-party-system-user-id`	Yes Set to `third-party-system-user-id`
`userIdentifierValue`	The app user’s identifier (dependent on `userIdentifierType`) The identifier only allows a valid registration code from a recognised professional body	`234456`	Yes
`softwareSystem`	The software system making the request	`Prescribing App V1 iOS`	Yes
`applicationName`	The requesting application’s name	`Prescribing App`	No
`organisationName`	The requesting application’s name	`Prescribing App`	No
`organisationIdentifierType`	The organisation’s identifier type Currently the only accepted value is: `nhs-england-ods-code`	`nhs-england-ods-code`	No
`organisationIdentifierValue`	The value corresponding to the identifier type	`X26`	No

Example body payload:

JSON

{
    "iss": "8010045b-d53f-4675-acd4-e9694709c9d3",
    "aud": "https://a10001.api.medicus.health/pfs-api/v1/patient/1339a7c3-28d6-11eb-adc1-0242ac120002/prescriptions",
    "exp": 1490922820,
    "userName": "medicus",
    "userEmail": "medicususer@mail.com",
    "userIdentifierType": "gb-gmc-number",
    "userIdentifierValue": "a83569be-3fc8-4396-b11e-0faeefaa5fe3",
    "softwareSystem": "Healthcare App V1 iOS",
    "applicationName": "My Requesting App",
    "organisationName": "Pharmacy Co"
}

Payload Validation

The JWT token is validated upon each API request:

The token must be signed by the key specified in kid
kid must belong to the issuer iss
exp must not be in the past (Medicus allows 30 seconds for skew)
exp must not be more than 5 minutes in the future (to avoid long-dated JWT Tokens being generated)
aud must match the Medicus tenant URL handling the request
alg must be RS256
iss must be approved by the healthcare organisation to have access to the Medicus tenant
kid must relate to an “active” key (keys can be deactivated or rotated)

Making Requests

The JWT should be included as part of the Bearer in the Authorization HTTP header.

Example request:

CODE

GET https://a10001.api.test.medicus.health/pfs-api/v1/patient/1222aa9c-28d6-11eb-adc1-0242ac120002/nominated-eps-dispensers
Authorization: Bearer [JWT Token]

Example CURL request, including the Authorization header:

BASH

curl --location --request GET 'https://a10001.api.test.medicus.health/pfs-api/v1/patient/ed9a308e-360c-11ed-8b36-060b232f1aa2/dob' \
--header 'Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjNjZDYwZjJlLTcwYTUtMTFlZC05NWJhLTBhNThhOWZlYWMwMiJ9.eyJpc3MiOiIwNWY2OGNiOC03MGE1LTExZWQtOTQ2Ni0wYTU4YTlmZWFjMDIiLCJraWQiOiIzY2Q2MGYyZS03MGE1LTExZWQtOTViYS0wYTU4YTlmZWFjMDIiLCJhdWQiOiJodHRwczovL2ExMDAwMS5hcGkuc3RhZ2luZy5tZWRpY3VzLmhlYWx0aC90cmFuc2FjdGlvbmFsLWFwaS92MS9maWxlL2NhcmUtcmVjb3JkLWRvY3VtZW50LzMzMWRmOWFjLTY3NGUtMTFlZC05YTc2LTA2Mzk5ZjkwNzIyZS8zMzFkZjlhYy02NzRlLTExZWQtOWE3Ni0wNjM5OWY5MDcyMmUiLCJleHAiOjE2NzE0MzkxNjZ9.1DIRypATDkc9nBszy8eRignV0KbVh2_mA5jdpW98m7bodOmm5PvJHWK-VanPxKGIjr7O2AlyJyGI5Cz_LLXTzo0rNLl4GThkiRKnBzi4PewR_1vFo9Za1VmoTnCQVznej6WNjFc73OXIYSjLAaGs3Pa-4lDTCNQFwQF79MqZTOQ

Error States

HTTP Code	Error Code	Scenario
`400`	`TOKEN_BAD_FORMAT`	The JWT is incorrectly formatted
`400`	`TOKEN_MISSING_{key}`	A required claim is missing from the JWT. For example: `TOKEN_MISSING_AUD`
`401`	`NO_JWT_TOKEN_SUPPLIED`	No JWT token was supplied
`401`	`TOKEN_EXPIRED`	The JWT token has expired
`401`	`TIME_CONSTRAINT_FAILURE`	The `exp` is in the future
`401`	`INVALID_CREDENTIALS`	The `iss` is incorrect. The `kid` is incorrect
`401`	`JWT_ISSUER_INVALID`	The `iss` claim is incorrect
`401`	`JWT_AUD_INVALID`	The `aud` claim is incorrect