Merge the two OAuth2 endpoints in the API-M INT environment into a single endpoint

1 votes

There are two identity services in INT, both using OAuth2:
• One identity service “/oauth2” needs to use a smartcard/OIDC and uses NHS Identity to issue an access token. When this token is provided, the user’s roles are retrieved from NHS Identity using the /userinfo endpoint.
• There is a second method with no smartcard, “/oauth2-no-smartcard”, that issues an access token but is not integrated with NHS Identity. There is a different /userinfo endpoint URL associated with this method that provides roles information (fake user role data).

Having the Fake NHSID service saves having two separate pre-prod environments; however, during development an issue was discovered when connecting to the SCR API via API-M. Regardless of which method was used to authenticate (NHS Identity or no-smartcard), the lookup to the /userinfo endpoint always gets routed to the endpoint that serves NHS Identity, and the no-smartcard token is invalid. Proposed solution provided to API-M by email.

Under consideration platform platform-phase-3 Suggested by: Danny Ruttle Upvoted: 04 Mar, '21 Comments: 0