JWT validation

[jonnyry]

In order to ensure consumers are built in line with recently clarified JWT requirements at:

https://gpconnect-0-5-2.netlify.com/integration_cross_organisation_audit_and_provenance.html#jwt-payload

Suggest the following JWT validation should occur, and return an OperationOutcome with information on the error in the diagnostics element where a failure occurs:

• Check the following claim names are present in the JWT:

  • iss (issuer)
  • sub (subject)
  • aud (audience)
  • exp (expiry)
  • iat (issued at)
  • reason_for_request
  • requested_record
  • requested_scope
  • requesting_device
  • requesting_organization
  • requesting_practitioner

• Check iat and exp as per #222

• Check that reason_for_request == directcare

• Check that aud == https://authorize.fhir.nhs.net/token

• Check that requested_scope is in the list of valid values:

  • patient/*.read
  • organization/*.read

• Check requesting_organization is an Organization resource with:

  • an id element
  • a name element
  • an identifier element with
  • a system element containing https://fhir.nhs.net/Id/ods-organization-code
  • a value element

• Check requesting_practitioner is a Practitioner resource with:

  • an id element
  • a name element, with
  • a family element
  • a given element
  • an identifier element, with
  • a system element containing http://fhir.nhs.net/sds-user-id
  • and a value element

---

This has been transposed from the 1.2.3 ticket: https://github.com/nhsconnect/gpconnect-demonstrator/issues/209

[SimonFarrowNHS]

Extra requirements for validating requesting_device: an requesting_device.identifier element should be present containing both system and value elements requesting_device.version and requesting_device.model elements must also be populated.