docs/specification/1.0.md
Lines changed: 23 additions & 7 deletions
@@ -479,9 +479,19 @@ Each time an EHR transmits a request to a CDS Service, the request MUST include
479
479
```
480
480
Authorization: Bearer {{JWT}}
481
481
```
482
-
Note that this is for every single CDS Service call, whether that be a Discovery call, a single CDS Service invocation, or multiple exchanges relating to a single service. Also note that mutual TLS MAY be used alongside JSON web tokens to establish trust of the EHR by the CDS Service.
482
+
Note that this is for every single CDS Service call, whether that be a Discovery call, a single CDS Service invocation, or multiple exchanges relating to a single service. Also note that mutual TLS MAY be used alongside JSON web tokens to establish trust of the EHR by the CDS Service.
483
483
484
-
The EHR MUST use its private key to digitally sign the JWT, using the [JSON Web Signatures (RFC7515)](https://tools.ietf.org/html/rfc7515) standard. The JWT contains the following fields:
484
+
The EHR MUST use its private key to digitally sign the JWT, using the [JSON Web Signatures (rfc7515)](https://tools.ietf.org/html/rfc7515) standard.
485
+
486
+
The JWT header contains the following fields (see [rfc7515 section 4.1](https://tools.ietf.org/html/rfc7515#section-4.1) for further information on these standard headers):
487
+
488
+
Field | Priority | Value
489
+
----- | ----- | --------
490
+
alg | REQUIRED | *string* The cryptographic algorithm used to sign this JWT.
491
+
kid | REQUIRED | *string* The identifier of the key-pair used to sign this JWT.
492
+
typ | REQUIRED | *string* Fixed value: `JWT`.
493
+
494
+
The JWT payload contains the following fields:
485
495
486
496
Field | Priority | Value
487
497
----- | ----- | --------
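Review bot: the new header table leaves the `alg` row unconstrained ("The cryptographic algorithm used to sign this JWT") even though the surrounding text says the EHR signs with its private key; because `alg` is read from the not-yet-verified JWT header, the spec should state which algorithms a CDS Service accepts (asymmetric signatures only, for example RS256 or ES256, and never `none`) so that a verifier does not let the token select its own verification method. Suggest a sentence after the table along the lines of `The CDS Service MUST reject a JWT whose alg is not one of the asymmetric algorithms it supports`. Minor: the link text changes from `RFC7515` to `rfc7515` within this hunk; the lowercase form matches the `rfc7519` and `rfc7517` links in the next hunk, so use it consistently.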
@@ -491,28 +501,34 @@ aud | REQUIRED | *string or array of strings* The CDS Service endpoint that is b
491
501
exp | REQUIRED | *number* Expiration time integer for this authentication JWT, expressed in seconds since the "Epoch" (1970-01-01T00:00:00Z UTC).
492
502
iat | REQUIRED | *number* The time at which this JWT was issued, expressed in seconds since the "Epoch" (1970-01-01T00:00:00Z UTC).
493
503
jti | REQUIRED | *string* A nonce string value that uniquely identifies this authentication JWT (used to protect against replay attacks)
494
-
kid | REQUIRED | *string* The identifier of the key-pair used to sign this JWT.
495
504
496
505
Per [rfc7519](https://tools.ietf.org/html/rfc7519#section-4.1.3), the `aud` value is either a string or an array of strings. For CDS Hooks, this value MUST BE the URL of the CDS Service endpoint being invoked. For example, consider a CDS Service available at a base URL of `https://cds.example.org`. When the EHR invokes the CDS Service discovery endpoint, the aud value is either `"https://cds.example.org/cds-services"` or `["https://cds.example.org/cds-services"]`. Similarly, when the EHR invokes a particular CDS Service (say, `some-service`), the aud value is either `"https://cds.example.org/cds-services/some-service"` or `["https://cds.example.org/cds-services/some-service"]`.
497
506
498
-
An example JSON web token payload:
507
+
The EHR MUST make its public key, expressed as a JSON Web Key (JWK) in a JWK Set, as defined by [rfc7517](https://tools.ietf.org/html/rfc7517). The `kid` value from the JWT header allows a CDS Service to identify the correct JWK in the JWK Set that can be used to verify the signature.
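Review bot: the added sentence on the last `+` line is missing its verb (`The EHR MUST make its public key, expressed as a JSON Web Key (JWK) in a JWK Set, as defined by rfc7517.` never says what the EHR must do with the key) and does not say how the CDS Service obtains the JWK Set. Suggest `The EHR MUST make its public key available, expressed as a JSON Web Key (JWK) in a JWK Set, as defined by rfc7517`, followed by where the JWK Set is published (a URL registered with the CDS Service, or a reference carried in the JWT header), so that the `kid` lookup described in the following sentence has a defined source. Separately, this hunk deletes the line `An example JSON web token payload:`; if the example payload it introduced still follows, it now sits after the JWK paragraph with no introduction, so either keep the line or move the example so it directly follows the payload table.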