...
auth_code: Must be exchanged afterwards for an access token
Id token
tenantid claim: The tenantId that the user selected
“region” claim: We suggest that you use this to redirect the user to a hosted version of your web-based app located in the same location as the account that the user selected (e.g. redirect from app.company.com to app-eu.company.com). This is especially important for Noah ES accounts, to avoid processing e.g. EU patient data in a data center of yours outside the EU.
3. Exchange auth_code for an access token
...
Note: Access and refresh tokens may vary greatly in length. Make no assumptions about the contents. They can change at any point in time.
4. Connecting to API
URI and port number
QA environment: api.qa.eu.noah-es.com:443
EU Production: api.eu.noah-es.com:443
US Production: api.us.noah-es.com:443
We suggest that you use the URI returned as claim “api” in the id token, especially if you are using the global IdP endpoint, which allows the user to select any account from any of our regions.
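One way to act on the “api” claim without letting an unexpected value decide where the access token is sent (an added example, not HIMSA's code). It assumes the id token's signature has already been validated, and that the claim holds a host, host:port or https URL; the page does not state the claim's format, and the function names are hypothetical.

```python
import base64
import json
from urllib.parse import urlsplit

# API hosts listed on this page; any other host in the "api" claim is rejected.
ALLOWED_API_HOSTS = {
    "api.qa.eu.noah-es.com",
    "api.eu.noah-es.com",
    "api.us.noah-es.com",
}


def decode_claims(id_token: str) -> dict:
    """Return the payload of an id token whose signature was ALREADY verified."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id token is not a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def api_endpoint(claims: dict) -> tuple:
    """Return (host, port) from the "api" claim, accepting only known hosts."""
    raw = str(claims.get("api") or "").strip()
    if not raw:
        raise ValueError('id token carries no "api" claim')
    # Assumed formats: "host", "host:port" or "https://host[:port]".
    parsed = urlsplit(raw if "://" in raw else "https://" + raw)
    if parsed.scheme != "https":
        raise ValueError("API endpoint must use TLS")
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_API_HOSTS:
        # Covers look-alike suffixes and "user@host" forms: urlsplit yields
        # the real host, and only an exact match is accepted.
        raise ValueError("unexpected API host: %r" % host)
    port = 443 if parsed.port is None else parsed.port
    if port != 443:
        raise ValueError("unexpected API port: %d" % port)
    return host, port


if __name__ == "__main__":
    # Constructed claims for illustration; the values are not real tokens.
    print(api_endpoint({"api": "api.eu.noah-es.com:443", "region": "eu"}))
```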
HIMSA's .NET Client:
Either use the constructor that takes an access token or a refresh token as input
...
Note: This is done automatically if you are using HIMSA's .NET Client. We never issue refresh tokens for service apps / machine-to-machine apps.
Lifetime of access tokens and refresh tokens varies depending on the client type and app type.
Logging off
If a user has set up only 1 account and that account is of type single sign-on, logging off will redirect the user directly to the login page. In that case it will not be possible to set up a different account.
We suggest redirecting to the account selection page of the IdP after successfully logging off. It is then important to include "forcechoose" in the query string (with any value).
We never issue refresh tokens for service apps / machine-to-machine apps. For other app types, it is possible to submit a support request for HIMSA to allow the use of refresh tokens for a specific app: https://himsanoah.atlassian.net/servicedesk/customer/portal/1/group/1/create/15