...

In HelseID this specification is used when back-end services, mainly REST APIs, need to call other services on behalf of an authenticated person or organisation.

Key concepts

Token Exchange introduces some new terms:

subject_token: An access token issued by HelseID that includes claims about the authenticated person and organisation. This token is exchanged using token exchange.

...

  • access_token: base64-encoded Access Token. This token is used by the actor client in requests to other APIs.

  • issued_token_type: always urn:ietf:params:oauth:token-type:access_token.

  • token_type: always Bearer.

  • expires_in: lifetime in seconds of the returned token.

Example:

Code Block
    HTTP/1.1 200 OK
    Content-Type: application/json
    Cache-Control: no-cache, no-store

    {
        "access_token": "[base64url-encoded JWT, elided here]",
        "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "token_type": "Bearer",
        "expires_in": 3600
    }

Error response

  • error: error code.

  • error_description: description of the error.

...

  • Validation of the subject token failed:

    Code Block
    {
        "error": "invalid_request",
        "error_description": "invalid subject_token - [detaljert informasjon]"
    }
    

    This includes the token not having been issued by HelseID, the token having expired, and similar causes.

  • Actor client lacks permissions:

    Code Block
    {
        "error": "invalid_request",
        "error_description": "not permitted"
    }
    

    This situation occurs if the subject client is not configured to allow token exchange for the actor client.

  • Actor client requests permissions that are too broad:

    Code Block
    {
        "error": "invalid_target",
        "error_description": "invalid scopes requested"
    }
    

    This occurs if the client requests scopes that span multiple API resources.

  • Actor client attempts to exchange a token that has already been exchanged too many times:

    Code Block
    {
        "error": "invalid_request",
        "error_description": "subject_token exchanged too many times (5)"
    }
    
  • Actor client belongs to a different Configuration Owner than the aud (API resource) in the subject token:

    Code Block
    {
        "error": "invalid_request",
        "error_description": "no audience matching configuration owner of client_id [client_id] was found in subject token"
    }
    

...

Code Block
{
    "iss": "https://helseid-sts.test.nhn.no",
    "client_id": "client_actor",
    "helseid://claims/client/claims/orgnr_parent": "912159523",
    "helseid://claims/client/claims/orgnr_parent_description": "EKSEMPEL AS"
}

For call chains where Token Exchange is used several times, the result is a nested structure of act claims. The innermost actor is the oldest actor, and the outermost actor is the newest, that is, the active actor for the access token in question.

Example of an act claim with nesting:

...

Code Block
{
  "iss": "https://helseid-sts.test.nhn.no",
  "nbf": 1672911351,
  "iat": 1672911351,
  "exp": 1672914951,
  "aud": "test:test-api",
  "scope": [
    "test:test-api/api"
  ],
  "amr": [
    "pwd"
  ],
  "client_id": "[token_exchange_actor_client_guid]",
  "helseid://claims/client/original_client_id": "[token_exchange_subject_client_guid]",
  "client_amr": "private_key_jwt",
  "helseid://claims/identity/pid": "15037104229",
  "helseid://claims/identity/security_level": "4",
  "jti": "2E2F7052528642005005B66995E1D083",
  "sid": "9CC2BC2A4298DEBA9B0C5AD1BF8EC53B",
  "act": {
    "iss": "https://helseid-sts.test.nhn.no",
    "client_id": "token_exchange_actor_client",
    "helseid://claims/client/claims/orgnr_parent": "999977774"
  },
  "helseid://claims/client/claims/orgnr_parent": "999977774",
  "sub": "UpUAie3PU6BaX2M+SlVVeXyp86b4PMvNy9i9Zi2ShUg=",
  "auth_time": 1672911347,
  "idp": "testidp-oidc",
  "name": "ANNE MARKUSSEN ENGEBAKKEN",
  "helseid://claims/client/amr": "rsa_private_key"
}
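As an added example (not code from the HelseID documentation), the following Python walks a nested act structure as described above, newest actor first, checks that the active actor agrees with the token's client_id, and validates a token exchange response against the success and error shapes shown on this page. The client ids and the two-level nesting are constructed for illustration.

```python
import json

# Constructed sample (not a real HelseID token): decoded claims of a token
# that has been exchanged twice, so the act claim is nested one level deep.
# Client ids are placeholders, not real HelseID clients.
NESTED_CLAIMS = {
    "iss": "https://helseid-sts.test.nhn.no",
    "aud": "test:test-api",
    "scope": ["test:test-api/api"],
    "client_id": "actor_client_2",
    "helseid://claims/client/original_client_id": "subject_client",
    "act": {
        "iss": "https://helseid-sts.test.nhn.no",
        "client_id": "actor_client_2",
        "helseid://claims/client/claims/orgnr_parent": "999977774",
        "act": {
            "iss": "https://helseid-sts.test.nhn.no",
            "client_id": "actor_client_1",
            "helseid://claims/client/claims/orgnr_parent": "912159523",
        },
    },
}

EXPECTED_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def actor_chain(claims):
    """Walk nested act claims; returns client_ids newest (outermost) first, oldest last."""
    chain = []
    act = claims.get("act")
    while isinstance(act, dict):
        chain.append(act["client_id"])
        act = act.get("act")
    return chain


def active_actor(claims):
    """The outermost act entry is the actor holding the token; it must agree with
    the token's own client_id, otherwise the delegation chain is inconsistent."""
    chain = actor_chain(claims)
    if not chain or chain[0] != claims.get("client_id"):
        raise ValueError("act claim does not match client_id")
    return chain[0]


def check_exchange_response(status, body):
    """Return the access_token from a successful exchange response; on an error
    response raise with the error code and description from the JSON body."""
    data = json.loads(body)
    if status != 200:
        raise ValueError(f'{data["error"]}: {data.get("error_description", "")}')
    if data.get("token_type") != "Bearer" or data.get("issued_token_type") != EXPECTED_TOKEN_TYPE:
        raise ValueError("unexpected token type in exchange response")
    return data["access_token"]
```

The returned access_token must still have its signature, issuer, audience and expiry verified before any claim, including act, is trusted; that step is outside this snippet.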