
Here you will find an overview of the claims found in HelseID. HelseID issues tokens with many different types of claims. Many of these claim types originate in specifications, while others are defined specifically from the needs of the health sector in Norway.

Claims

Name | Example | Description
--- | --- | ---
helseid://claims/hpr/hpr_number | 181000001 | Health personnel number according to NHN's coding standard
helseid://claims/identity/security_level | 3 | Defined by "Rammeverk for autentisering og uavviselighet i elektronisk kommunikasjon med og i offentlig sektor". Possible values are 2, 3 or 4.
helseid://claims/identity/pid | 04048900181 | Personal identifier
helseid://claims/identity/pid_pseudonym | | Personal identifier pseudonymized with HMAC (the contents of these claims are superseded by the sub claim)
helseid://claims/identity/network | helsenett | Indicates whether an end user authenticated using a HelseID server on the Internet or on 'Helsenett'. Note that local infrastructure may route users from Helsenett to HelseID nodes exposed on the Internet. Possible values are 'internett' and 'helsenett'.
helseid://claims/client/client_name | Name of Client | The name of the client configuration as set up in HelseID Selvbetjening. This value can be used for logging purposes in APIs, but should not be used for access control.
helseid://claims/client/claims/orgnr_parent | 912159523 | The parent organization for an end user / client. See below.
helseid://claims/client/claims/orgnr_child | 922734046 | The child organization (underenhet/behandlingssted) for an end user / client. See below.
helseid://claims/client/claims/orgnr_supplier | 994598759 | For a multi-tenant system, this is the organization that has received a delegation to access HelseID on behalf of an organization. See below.
helseid://claims/client/client_tenancy | multi-tenant | Indicates the type of system that requested the access token. Can have one of the following values: "none", "single-tenant" or "multi-tenant".
client_amr | private_key_jwt | The type of secret used for authenticating the client. Possible values are 'client_secret' and 'private_key_jwt'. If this claim is missing, no secret was used.

Organization Number claims

HelseID offers two ways of including organization numbers in Access Tokens.

Organization numbers stored on the client configuration

The first is to store a parent organization number on the configuration when it is set up in HelseID Selvbetjening. The organization the user represents is stored as the organization number of the client configuration. The user can also set up a whitelist of child organization numbers, but this is optional. Without the whitelist, no child organization number is included in the token. The client can inform HelseID about which child organization to include (see How to submit organizational information to HelseID, machine-to-machine, and Passing organization identifier from a client application to HelseID); this organization number is then validated against the whitelist.

Multi-tenant systems

The second is to set up a multi-tenant client configuration in HelseID. Such configurations can represent multiple parent organizations, so HelseID must be told which parent organization number to include in the token. The organization number is then validated against Altinn and the delegations set up there: HelseID verifies that a delegation exists from the submitted organization number to the organization number of the Supplier stored in the client configuration. If the delegation exists, the organization number is included in the issued Access Token. The client can also supply a child organization number; HelseID does not validate this organization number against a whitelist.
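As an added example (not HelseID's own code), the following shows how an API could turn the claims described above into an authorization decision: keying on client_id rather than client_name, enforcing a minimum security_level, and treating the organization numbers differently for single-tenant and multi-tenant clients. The allow-list, the level threshold and the sample claim set are constructed assumptions; signature, iss, aud, exp and nbf are assumed to have been checked by a JWT library beforehand.

```python
# Added example, not HelseID's own code: evaluate an already-verified
# HelseID access token's claims (signature, iss, aud, exp, nbf checked by a
# JWT library beforehand). Claim names come from the table above; the
# policy (allow-list, minimum level) and sample values are constructed.
from dataclasses import dataclass
from typing import Optional

SECURITY_LEVEL = "helseid://claims/identity/security_level"
TENANCY = "helseid://claims/client/client_tenancy"
ORGNR_PARENT = "helseid://claims/client/claims/orgnr_parent"
ORGNR_CHILD = "helseid://claims/client/claims/orgnr_child"
ORGNR_SUPPLIER = "helseid://claims/client/claims/orgnr_supplier"

@dataclass(frozen=True)
class Caller:
    subject: str                 # pairwise 'sub': stable per person per client
    client_id: str               # configuration id; client_name is for logs only
    parent_org: str              # organization the user acts on behalf of
    child_org: Optional[str]     # underenhet, when the client supplied one
    supplier_org: Optional[str]  # set only for multi-tenant systems

def evaluate(claims: dict, allowed_clients: set, min_level: int = 4) -> Caller:
    """Return the Caller a verified claim set represents, or raise."""
    client_id = claims.get("client_id", "")
    if client_id not in allowed_clients:  # never key this on client_name
        raise PermissionError(f"client {client_id!r} not allowed")
    if int(claims.get(SECURITY_LEVEL, 0)) < min_level:
        raise PermissionError("security level too low")
    parent = claims.get(ORGNR_PARENT)
    if not parent:
        raise PermissionError("no parent organization in token")
    supplier = claims.get(ORGNR_SUPPLIER)
    if claims.get(TENANCY) == "multi-tenant":
        # HelseID checked the Altinn delegation from parent to supplier
        if not supplier:
            raise PermissionError("multi-tenant token without supplier")
    else:
        supplier = None  # parent came from the client configuration itself
    return Caller(claims["sub"], client_id, parent,
                  claims.get(ORGNR_CHILD), supplier)

# Constructed sample claim set mirroring the example values in the table.
SAMPLE_CLAIMS = {
    "sub": "wEPgwne8KbTgNrfvEmWgaY7b7ePgzXCa+aRcON+K7eQ=",
    "client_id": "75127481-74cb-4d74-8a97-1af4dfb90441",
    "helseid://claims/client/client_name": "Name of Client",
    SECURITY_LEVEL: "4", TENANCY: "multi-tenant",
    ORGNR_PARENT: "912159523", ORGNR_CHILD: "922734046",
    ORGNR_SUPPLIER: "994598759",
}
```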

Standard claims

A token will also contain a set of standard claims originating from OpenID Connect and the JSON Web Token specification.

Claims from the OpenID Connect specification

Name | Example value | Description
--- | --- | ---
at_hash | y9WtN9oBLG9q0J6NDbAHZQ | Access Token hash value
amr | [ "external" ] | Authentication Methods References (the authentication methods used)
auth_time | 1495545039 | When the end-user authentication took place
client_id | 75127481-74cb-4d74-8a97-1af4dfb90441 | Uniquely identifies a client configuration in HelseID.
name | Ola Olsen Nordmann | Full name
given_name | Ola | Given name
family_name | Nordmann | Family name
middle_name | Olsen | Middle name
sid | | Session ID

Claims from the JWT specification

Name | Example value | Description
--- | --- | ---
aud | kjernejournal | Audience: who the token is intended for, usually the name of an API.
exp | 1495545339 | Expiration Time
iat | 1495545039 | Issued At
idp | https://idporten.difi.no | Identity Provider
iss | https://helseid-sts.test.nhn.no | Issuer
jti | F4F832F0C68E24F0011F773B71CC6739 | JWT ID, unique for each token issued by a specific provider within a given time period.
nbf | 1495545039 | Not before
scope | [ "openid", "profile", "read" ] | Authorization and identity scopes
sub | wEPgwne8KbTgNrfvEmWgaY7b7ePgzXCa+aRcON+K7eQ= | Subject: unique for a given person for a given client. Hash of client_id + pid + salt.
sid | A773716579B066C5757522F4422E5BBE | Session ID

...

The document has been moved to Utviklerportalen.

This document has been moved. Please see the document at this page (English).