Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

HelseID requires that all clients authenticate using the private_key_jwt mechanism as described in the OpenID Connect specification.

This document summarizes how a client application should build the client assertion object and what requirements HelseID has for the content.

The structure of a client assertion

A client assertion is a signed JWT (Json Web Token) that is structurally equivalent to any token issued by HelseID. It consists of a header that describes the object, a payload that contains the actual claims and finally a signature made with the clients private key.

The following is an example of a typical client assertion:

eyJhbGciOiJSUzI1NiIsImtpZCI6IkFFMTZGQUFBQUFDM0U1OTk4QkQxOUNCODk1REI5NUU5IiwidHlwIjoiSldUIn0.eyJzdWIiOiI3ZjQwMzU0My1lN2JmLTRlNDItOTk4OC1mYzI5ZDYxYTI1NjMiLCJpYXQiOiIxNjc3NzQzODAzIiwianRpIjoiODkyYmEzZDQ0YTM3NDExZWJjOTI0ODIyMzQxNzYxNTciLCJuYmYiOjE2Nzc3NDM4MDMsImV4cCI6MTY3Nzc0Mzg2MywiaXNzIjoiN2Y0MDM1NDMtZTdiZi00ZTQyLTk5ODgtZmMyOWQ2MWEyNTYzIiwiYXVkIjoiaHR0cHM6Ly9oZWxzZWlkLXN0cy50ZXN0Lm5obi5uby9jb25uZWN0L3Rva2VuIn0.P9kMUfLjuT67ZXoppCDKH_8YUvgv_7pZCyi_QQV_c-ntz9XcNciQ7_4Wrbq_b2AxiyF7sM3jQUMH6PaQF96h9FYJ2_S8uLzCKMee8zzH_ku3pvQ7_qQFWXAZ30_vmLVPDAhEfcT2VzFkvH8IwiqVfl-0iSKbwsOsSTSRsApyWy7QXJsFxxEiRDDCad6N3Se_nLRVRfeY3FqhHxua4-JwyObcHGuHaCF8kBZ94FMQTyQXOQI2Vz61jk05KRb29sUjlbYT2gK_No1Zb361Od6uiFV-X4cAub-zkcVK4TXhUvVOkMEWftKsOd8VHtucMuJS6ZoHmzBatHfzBgWmeF4AJQ7MtJGZEvpwDmWvil6T4ETk4ABT-kgPqVHNNyVgzq3QiAURiW77KZJZeGH2c1oP8MITRrGPa1FZTBwcdq_59Jibfdiu2az6bBI2BF0W_CzWLEULmz5JED1ak2hRX1hXeU7g2Qi8vrg290vALeHb4KovbOuutSCAoe5_uKIbvzUIVqLvAWLUfNnyQkZNoy-15-jI7RNzUdq3xfQbqiS7aCVyxc8vGmv6VXo3WsP1G6EX5hDbA0yaC03k1xCcZO-Zl7hXn16VOuDNOlo3xXcUjLQt8FLQMizXfTsfEDpwi1W7Y7utMR3kXqXynwq8DMHw_9-riOr-qg62dJWNjUXakjw

When we decode the Base64 encoded values we get the following:

{
  "alg": "RS256",
  "kid": "AE16FAAAAAC3E5998BD19CB895DB95E9",
  "typ": "JWT"
}.{
  "sub": "YOUR CLIENT ID",
  "iat": 1677743803,
  "jti": "892ba3d44a37411ebc92482234176157",
  "nbf": 1677743803,
  "exp": 1677743863,
  "iss": "YOUR CLIENT ID",
  "aud": "https://helseid-sts.test.nhn.no/"
}.[Signature]

As you can see the client assertion is a standard JWT. The header should contain claims that describe the JWT itself:

alg

The signing algorithm used to create the signature part of the JWT. HelseID only supports asymmetric signing algorithms.

kid

The Key ID for the key used to create the signature part of the JWT

typ

The type of object this JWT is. Should be set to “JWT”

The body of the JWT should contain the following claims:

sub

Subject ID. Should be set to the Client ID of your client

iat

The time the JWT was issued. Expressed in seconds

jti

A unique id for the JWT. A client assertion should only be used once and this value will be used to enforce that rule in the future

nbf

The earliest time that the JWT can be used. Expressed in seconds

exp

The last time the JWT can be used. Expressed in seconds. Must be no more than 60 seconds in the future.

iss

The issuer of the JWT. Should be set to the Client ID of your client

aud

Audience for the JWT. Should be set to the url of the HelseID environment your client is calling. We also accept the token endpoint of that environment for backward compatibility.

The signature of the JWT should be created using an asymmetric signing algorithm and must be one of the following: RS256, RS384, RS512, ES256, RS384, ES512, PS256, PS384, PS512. The list of accepted signing algorithms may change in the future, and updated list of accepted algorithms is maintained in the HelseID Security Profile for Clients.

  • No labels