
This page gives an overview of the claims you will find in HelseID. HelseID issues tokens containing many different types of claims. Many of these claim types originate in specifications, while others are defined specifically for the needs of the Norwegian health sector.

Claims

| Name | Example | Description |
|---|---|---|
| helseid://claims/hpr/hpr_number | 181000001 | Health personnel number according to NHN's coding standard |
| helseid://claims/identity/security_level | 3 | Defined by Rammeverk for autentisering og uavviselighet i elektronisk kommunikasjon med og i offentlig sektor. Possible values are 2, 3 or 4. |
| helseid://claims/identity/pid | 04048900181 | Personal identifier |
| helseid://claims/identity/pid_pseudonym | | Personal identifier pseudonymized with HMAC (the contents of this claim are superseded by the sub claim) |
| helseid://claims/identity/network | helsenett | Indicates whether an end user authenticated using a HelseID server on the Internet or on Helsenett. Note that local infrastructure may route users from Helsenett to HelseID nodes exposed on the Internet. Possible values are 'internett' and 'helsenett'. |
| helseid://claims/client/client_name | Name of Client | The name of the client configuration as set up in HelseID Selvbetjening. This value can be used for logging purposes in APIs, but should not be used for access control. |
| helseid://claims/client/claims/orgnr_parent | 912159523 | The parent organization for an end user / client. See below. |
| helseid://claims/client/claims/orgnr_child | 922734046 | The child organization (underenhet/behandlingssted) for an end user / client. See below. |
| helseid://claims/client/claims/orgnr_supplier | 994598759 | For a multi-tenant system, this is the organization that has received a delegation to access HelseID on behalf of another organization. See below. |
| helseid://claims/client/client_tenancy | multi-tenant | Indicates the type of system that requested the access token. One of "none", "single-tenant" or "multi-tenant". |
| client_amr | private_key_jwt | The type of secret used for authenticating the client. Possible values are 'client_secret' and 'private_key_jwt'. If this claim is missing, no secret was used. |

Organization Number claims

HelseID offers two ways of including organization numbers in Access Tokens.

Organization numbers stored on the client configuration

The first method stores a parent organization number on the client configuration when it is set up in HelseID Selvbetjening. The organization the user represents is then the organization number of the client configuration. The user can also set up a whitelist of child organization numbers, but this is optional. Without the whitelist, no child organization number is included in the token. The client can inform HelseID about which child organization to include (see How to submit organizational information to HelseID, machine-to-machine and Passing organization identifier from a client application to HelseID); this organization number is then validated against the whitelist.

Multi-tenant systems

The second method is to set up a multi-tenant client configuration in HelseID. Such a configuration can represent multiple parent organizations, so HelseID must be informed which parent organization number to include in the token. The organization number is then validated against Altinn and the delegations set up there: HelseID verifies that a delegation exists from the submitted organization number to the Supplier organization number stored in the client configuration. If the delegation exists, the organization number is included in the issued Access Token. The client can also supply a child organization number; HelseID does not validate this organization number against a whitelist.
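The following is an added example, not HelseID's own code, showing how an API can check the HelseID-specific claims from the table above and resolve which organization a call is made on behalf of under the two models just described. It assumes the token signature has already been verified by a JWT library and that `claims` is the decoded payload as a dict; the nine-digit organization number format, the level-3 policy threshold and the rule that a multi-tenant token must carry orgnr_supplier are assumptions made for this example.

```python
"""Validate HelseID-specific claims and resolve the acting organization.

Added example, not HelseID's own code. Assumptions (constructed for this
example): the token's signature has already been verified and `claims` is
the decoded payload as a dict; organization numbers are nine-digit strings,
as in the examples in the claims table.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Claim names exactly as listed in the HelseID claims table
SECURITY_LEVEL = "helseid://claims/identity/security_level"
CLIENT_NAME = "helseid://claims/client/client_name"
TENANCY = "helseid://claims/client/client_tenancy"
ORGNR_PARENT = "helseid://claims/client/claims/orgnr_parent"
ORGNR_CHILD = "helseid://claims/client/claims/orgnr_child"
ORGNR_SUPPLIER = "helseid://claims/client/claims/orgnr_supplier"

SECURITY_LEVELS = {"2", "3", "4"}
TENANCIES = {"none", "single-tenant", "multi-tenant"}
CLIENT_AMRS = {"client_secret", "private_key_jwt"}
ORGNR = re.compile(r"^\d{9}$")  # assumption: organization numbers are 9 digits


@dataclass(frozen=True)
class Organization:
    parent: str               # organization the user/client represents
    child: Optional[str]      # underenhet/behandlingssted, if supplied
    supplier: Optional[str]   # delegated supplier, multi-tenant only


def check_helseid_claims(claims: dict, min_security_level: int = 3) -> List[str]:
    """Return a list of problems with the HelseID-specific claims.

    An empty list means the claims are acceptable. The level threshold is the
    API's own policy; level 3 is an assumed default for this example.
    """
    problems = []

    # security_level may be issued as a number or a string; compare as text
    level = str(claims.get(SECURITY_LEVEL, ""))
    if level not in SECURITY_LEVELS:
        problems.append(f"security_level missing or invalid: {level!r}")
    elif int(level) < min_security_level:
        problems.append(f"security_level {level} below required {min_security_level}")

    tenancy = claims.get(TENANCY)
    if tenancy not in TENANCIES:
        problems.append(f"client_tenancy missing or invalid: {tenancy!r}")

    # A missing client_amr means the client presented no secret at all
    amr = claims.get("client_amr")
    if amr is None:
        problems.append("client_amr missing: client authenticated without a secret")
    elif amr not in CLIENT_AMRS:
        problems.append(f"client_amr unknown: {amr!r}")

    # client_name is for logging only; nothing here or in resolve_organization
    # consults it for a decision.
    return problems


def resolve_organization(claims: dict) -> Organization:
    """Resolve the organization the caller acts for, per the two models above.

    Raises ValueError when the organization claims are missing or malformed.
    """
    tenancy = claims.get(TENANCY)
    parent = claims.get(ORGNR_PARENT)
    child = claims.get(ORGNR_CHILD)
    supplier = claims.get(ORGNR_SUPPLIER)

    for name, value in (("parent", parent), ("child", child), ("supplier", supplier)):
        if value is not None and not ORGNR.match(str(value)):
            raise ValueError(f"orgnr_{name} is not a nine-digit number: {value!r}")

    if parent is None:
        raise ValueError("orgnr_parent missing: no organization to act on behalf of")

    if tenancy == "multi-tenant":
        # HelseID validated the Altinn delegation from parent to supplier before
        # issuing the token, so this example requires the supplier claim too
        # (assumption). The child number was NOT whitelist-checked by HelseID;
        # the API must decide for itself whether to rely on it.
        if supplier is None:
            raise ValueError("multi-tenant token without orgnr_supplier")

    return Organization(
        parent=str(parent),
        child=None if child is None else str(child),
        supplier=None if supplier is None else str(supplier),
    )
```

In use, an API calls `check_helseid_claims` first and rejects the request on any problem, then bases its authorization decision on the `Organization` returned by `resolve_organization`, never on client_name.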

Standard claims

A token will also contain a set of standard claims originating from OpenID Connect and the JSON Web Token specification.

Claims from the OpenID Connect specification

| Name | Example value | Description |
|---|---|---|
| at_hash | y9WtN9oBLG9q0J6NDbAHZQ | Access Token hash value |
| amr | [ "external" ] | Authentication Methods References: the authentication methods used |
| auth_time | 1495545039 | When the end-user authentication took place |
| client_id | 75127481-74cb-4d74-8a97-1af4dfb90441 | Uniquely identifies a client configuration in HelseID. |
| name | Ola Olsen Nordmann | Full name |
| given_name | Ola | Given name |
| family_name | Nordmann | Family name |
| middle_name | Olsen | Middle name |
| sid | | Session ID |

Claims from the JWT specification

| Name | Example value | Description |
|---|---|---|
| aud | kjernejournal | Audience: who the token is intended for, usually the name of an API. |
| exp | 1495545339 | Expiration Time |
| iat | 1495545039 | Issued At |
| idp | https://idporten.difi.no | Identity Provider |
| iss | https://helseid-sts.test.nhn.no | Issuer |
| jti | F4F832F0C68E24F0011F773B71CC6739 | JWT ID, unique for each token issued by a specific provider within a given time period. |
| nbf | 1495545039 | Not before |
| scope | [ "openid", "profile", "read" ] | Authorization and identity scopes |
| sub | wEPgwne8KbTgNrfvEmWgaY7b7ePgzXCa+aRcON+K7eQ= | Subject. Unique for a given person for a given client. Hash of client_id + pid + salt. |
| sid | A773716579B066C5757522F4422E5BBE | Session ID. Unique identifier for a Single Sign-On session. |
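As an added example (not HelseID's own code), the function below checks the standard JWT and OpenID Connect claims from the two tables above the way an API would after verifying the token signature: issuer, audience (string or list), the exp/nbf/iat time window with clock-skew leeway, required scopes (list or space-separated string), and the presence of sub and jti. The small jti cache that follows uses the uniqueness of jti to refuse a second presentation of the same token within its lifetime. The expected issuer and audience are passed in by the caller; the 60-second leeway and the in-memory cache are design choices made for this example.

```python
"""Check the standard OIDC/JWT claims of a decoded HelseID token payload.

Added example, not HelseID's own code. Assumptions (constructed): `claims` is
the decoded payload as a dict from a JWT library whose signature check has
already passed; `leeway` absorbs clock skew between the API host and the STS.
"""
import time
from typing import Dict, Iterable, List, Optional


def validate_standard_claims(claims: dict, expected_issuer: str, expected_audience: str,
                             required_scopes: Iterable[str] = (),
                             now: Optional[int] = None, leeway: int = 60) -> List[str]:
    """Return a list of problems; an empty list means the token is acceptable."""
    problems = []
    now = int(time.time()) if now is None else int(now)

    if claims.get("iss") != expected_issuer:
        problems.append(f"iss mismatch: {claims.get('iss')!r}")

    # aud may be a single string or a list; the token is for us only if we are named
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_audience not in audiences:
        problems.append(f"aud does not include {expected_audience!r}: {audiences!r}")

    # exp and iat are mandatory numeric dates; nbf is optional
    for name in ("exp", "iat"):
        if not isinstance(claims.get(name), int):
            problems.append(f"{name} missing or not a numeric date")
    exp, nbf, iat = claims.get("exp"), claims.get("nbf"), claims.get("iat")
    if isinstance(exp, int) and now > exp + leeway:
        problems.append(f"token expired at {exp}")
    if isinstance(nbf, int) and now + leeway < nbf:
        problems.append(f"token not valid before {nbf}")
    if isinstance(iat, int) and iat > now + leeway:
        problems.append(f"iat {iat} is in the future")

    # scope is shown as a list above; OAuth also allows a space-separated string
    scope = claims.get("scope")
    scopes = set(scope.split()) if isinstance(scope, str) else set(scope or [])
    missing = [s for s in required_scopes if s not in scopes]
    if missing:
        problems.append(f"missing scopes: {missing}")

    # sub identifies the person for this client; jti identifies this token
    for name in ("sub", "jti"):
        if not claims.get(name):
            problems.append(f"{name} missing")
    return problems


class JtiCache:
    """Remember jti values until their exp so one token is accepted only once.

    Design note: this is a single-process, in-memory cache for illustration;
    an API running several instances needs a shared store for the same effect.
    """

    def __init__(self) -> None:
        self._seen: Dict[str, int] = {}

    def first_use(self, jti: str, exp: int, now: Optional[int] = None) -> bool:
        """True the first time a jti is presented, False on any later presentation."""
        now = int(time.time()) if now is None else int(now)
        # Forget entries whose token has expired; validate_standard_claims
        # rejects those anyway, so they no longer need tracking.
        self._seen = {j: e for j, e in self._seen.items() if e >= now}
        if jti in self._seen:
            return False
        self._seen[jti] = exp
        return True
```

A typical API flow is `validate_standard_claims` followed by `first_use(claims["jti"], claims["exp"])`, rejecting the request on any reported problem or on a repeated jti. Because sub is a hash of client_id, pid and salt, it is stable for one person at one client but differs between clients, so it cannot be used to correlate a person across APIs.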
