Requesting multiple access tokens with single audiences

Several national APIs require access tokens with the API resource as the only audience. One way to obtain them is to make a separate request to the authorize endpoint (and a corresponding request to the token endpoint) for each API the client needs access to.

This technique is cumbersome and may degrade the user experience as the browser is redirected to HelseID for each request to the authorize endpoint.

As an alternative, we support the resource indicator specification, RFC 8707, which lets a single authorization request name several API resources and lets each token request ask for one of them.

Our public github repository has sample code showing use of the resource parameter.

How to request multiple API resources

Consider these APIs which both require access tokens with single audiences.

API 1
  API-name (audience): owner-1:api
  Scopes:              owner-1:api\read
                       owner-1:api\write

API 2
  API-name (audience): owner-2:api
  Scopes:              owner-2:api\read

Authenticating the user and indicating resources

The client must

  • Indicate which API resources will be requested (the resource parameter)

  • Indicate which scopes will be requested for the API resources (the scope parameter)

  • Request a refresh token (the offline_access scope in the scope parameter), which is needed to obtain the access tokens for the remaining resources

GET /authorize?
    client_id=client&
    response_type=code&
    scope=owner-1:api\write owner-2:api\read offline_access&
    resource=owner-1:api&
    resource=owner-2:api
    ....

Requesting the first access token

You then redeem the code returned from the authorize endpoint, and specify for which resource you want an access token (resource=owner-1:api).

POST /token
    grant_type=authorization_code&
    client_id=client&
    client_assertion=...&
    client_assertion_type=...&
    code=...&
    redirect_uri=...&
    resource=owner-1:api
    ....

Requesting the next access token

The previous request returns a refresh token and an access token with audience owner-1:api and scope owner-1:api\write. You use the refresh token to acquire the next access token, again naming the resource you want it for (resource=owner-2:api).

POST /token
    grant_type=refresh_token&
    client_id=client&
    client_assertion=...&
    client_assertion_type=...&
    refresh_token=...&
    resource=owner-2:api
    ....

This will return a new refresh token and an access token with audience owner-2:api and scope owner-2:api\read. Each access token therefore carries exactly one audience, and each API should reject a token whose aud claim is not its own name alone.
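The whole exchange above, as an added example that is not HelseID's sample code: it builds the authorize request with one resource parameter per API, the code-redemption and refresh requests that each name a single resource, and the check an API should run on the token it receives. The endpoint URLs, the jwt-bearer assertion type and the "..." values are placeholders; the audience and scope names are the ones from the page.

```python
from urllib.parse import urlencode

AUTHORIZE_ENDPOINT = "https://sts.example/connect/authorize"  # assumed placeholder
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def build_authorize_url(client_id, redirect_uri, scopes, resources):
    """One scope parameter (with offline_access for a refresh token),
    plus one repeated resource parameter per API, as in RFC 8707."""
    params = [
        ("client_id", client_id),
        ("response_type", "code"),
        ("redirect_uri", redirect_uri),
        ("scope", " ".join(list(scopes) + ["offline_access"])),
    ]
    params += [("resource", r) for r in resources]  # repeated, one per API
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def code_request(client_id, client_assertion, code, redirect_uri, resource):
    """Form body that redeems the code for ONE resource's access token."""
    return {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": client_assertion,
        "code": code,
        "redirect_uri": redirect_uri,
        "resource": resource,
    }


def refresh_request(client_id, client_assertion, refresh_token, resource):
    """Form body that uses the refresh token to get the NEXT resource's token."""
    return {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": client_assertion,
        "refresh_token": refresh_token,
        "resource": resource,
    }


def accepts_token(claims, my_audience):
    """API-side check on already signature- and expiry-validated claims:
    aud must be exactly this API, and every scope must belong to it."""
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if aud != [my_audience]:
        return False  # missing, foreign or multi-valued audience
    return all(s.startswith(my_audience + "\\") for s in claims.get("scope", "").split())
```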