Altinn, together with MaskinPorten, will create a new solution for machine-machine communication to give a more secure less cumbersome integration process.
For end users this will be called "Systembruker for virksomhet"
Main Goals
Give a solution that works for Altinn API and other API
Maskinporten will create tokens
System access can be delegated to others without sharing secrets
Altinn Authorization can authorize API calls based on claims in tokens from Maskinporten
Solution will be available for organizations to use. ID-porten covers private persons.
For more details and background, see #200
Functional description
Altinn will introduce a new concept called SystemUsers (Systembruker for virksomheter) to all organizations.
The functionality will be available from Altinn profile.
From the profile, the administrator can access the system users area to manage the system users for the organization.
A system user needs to be paired with a client_id in Maskinporten. The client_id can belong to system providers like Visma or belong to the organization itself.
When paired, the system vendor can call API on behalf of the organization.
For systems not provided by others, the organization can set up their own maskinporten client with help of uploading JWK
The organization admin can delegate rights to the system users to control what it can do or not do.
Consent based creation
In the future, Altinn will support consent-based creation of system users on request from System Vendors. This is to simplify the onboarding process for consumers.
There are still some clarification needed for this use case
Technical Description
System user administration
The system user will be implemented in Altinn Authentication.
New GUI implemented as part of new Altinn Authentication Frontend based on new architecture using React with .Net BFF hosted in Azure Containers Service
Database for system users in a new database for Altinn Authentication in Azure
API to manage system users in Altinn Authentication component
System User Datamodel
{
"id": "12ffc244-e86e-4d7e-9016-cfd0c1ab8b6d",
"Title": "Regnskapssystem Visma",
"Description": "Dette er regnskapssystemet vi bruker. Det er knyttet til abonnementet for Visma. Tore har detaljer om lisens",
"Client_id": "1d1e8d75-5dc4-4d42-b5a3-111741c8d1ea"
"SystemTypeid": "null",
"Created": "2023-12-24 : 18:30"
}
id: Unique identification that will be used in Altinn authorization to assign rights. Will be added to JWT token fra Maskinporten
Title: "Title used for management
Description: Description used for management
Client_Id: Pointer to own clientID in Maskinporten or Client_id system user
SystemTypeId: Reference to system register if placed
Token Authentication
When authenticating in Maskinporten the client will send a JWT Grant request to maskinport
To verify that the client has been given access to a system users for the specified organization, Maskinporten will call a new Altinn Authentication API with the following parameters.
Client_ID
Virksys orgnumber (999888777 in the example above)
The response will be the system userId that will be added to the Token
Flow diagram
Authorization
The following show the Authorize request that would be called from the PEP (Policy Enforcement Point) to the PDP.
PEP could be Dialogporten, Altinn App or any other API that is allowed to consume Altinn Authorization API
In Samarbeidsportalen, System Vendors can create clients that will be available in the system vendor list.
This will be controlled by a scope that will be open and available for everyone having access to Samarbeidsportalen
Maskinporten will expose an API that could be used to get the list of all these integrations.
Maskinporten client admin
To be able to administrate Maskinporten clients from Altinn maskinporten needs to expose API to create and update clients.
The API needs to support upload of JWK.
In scope
To be discussed
[ ] What authentication level will the new token have? Should we have something in token for this? Is this a Altinn only discussion?
[ ] What are the needs for rights delegation in the first iteration
Out of scope
No response
Additional Information
We will use new single rights delegation pages for the delegation of rights to system users.
annerisbakk
commented
1 month ago
Description
Altinn, together with MaskinPorten, will create a new solution for machine-machine communication to give a more secure less cumbersome integration process.
For end users this will be called "Systembruker for virksomhet"
Main Goals
For more details and background, see #200
Functional description
Altinn will introduce a new concept called SystemUsers (Systembruker for virksomheter) to all organizations.
The functionality will be available from Altinn profile.
From the profile, the administrator can access the system users area to manage the system users for the organization.
A system user needs to be paired with a client_id in Maskinporten. The client_id can belong to system providers like Visma or belong to the organization itself.
When paired, the system vendor can call API on behalf of the organization.
For systems not provided by others, the organization can set up their own maskinporten client with help of uploading JWK
The organization admin can delegate rights to the system users to control what it can do or not do.
Consent based creation
In the future, Altinn will support consent-based creation of system users on request from System Vendors. This is to simplify the onboarding process for consumers.
There are still some clarification needed for this use case
Technical Description
System user administration
The system user will be implemented in Altinn Authentication.
System User Datamodel
{ "id": "12ffc244-e86e-4d7e-9016-cfd0c1ab8b6d", "Title": "Regnskapssystem Visma", "Description": "Dette er regnskapssystemet vi bruker. Det er knyttet til abonnementet for Visma. Tore har detaljer om lisens", "Client_id": "1d1e8d75-5dc4-4d42-b5a3-111741c8d1ea" "SystemTypeid": "null", "Created": "2023-12-24 : 18:30" }
id: Unique identification that will be used in Altinn authorization to assign rights. Will be added to JWT token fra Maskinporten Title: "Title used for management Description: Description used for management Client_Id: Pointer to own clientID in Maskinporten or Client_id system user SystemTypeId: Reference to system register if placed
Token Authentication
When authenticating in Maskinporten the client will send a JWT Grant request to maskinport
The token will look like this.
SystemUser delegation check
To verify that the client has been given access to a system users for the specified organization, Maskinporten will call a new Altinn Authentication API with the following parameters.
The response will be the system userId that will be added to the Token
Flow diagram
Authorization
The following show the Authorize request that would be called from the PEP (Policy Enforcement Point) to the PDP. PEP could be Dialogporten, Altinn App or any other API that is allowed to consume Altinn Authorization API
System register Maskinporten
In Samarbeidsportalen, System Vendors can create clients that will be available in the system vendor list. This will be controlled by a scope that will be open and available for everyone having access to Samarbeidsportalen
Maskinporten will expose an API that could be used to get the list of all these integrations.
Maskinporten client admin
To be able to administrate Maskinporten clients from Altinn maskinporten needs to expose API to create and update clients.
The API needs to support upload of JWK.
In scope
To be discussed
Out of scope
No response
Additional Information
We will use new single rights delegation pages for the delegation of rights to system users.
Tasks Frontend/BFF
Tasks Authentication Delivery 1
Dependencies