Description
We need to get an overview of common authorization scenarios and mechanisms that exist today and will be implemented into the platform. Here are some movements happening where there are questions related to authorization:

- `IServiceTask` implementations (may run in background, may retry operations on failure)

In scope
No response
Out of scope
No response
Additional Information
No response
Analysis
User flow 1

- Log into tt02 manually, then navigate to an app
  - `altinnContext` cookie is set (this is still A2 I think)
  - `altinnContext` and `altinnReportee` cookies are set (this is still A2 I think)
  - `platform.tt02.altinn.no/authentication/api/v1/authentication` then back again
  - `AltinnStudioRuntime` is set by Authn API, it is a JWT, see below
  - (`/profile/user`, `/parties`, `/authorization/parties/current`)
  - `PUT /parties/{partyId}`, `AltinnPartyId` cookie is set

JWT token claims:

Q: `partyid` claim in the auth cookie can differ from `altinnReportee` and `AltinnPartyId`, how does this stay consistent?

Mechanisms for authorization accepted by apps APIs

- User token (logged in through Altinn)
  - Context: person, and party through party selection
- Maskinporten token
  - Context: org

Platform and Core APIs

- Storage - user token + APIM subscription key
  - User token comes from `IUserTokenProvider` which in reality is either the `AltinnStudioRuntime` cookie or the auth header, so it needs the HTTP Context directly
- Notifications - `PlatformAccessToken`
- Events - user token + `PlatformAccessToken` + APIM subscription key
- Profile - user token + `PlatformAccessToken` + APIM subscription key
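As an added illustration of the two user-token sources named above (the `AltinnStudioRuntime` cookie or the `Authorization` header) and of the open question about the `partyid` claim, here is a hypothetical ASP.NET Core helper; it is not the project's own `IUserTokenProvider` implementation. It assumes `IHttpContextAccessor` is registered, uses `System.IdentityModel.Tokens.Jwt` to read (not validate) the token, and takes the cookie and claim names from this issue.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using Microsoft.AspNetCore.Http;

// Hypothetical stand-in written for this issue; the real provider in the
// app library may differ in shape and behaviour.
public sealed class UserTokenResolver
{
    private const string RuntimeCookie = "AltinnStudioRuntime"; // JWT cookie set by the Authn API
    private const string PartyCookie = "AltinnPartyId";         // set after PUT /parties/{partyId}
    private readonly IHttpContextAccessor _accessor;

    public UserTokenResolver(IHttpContextAccessor accessor) => _accessor = accessor;

    // Resolve the raw user token: Authorization: Bearer header first, then the
    // runtime cookie. Both sources need the HTTP context, hence the accessor.
    public string? GetUserToken()
    {
        var request = _accessor.HttpContext?.Request;
        if (request is null) return null;

        string? header = request.Headers.Authorization.FirstOrDefault();
        if (header is not null && header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
            return header["Bearer ".Length..].Trim();

        return request.Cookies.TryGetValue(RuntimeCookie, out var cookie) ? cookie : null;
    }

    // Consistency check for the question above: does the partyid claim in the
    // token agree with the AltinnPartyId cookie? Returns null when either side
    // is missing (nothing to compare), otherwise whether the two values match.
    // The token is only parsed here; signature, issuer and expiry validation
    // belong to the authentication middleware, not to this check.
    public bool? PartyIdMatchesCookie()
    {
        var request = _accessor.HttpContext?.Request;
        string? token = GetUserToken();
        if (request is null || token is null) return null;
        if (!request.Cookies.TryGetValue(PartyCookie, out var cookieParty)) return null;

        var handler = new JwtSecurityTokenHandler();
        if (!handler.CanReadToken(token)) return null;
        string? claimParty = handler.ReadJwtToken(token).Claims
            .FirstOrDefault(c => c.Type == "partyid")?.Value;
        if (claimParty is null) return null;

        return string.Equals(claimParty, cookieParty, StringComparison.Ordinal);
    }
}
```

A `false` result is the mismatch case the question asks about; logging it per request is a cheap way to measure how often the cookie and the claim actually disagree before deciding which one the app should trust.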
Conclusion
No response