New machine-machine authentication method #331
Comments
TheTechArch
added
status/draft
15 tasks
20 tasks
ekorra
removed
the
status/draft
5 tasks
This was referenced Feb 21, 2024
|
@ekorra rydder denne |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description
Altinn, together with MaskinPorten, will create a new solution for machine-machine communication to give a more secure less cumbersome integration process.
For end users this will be called "Systembruker for virksomhet"
Main Goals
For more details and background, see #200
Functional description
Altinn will introduce a new concept called SystemUsers (Systembruker for virksomheter) to all organizations.
The functionality will be available from Altinn profile.
From the profile, the administrator can access the system users area to manage the system users for the organization.
A system user needs to be paired with a client_id in Maskinporten. The client_id can belong to system providers like Visma or belong to the organization itself.
When paired, the system vendor can call API on behalf of the organization.
For systems not provided by others, the organization can set up their own maskinporten client with help of uploading JWK
The organization admin can delegate rights to the system users to control what it can do or not do.
Consent based creation
In the future, Altinn will support consent-based creation of system users on request from System Vendors. This is to simplify the onboarding process for consumers.
There are still some clarification needed for this use case
Technical Description
System user administration
The system user will be implemented in Altinn Authentication.
System User Datamodel
{
"id": "12ffc244-e86e-4d7e-9016-cfd0c1ab8b6d",
"Title": "Regnskapssystem Visma",
"Description": "Dette er regnskapssystemet vi bruker. Det er knyttet til abonnementet for Visma. Tore har detaljer om lisens",
"Client_id": "1d1e8d75-5dc4-4d42-b5a3-111741c8d1ea"
"SystemTypeid": "null",
"Created": "2023-12-24 : 18:30"
}
id: Unique identification that will be used in Altinn authorization to assign rights. Will be added to JWT token fra Maskinporten
Title: "Title used for management
Description: Description used for management
Client_Id: Pointer to own clientID in Maskinporten or Client_id system user
SystemTypeId: Reference to system register if placed
Token Authentication
When authenticating in Maskinporten the client will send a JWT Grant request to maskinport
{ "aud": "https://maskinporten.no/", "iss": "0e85a8ba-77e8-4a6c-a0f5-74fc328a9ffb", "scope": "digdir:dialogporten skatteetaten:mva" "authorization_details": [ { "type": "urn:altinn:systemuserorgno", "part": "0192:999888777", } ] }The token will look like this.
{ "iss" : "https://ver2.maskinporten.no/", "client_amr" : "virksomhetssertifikat", "token_type" : "Bearer", "aud" : "unspecified", "consumer" : { "authority" : "iso6523-actorid-upis", "ID" : "0192:910753614" }, "authorization_details": [ { "type": "urn:altinn:systemuserorgno", "systemuserparty": "0192:999888777", "systemuser": "12ffc244-e86e-4d7e-9016-cfd0c1ab8b6d", // Used for authorization "systemid": "f9e58561-a165-4e26-85ed-fe9da8d2325a" // Identifies the software } "scope" : "digdir:dialogporten skatteetaten:mva", "exp" : 1578924303, "iat" : 1578923303, "jti" : "QPdTeNlE-RtrNczkCIZ0yAoSzJSIC3Jo7L6B_PmY2X4" }SystemUser delegation check
To verify that the client has been given access to a system users for the specified organization, Maskinporten will call a new Altinn Authentication API with the following parameters.
The response will be the system userId that will be added to the Token
Flow diagram
Authorization
The following show the Authorize request that would be called from the PEP (Policy Enforcement Point) to the PDP.
PEP could be Dialogporten, Altinn App or any other API that is allowed to consume Altinn Authorization API
{ "Request": { "ReturnPolicyIdList": true, "AccessSubject": [ { "Attribute": [ { "AttributeId": "urn:altinn:systemuser", "Value": "12ffc244-e86e-4d7e-9016-cfd0c1ab8b6d" }, { "AttributeId": "scope", "Value": "digdir:dialogporten skatteetaten:mva" } ] } ], "Action": [ { "Attribute": [ { "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id", "Value": "read", "DataType": "http://www.w3.org/2001/XMLSchema#string" } ] } ], "Resource": [ { "Attribute": [ { "AttributeId": "urn:altinn:resource", "Value": "mva_dialog" }, { "AttributeId": "urn:altinn:organization", "Value": "91234124352" } ] } ] } }System register Maskinporten
In Samarbeidsportalen, System Vendors can create clients that will be available in the system vendor list.
This will be controlled by a scope that will be open and available for everyone having access to Samarbeidsportalen
Maskinporten will expose an API that could be used to get the list of all these integrations.
Maskinporten client admin
To be able to administrate Maskinporten clients from Altinn maskinporten needs to expose API to create and update clients.
The API needs to support upload of JWK.
In scope
To be discussed
Out of scope
No response
Additional Information
We will use new single rights delegation pages for the delegation of rights to system users.
Analyses
Tasks Frontend/BFF
Tasks
Tasks Authentication Delivery 1
Tasks
Dependencies
Features
The text was updated successfully, but these errors were encountered: