How to setup an integration between an Altinn App and Maskinporten.
This guide details how to set up an Altinn application to use the built-in Maskinporten authentication client (IMaskinportenClient) for making authorized requests on behalf of the app owner, as opposed to the active user.
In order to set this up, the following must be done:
Before proceeding with this guide, make sure you have access to Azure Key Vault for your organization.
This ensures that the keys created further on in the guide can be stored properly as secrets in Azure.
In this section we will set up the Maskinporten client. A part of setting up the client includes creating keys that
should be stored in Azure Key Vault later on in the guide. If different people in the organization have access to
different resources needed in this process, please cooperate and do the following steps on the same machine. This is
recommended to avoid sending secrets between machines.
When access to creating secrets in Azure Key Vault is confirmed, please proceed to create the integration.
Start by logging into your account with your chosen method.
When logged into your account, the organisation you represent is shown in the top menu to the right.The organisation you represent is shown in the top menu.If you logged in to represent a synthetic organisation, you will also be able to change the synthetic organisation you represent in the drop down menu on that item.You can change the synthetic organisation you represent in the drop down menu.
Select the Create client button to start creating a new client for the organisation you represent.
On the Add client page select Maskinporten.
On the Add Maskinporten client page fill in the display name, description and add your required scopes (these values can also be changed later). Then click the Create button.The 'Add Maskinporten client' page.
You have now created a Maskinporten client for your organisation.
To use this client you need to add at least one authentication key. The client supports JWK and PEM keys.
Start by either locating an existing key or creating a new one. You can use the Altinn JWKS tool or other key generator of your choice for this.
Next, navigate to the key section on your client page and select Add.Keys can be added in the key section.In the JWK or PEM format field paste your public key and click Save. The key is now added to the client.
Store your private key from your JWK or PEM in a secure location, as it is used to authorize the use of this client.
If you use Azure Key Vault to store your private keys, they need to be base64-encoded before uploading.The JWK or PEM public key is pasted in this field
If you didn’t do so in step 5, you need to add the desired scopes to your client before it can be used.From the Scopes tab on your client definition, click the Add button.Scopes available to your organisation will be shown in the list. Select the required ones and click Submit.
Azure Key Vault Configuration
When preparing the application to use secrets from Azure Key Vault, there are some steps that need to be done:
Add the secrets retrieved during the Maskinporten client configuration to Azure Key Vault:
The base64 encoded JWT public and private key pair
The client ID for the integration
It is important that the name of these secrets in Azure Key Vault corresponds with the name of the section in the
appsettings file in the application repository. E.g. if your appsettings section for the Maskinporten integration section looks like this:
For the application to be able to read the secrets from Azure Key Vault, it needs to be configured to do so.
See the secrets section to achieve this.
Add the appsettings section example from above into the appsettings.{env}.json file.
Note: The secrets are read by the application on launch so
if you make changes after the application is deployed, you
will need to redeploy the application for them to come into effect.
Application Setup
The application automatically includes the built-in IMaskinportenClient which can be injected into your services.
Configuration Paths
The client will automatically look for a Maskinporten configuration at the default path “MaskinportenSettings”. If you wish to use a different path, perhaps because you are deploying multiple apps and you need each one to carry different credentials, you can configure this via the ConfigureMaskinportenClient method.
Typed and named Http clients can be authorized with the available extension methods, as illustrated below.
void RegisterCustomAppServices(IServiceCollection services, IConfiguration config, IWebHostEnvironment env)
{
// ...// For external APIs that require raw Maskinporten tokens services.AddHttpClient<CustomClient1>().UseMaskinportenAuthorization("scope1", "scope2");
services.AddHttpClient("named-client1").UseMaskinportenAuthorization("scope1", "scope2");
// For Altinn APIs that require Altinn tokens (exchanges Maskinporten token) services.AddHttpClient<CustomClient2>().UseMaskinportenAltinnAuthorization("scope1", "scope2");
services.AddHttpClient("named-client2").UseMaskinportenAltinnAuthorization("scope1", "scope2");
}
Manual Usage
If you need to fetch a Maskinporten token manually, you can inject the IMaskinportenClient in your service and retrieve tokens with the GetAccessToken and GetAltinnExchangedToken methods.
publicclassExample(IMaskinportenClient maskinportenClient) : IProcessTaskEnd
{
publicasync Task End(string taskId, Instance instance)
{
var maskinportenToken = await maskinportenClient.GetAccessToken(["scope1", "scope2"]);
var altinnExchangedToken = await maskinportenClient.GetAltinnExchangedToken(["scope1", "scope2"]);
// Do something with the tokens... }
}
Key Vault Configuration
Lastly, we need to add the Azure Key Vault configuration provider to our host. This is done by adding the highlighted code after the ConfigureWebHostBuilder method.
Certain legacy services require an implementation of IMaskinportenTokenProvider to retrieve access tokens. The MaskinportenClient will automatically register this service if it has not already been supplied elsewhere.
The example below illustrates how to map an Altinn.ApiClients.Maskinporten.Config.MaskinportenSettings object to the format required by the built-in client.
using Altinn.App.Core.Features.Maskinporten.Exceptions;
using LegacyMaskinportenSettings = Altinn.ApiClients.Maskinporten.Config.MaskinportenSettings;
// ...void RegisterCustomAppServices(IServiceCollection services, IConfiguration config, IWebHostEnvironment env)
{
// ...var legacySettings =
config.GetSection("Maskinporten-Config-Path").Get<LegacyMaskinportenSettings>()
?? thrownew MaskinportenConfigurationException("Maskinporten settings not found in config.");
services.ConfigureMaskinportenClient(options =>
{
options.ClientId = legacySettings.ClientId;
options.JwkBase64 = legacySettings.EncodedJwk;
options.Authority = legacySettings.Environment switch {
"prod" => "https://maskinporten.no/",
"test" => "https://test.maskinporten.no/",
"dev" => "https://maskinporten.dev/",
_ => thrownew MaskinportenConfigurationException($"Unknown Maskinporten environment value {legacySettings.Environment}")
};
});
// More information about the Maskinporten environment mapping:// https://github.com/Altinn/altinn-apiclient-maskinporten/blob/main/src/Altinn.ApiClients.Maskinporten/Services/MaskinportenService.cs#L343}
In this section you will find couple of brief examples of how to migrate your existing configuration from the standalone Maskinporten client to the built-in one.
Use of AddMaskinportenHttpClient
The following example shows how an EventSubscriptionClient has traditionally been configured, and how you can achieve the same result using the built-in Maskinporten client.
The following example shows how Altinn.ApiClients.Dan has typically been configured, and how you can achieve the same result using the built-in Maskinporten client.
