Access Token
Altinn uses an additional access token when we need to authenticate the application or call a component in the Altinn Platform.
AccessToken Client
.NET applications that need to call protected APIs in the Altinn Platform infrastructure use the AccessToken Client.
The AccessToken Client has an Access Token generator that generates a JWT based on a unique certificate made available in the Kubernetes clusters.
Example usage
- App template calling register.
- App template calling Altinn Events.
- Altinn Events function calling Altinn Events.
Configuration
To use the Access Token client, you need to add the following to program.cs:
// The Access Token service
services.AddSingleton<IAccessTokenGenerator, AccessTokenGenerator>();
// The Signing credential resolver that finds the correct certificate on disk
services.AddTransient<ISigningCredentialsResolver, SigningCredentialsResolver>();
AccessToken
Platform components use AccessToken to protect their APIs from external usage.
It uses an AltinnTokenValidator to verify the presence of a bearer token in a special header.
The certificate used to validate the token is retrieved from Key Vault using the SigningKeyResolver.
Each platform cluster and apps cluster has its own unique certificate.
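The sign-and-verify flow described above, as an added example that is not Altinn's own code. The certificates are generated in-process as constructed stand-ins for the per-cluster certificates, and the issuer value `example-app`, the subject names and the helpers `NewCert`, `Issue` and `IsValid` are assumptions.

```csharp
// Added example, not Altinn's AccessTokenGenerator or AccessTokenHandler.
// Needs the System.IdentityModel.Tokens.Jwt NuGet package.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;

// Constructed stand-ins for two clusters' unique certificates.
using X509Certificate2 appsCert = NewCert("CN=apps-cluster-example");
using X509Certificate2 otherCert = NewCert("CN=other-cluster-example");
// The verifier holds only the public part of the certificate it expects.
using var trusted = new X509Certificate2(appsCert.Export(X509ContentType.Cert));

Console.WriteLine($"signed by expected cert: {IsValid(Issue(appsCert), trusted)}");
Console.WriteLine($"signed by other cert:    {IsValid(Issue(otherCert), trusted)}");

static X509Certificate2 NewCert(string subject)
{
    RSA rsa = RSA.Create(2048);
    var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));
}

static string Issue(X509Certificate2 cert)
{
    var handler = new JwtSecurityTokenHandler();
    return handler.WriteToken(handler.CreateToken(new SecurityTokenDescriptor
    {
        Issuer = "example-app",                                // assumed issuer value
        Expires = DateTime.UtcNow.AddSeconds(30),              // short-lived token
        SigningCredentials = new X509SigningCredentials(cert), // RS256 with the private key
    }));
}

static bool IsValid(string token, X509Certificate2 trustedCert)
{
    var parameters = new TokenValidationParameters
    {
        IssuerSigningKey = new X509SecurityKey(trustedCert),
        ValidIssuer = "example-app",
        ValidateAudience = false, // the tokens above carry no audience claim
        ClockSkew = TimeSpan.FromSeconds(10),
    };
    try { new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _); return true; }
    catch (Exception e) when (e is SecurityTokenException or ArgumentException)
    {
        return false; // bad signature, wrong issuer, expired or malformed token
    }
}
```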
Configuration AccessToken
To use the Access Token, you need to add the following to program.cs:
// The handler that validates the token
services.AddSingleton<IAuthorizationHandler, AccessTokenHandler>();
// The resolver that gets the certificate from Key Vault
services.AddSingleton<ISigningKeysResolver, SigningKeysResolver>();
services.AddAuthorization(options =>
{
    // The policy to be used by API controllers
    options.AddPolicy("PlatformAccess", policy => policy.Requirements.Add(new AccessTokenRequirement()));
});
The API developer can configure the policy for each endpoint or controller:
[Authorize]
[Authorize(Policy = "PlatformAccess")]
[Route("register/api/v1/parties")]
public class PartiesController : Controller
Example from Register