Last modified: Jun 13, 2024

Access Token

Altinn uses an additional access token when we need to authenticate the application or call a component in the Altinn Platform.

AccessToken Client

.Net applications use AccessToken clients needing to call protected APIs in the Altinn Platform infrastructure.

The AccessToken Client has an Access Token generator
that generates a JWT based on a unique certificate made available in the Kubernetes clusters.

Example usage


To use the Access Token client, you need to add the following to program.cs

    // The Acces Token service
    services.AddSingleton<IAccessTokenGenerator, AccessTokenGenerator>();
    // The Signing credential resolver that finds the correct certificate on disk
    services.AddTransient<ISigningCredentialsResolver, SigningCredentialsResolver>();

Example from Altinn Events


Platform components use AccessToken to protect API from external usage.

It uses an AltinnTokenValidator to verify the presence of a bearer token in a special header.

The certificate to validate the token is retrieved from Keyvault using the SigningKeyResolver

Each end platform cluster and apps cluster has its unique certificate.

Configuration AccessToken

To use the Access Token, you need to add the following to program.cs

    // The handler to validate token
    services.AddSingleton<IAuthorizationHandler, AccessTokenHandler>();
    // The resolver to get the certificate from KeyVault
    services.AddSingleton<ISigningKeysResolver, SigningKeysResolver>();

      services.AddAuthorization(options =>
        // The policy to be used by API controllers
        options.AddPolicy("PlatformAccess", policy => policy.Requirements.Add(new AccessTokenRequirement()));

Example from register

The API developer can configure the policy for each endpoint or controller.

    [Authorize(Policy = "PlatformAccess")]
    public class PartiesController : Controller

Example from Register