Last modified: Jul 16, 2026

Authentication persistence architecture

Database schemas, tables, blob container and event queue in Altinn Authentication.

The persistence architecture shows how Authentication stores durable data. The model is based on migrations through version 0.29 at source commit e581d8d.

Storage overview

Authentication storage overview

Select a diagram to open it at full size in a new tab.

Authentication uses two PostgreSQL schemas, one configurable blob container for Data Protection keys and one Azure Storage queue for authentication events.

The business_application schema

Database model for the business_application schema

The seven tables store registered systems, Maskinporten clients, system users, requests, archives and the change log. system_register is the root for clients, system user profiles and change logs. Request tables use logical identifiers without foreign keys to the root.

The oidcserver schema

Database model for the oidcserver schema

The nine tables store OIDC clients, login transactions, authorisation codes, sessions, refresh tokens and credentials for self-identified users. An upstream transaction refers to either a registered or unregistered client flow; a check constraint requires exactly one.

authorization_code.session_id is a logical reference to oidc_session.sid, but the migration creates no foreign key.

Blob container and queue

KeysContainer specifies the blob container. The keys.xml blob contains the ASP.NET Core Data Protection key ring and is protected with a Key Vault key. The container name varies between environments.

AuthenticationEventQueueName specifies the queue receiving authentication events before Audit Log processes them. Development configuration uses eventlog.

Scope and maintenance

The SVGs show tables, key columns and explicit relationships. They omit indexes, check constraints, PostgreSQL domains, triggers and functions to remain readable. Update the diagrams and source commit when migrations or storage configuration change.