Technical flows
The main cross-component flows in Altinn Authorization.
The flows highlight transitions of responsibility between components. Detailed API contracts and integration steps belong in the API and guide sections.
Interactive authentication
- A browser starts sign-in with Authentication.
- Authentication delegates identity proofing to a configured provider, typically ID-porten.
- After successful sign-in, Authentication establishes session and identity context.
- Services use this context for subsequent authorization checks.
Machine-to-machine token exchange
- A client presents a token from a trusted issuer, typically Maskinporten.
- Authentication validates issuer, signature, audience, lifetime and relevant claims.
- External identity and representation are translated into Altinn identity context.
- Altinn Access Token participates as a platform dependency owned by Team Platform.
Authorization decision
- A PEP creates or forwards a request with subject, resource, action and context.
- Authorization enriches the context with party, role and resource information when required.
- Relevant policy and delegated rights are retrieved.
- PDP evaluates the request and returns a decision.
- The PEP enforces the decision; PDP does not perform the protected action.
- Security-relevant events may be sent to Audit Log.
Rights administration
- The UI or an authorised client calls Access Management.
- The service validates who may administer the right for the party and resource.
- The access relationship is stored and made available through read models.
- A later PDP request uses the relationship as part of its decision basis.
System User
System User connects a registered vendor system to a customer organisation and a constrained set of rights. Establishment and runtime are separate flows: the relationship is first created and approved; a Maskinporten-authenticated system may then act for the customer within delegated rights.
Consent
Consent uses resource definitions and metadata from Resource Registry. A consent establishes purpose-bound and often time-limited authority. Validation combines identity, grantor, recipient, resource, action, purpose and validity.