Last modified: Apr 23, 2026

Altinn Authorization

Technical overview of how Dialogporten integrates with Altinn Authorization

Introduction

Dialogporten is fully integrated with Altinn Authorization, which is used for all authorization decisions made in Dialogporten.

For performance reasons, there are two different ways that Altinn Authorization is utilized.

Authentication and coarse-grained authorization

Dialogporten performs basic authentication and scope-based authorization via self-contained access tokens issued by Maskinporten and ID-porten, and optionally exchanged at Altinn Token Exchange.

Dialog list authorization

All list views in Dialogporten use the Authorized Parties API, which yields a list of all parties the authenticated user can represent, along with all roles, access packages, and service or instance rights that user has been granted for each party.

Dialogporten maintains a map of which roles and access packages grant rights to each resource in the resource registry, and uses that to fetch only dialogs referring to service resources that the user has some kind of access to. The specific actions, such as read or write, are not considered; any right for the given party and the given resource is sufficient to see the dialog in the dialog list.

As only one request for a given party and service-resource tuple has to be performed within a cache TTL window, re-sorting, filtering, and pagination do not require additional requests to Altinn Authorization, and can therefore be performed quickly.
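The list filtering and caching described above, as an added example that is not Dialogporten's own code. The `AuthorizedParty` shape, the role, package and resource names, the per-user cache key and the 60-second TTL are all assumptions, and instance rights are left out.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthorizedParty:                         # hypothetical shape, not the real API schema
    party: str
    roles: frozenset = frozenset()
    access_packages: frozenset = frozenset()
    resource_rights: frozenset = frozenset()   # resources with directly delegated rights

def listable_pairs(parties, grants):
    """Return {(party, resource)} where the user holds ANY right; actions are ignored."""
    pairs = set()
    for p in parties:
        held = p.roles | p.access_packages
        for resource, granting in grants.items():
            if held & granting:                # one matching role or package is enough
                pairs.add((p.party, resource))
        pairs.update((p.party, r) for r in p.resource_rights)
    return pairs

class ListAuthorizer:
    """Caches the computed pairs so sorting, filtering and paging reuse them within the TTL."""
    def __init__(self, fetch_parties, grants, ttl_seconds=60.0, clock=time.monotonic):
        self._fetch, self._grants = fetch_parties, grants
        self._ttl, self._clock = ttl_seconds, clock
        self._cache = {}                       # user -> (expires_at, pairs)

    def pairs_for(self, user):
        hit = self._cache.get(user)
        if hit and hit[0] > self._clock():
            return hit[1]
        pairs = listable_pairs(self._fetch(user), self._grants)
        self._cache[user] = (self._clock() + self._ttl, pairs)
        return pairs

    def list_dialogs(self, user, dialogs):
        pairs = self.pairs_for(user)
        return [d for d in dialogs if (d["party"], d["resource"]) in pairs]

# Constructed sample data: which roles/packages grant some right on each resource.
GRANTS = {"resource-a": frozenset({"role:example-ceo"}),
          "resource-b": frozenset({"package:example-tax"})}
DIALOGS = [{"id": 1, "party": "org-1", "resource": "resource-a"},
           {"id": 2, "party": "org-1", "resource": "resource-b"},
           {"id": 3, "party": "org-2", "resource": "resource-b"},
           {"id": 4, "party": "org-3", "resource": "resource-a"}]

def fetch_sample(user):                        # stands in for the Authorized Parties call
    return [AuthorizedParty("org-1", roles=frozenset({"role:example-ceo"})),
            AuthorizedParty("org-2", resource_rights=frozenset({"resource-b"}))]
```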

Dialog details authorization

For dialog details, the PDP API is used, allowing fine-grained authorization of the various actions and transmissions defined within the dialog.

All actions and transmissions are decorated with an IsAuthorized flag, which indicates to the end-user system whether or not the user has access. If not, all URLs are removed.

While Dialogporten indicates that the action is unauthorized and removes the URLs, the endpoint behind each URL should still always perform authentication and authorization on incoming requests and not rely on Dialogporten simply obscuring access to the endpoints.