A guide to setting up a Maskinporten integration to generate tokens with the scope required to access the Notifications API
NOTE: This is only required by external system clients.
Altinn internal systems should include an Altinn Platform Access Token in the request header to gain access
to the API.
Required Maskinporten scope
The scope altinn:serviceowner/notifications.create is required for external clients to gain
access to the Notifications API.
All registered service owners have been delegated this scope by Digdir and should
be able to find it in their list of scopes in Samarbeidsportalen.
Setting up the Maskinporten integration
A Maskinporten client, also known as a Maskinporten integration, can generate tokens with a set of scopes on request.
The token can then be exchanged for an Altinn token and used to gain access to the API.
Below are guides on how to set up a new Maskinporten integration that generates tokens with the required scope.
Choose Selvbetjening and then Integrasjoner for the environment you want.
Ver2 is test and Produksjon is production.
Choose Ny integrasjon
To fill out the form, provide all required properties:
Scopes: Choose Legge til scopes and include all the scopes necessary for the integration to generate tokens containing
Navn på integrasjonen: Add a descriptive name that allows you to identify the application that will be using the integration
Beskrivelse: Add a short description, not only for yourself but for everyone
that administers integrations on behalf of your organization.
The example above shows an integration used by an Altinn CLI Client which will need to generate tokens containing
one or more of the three selected scopes: altinn:serviceowner,
altinn:serviceowner/instances.read and altinn:serviceowner/instances.write.
Choose Opprett in the top right corner when you have completed the configuration
The final steps of this guide cover creating a JSON Web Key (JWK) for the integration to use to authenticate towards Maskinporten,
as well as noting down important values that can be used to configure the client that will integrate with Maskinporten.
Generate and register JWK for authentication towards Maskinporten
To avoid spreading the business certificate across many systems,
we opt for creating an asymmetric key (JSON Web Key) and associating it with the newly created integration.
In this example we use mkjwk.org.
Navigate to mkjwk.org in a browser
Fill in values like the example below and click Generate
The output should look like this:
Now, the public part of the key should be added to the newly created integration in Samarbeidsportalen.
Navigate back to the integration in Samarbeidsportalen
Choose Egne public nøkler
Add two empty square brackets to the empty text box as shown below
Navigate back to the JWK generator site
Copy the public key of the JWK (marked 1 in the picture) and paste this into the array in Samarbeidsportalen.
Choose Legg til
The registration and configuration in Samarbeidsportalen is now complete,
and the integration is ready to generate Maskinporten tokens on request
from any client that can provide the private and public parts of the JWK.
Important values for client configuration
From Samarbeidsportalen:
Integrasjonens identifikator
This will be used in your client configuration.
In Altinn libraries, this value is referred to as the client identifikator
From the JWK generation tool:
Public and private key pair (marked 2 in the picture below)
This is what your client will use when calling the Maskinporten integration.
In Altinn libraries this key pair is referenced as EncodedJwk and must be base64 encoded before
it is included in application configuration or uploaded to a Key Vault.
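
An added example, not part of the original guide or Altinn's own code: the key generation and the two outputs described above (the public key array for Egne public nøkler and the base64 EncodedJwk), produced locally with Node.js so the private key is never handled by a web page. The RSA 2048/RS256 parameters, the thumbprint-based `kid` and all function names are assumptions; match them to the values your form and client library expect.

```javascript
// Added example: generate the integration key locally (Node.js standard library only).
const { generateKeyPairSync, createHash } = require('node:crypto');

// JWK members that belong to the private key and must never be registered.
const PRIVATE_MEMBERS = ['d', 'p', 'q', 'dp', 'dq', 'qi'];

function createIntegrationKey() {
  // Assumption: RSA 2048 used for RS256 signatures.
  const { privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwk = privateKey.export({ format: 'jwk' });

  // Assumption: kid is the RFC 7638 SHA-256 thumbprint of the public key.
  const canonical = JSON.stringify({ e: jwk.e, kty: jwk.kty, n: jwk.n });
  const kid = createHash('sha256').update(canonical).digest('base64url');

  const publicJwk = { kty: jwk.kty, kid, use: 'sig', alg: 'RS256', n: jwk.n, e: jwk.e };
  const keyPairJwk = {
    ...publicJwk,
    d: jwk.d, p: jwk.p, q: jwk.q, dp: jwk.dp, dq: jwk.dq, qi: jwk.qi,
  };
  return { publicJwk, keyPairJwk };
}

// Text for the "Egne public nøkler" box: a JSON array holding the public key.
function portalKeyArray(publicJwk) {
  const leaked = PRIVATE_MEMBERS.filter((member) => member in publicJwk);
  if (leaked.length > 0) {
    throw new Error(`refusing to export private members: ${leaked.join(', ')}`);
  }
  return JSON.stringify([publicJwk], null, 2);
}

// Base64 of the full key pair, the form the guide calls EncodedJwk.
function encodeJwk(keyPairJwk) {
  return Buffer.from(JSON.stringify(keyPairJwk), 'utf8').toString('base64');
}

{
  const demo = createIntegrationKey();
  console.log(portalKeyArray(demo.publicJwk));
  // Print only the length: the encoded value is a secret and belongs in a Key Vault.
  console.log(`EncodedJwk: ${encodeJwk(demo.keyPairJwk).length} base64 characters`);
}
```

`portalKeyArray` throws if it is handed the full key pair, which guards against pasting private key material into Samarbeidsportalen.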