Last modified: Apr 8, 2024

Security

Resource Registry

This is work in progress. Type of resources: there are different types of resources that can be registered: GenericAccessResource, MaskinportenSchema and Systemresource. Later it will be possible to register Altinn 3 Apps and legacy Altinn 2 services for legacy archive authorization (not finalized). Generic Access Resources: GenericAccessResources will be used in the same way link services are used in Altinn 2. The resource can be any type of service provided by public organizations. We used cpsv:PublicService as inspiration for the data model.

Resource Admin in Altinn Studio

Resources are managed as files in a repo for each service owner. If the service owner has created the repo {org}-resources, the dashboard for resources will be available on the front page of Altinn Studio. Users who belong to a team with access to the repo can make changes to resources. From the dashboard you can create or edit resources. A resource can be given a name and an id. The id must consist only of digits or lowercase letters a-z and must be globally unique.

Code Checklist

Below you find checklists used during coding. Important inputs have been the OWASP Top 10 and the CWE Top 25. Backend checklist: 1. Is input validated? URL parameters, POST parameters and other input that is stored or presented in the application. An example from Altinn 3 is the validation of file names used here. This is related to OWASP Top 10 no. 1. 2. Does the API require an authenticated user? All APIs need to require an authenticated user or system.

Authorizations from Enhetsregisteret

The content of this page is work in progress. The content will not apply until the new access packages take effect, and must therefore not be regarded as definitive at present. Enhetsregisteret as a source of authorizations: all enterprises in Norway are registered in Enhetsregisteret and receive an organization number by which they are identified. In that connection, persons or enterprises holding various roles are also registered, and with those roles the authority to act on behalf of the enterprise in various contexts.

Access Token

AccessToken Client: .NET applications that need to call protected APIs in the Altinn Platform infrastructure use the AccessToken client. The AccessToken client has an Access Token generator that generates a JWT based on a unique certificate made available in the Kubernetes clusters. Example usage: App template calling Register; App template calling Altinn Events; Altinn Events function calling Altinn Events. Configuration: to use the Access Token client, you need to add the following to program.

Access Token

Altinn Studio: Altinn Studio Designer creates a JWT-based Access Token signed by a certificate that the Altinn Studio Designer has available when running in the Altinn Studio Kubernetes cluster. The certificate is different for each environment. Using separate certificates makes it possible for each Altinn Platform environment to configure which Altinn Studio environment is allowed to deploy and modify applications in that specific environment. Altinn Studio Designer generates a token with the help of the Access Token generator for each call to the platform components.

Authentication Capabilities

Altinn Studio Developer authentication: the App Developer using Altinn Studio authenticates with the help of the built-in account in Gitea. The Designer part of Altinn Studio integrates with Gitea so that it identifies the user logged in to Gitea. Git repo authentication: when a user tries to update the Git repo where the source files for the app are stored, they need to authenticate against the Git repo. This can be done using an App Key generated in Gitea or using the username/password of the Gitea account.

Authentication APIs

As part of the authentication component, there are some APIs that support authentication of different types of users and systems. API for SBL Authentication cookie: this API creates a JWT cookie (a cookie containing a JWT token) based on the SBL cookie created during login in the legacy SBL solution. The API uses an API in the SBL Bridge to verify the cookie and get information about the logged-in user. Based on this information, the API creates a JWT token with claims about the user (user id, authentication level, etc.) and signs the JWT token with the private key of Altinn Platform.

Authorization

The authorization capabilities are based on ABAC (Attribute-Based Access Control) and use the XACML 3.0 standard. These capabilities include: the capability to define wide/narrow authorization policies for apps (rules can be valid for the whole application or only for a subset of resources); the capability to evaluate policies based on a request for a resource; the capability to configure authorization policies for API endpoints; the capability to enforce decision requests (permit or deny); the capability to enrich decision requests with needed information; the capability to retrieve context information from different sources for subject and resource.