Last modified: May 8, 2024

Security

Encryption

Apps hosted in Altinn Apps can cover many functional scenarios. For stateful apps, where the app stores data in the Storage component of Altinn Platform, the data can range from fully public to highly sensitive. Based on the type of data, the org that creates the app will have specific encryption requirements to meet its confidentiality requirement for the data. Storage encryption: The storage component uses Azure Cosmos DB and Azure Blob Storage to store data for apps.

JWTCookieAuthentication

JWTCookieAuthentication is an ASP.NET Core authentication service created to support JSON Web Tokens (JWT) as bearer tokens and JWTs in cookies. It is based on JWTBearer. It is created for scenarios where you need APIs that will be accessed both from systems using bearer tokens and from Single Page Applications (SPA) where you want to protect the JWT from the SPA itself (XSS attacks). When the JWT is put in an HTTP-only cookie it is not accessible from the SPA and cannot be stolen by malicious JavaScript running in the browser.

JWT Format

JSON Web Tokens are an open, industry-standard (RFC 7519) method for representing claims securely between two parties and are chosen as the bearer of information about users and systems. The format chosen for JWT tokens is RSA256. This is an asymmetric algorithm where the Authentication component in Altinn Platform generates tokens signed with the private key of a certificate, and everyone can validate the token with the public key.

OIDC Providers

Each app in Altinn Apps can be configured to use one of the pre-configured and approved OIDC providers. When redirecting the user to Altinn Authentication, ID-porten will be presented by default through the Altinn 2 configuration. If the authentication component has a specific OIDC provider configured and the app is configured to use it, the user will be redirected to that provider's login. Currently, the only approved OIDC providers in Altinn are FEIDE and UIDP.

Policy Enforcement Point

See below for details of how we have constructed the PEPs and how to configure them. Standard PEPs: Developers should configure security when possible, which is one important principle we follow. Therefore, we have developed some standard policy enforcement points that API developers can use on different API endpoints. The best way to solve attribute-based authorization is by using Policy-Based Authorization in ASP.NET Core. We have created the standard PEPs in the ASP.