OIDC Providers
Altinn Authentication supports configuration of multiple OIDC providers.
Each app in Altinn Apps can be configured to use one of the pre-configured and approved OIDC providers.
When the user is redirected to Altinn Authentication, ID-porten is presented by default, through the Altinn 2 configuration.
If the authentication component has a specific OIDC provider configured and the app is configured to use it, the user is redirected to that provider to log in. Currently, FEIDE and UIDP (school sector) are the only approved OIDC providers in Altinn.
OIDC Configuration
Under the general settings for the AuthenticationComponent there are the following settings.
Value | Datatype | Description |
---|---|---|
EnableOidc | true/false | If true, an app can request a specific OIDC provider when logging in |
EnforceOidc | true/false | If true, OIDC is the default login method. In the future, this will always be true |
DefaultOidcProvider | string | Id of the provider that should be used as default if none is requested. Only relevant when EnforceOidc is true |
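The way these three settings combine is easiest to see as a decision function. The Python below is an added example, not Altinn's own code: the sentinel ALTINN2_IDPORTEN stands for the default ID-porten path via Altinn 2, and the `approved` set stands in for the list of approved providers; both are assumptions, as is the rule that an app-requested provider is honoured only when EnableOidc is true.

```python
# Decision logic for EnableOidc / EnforceOidc / DefaultOidcProvider.
# Added example, not Altinn's code; ALTINN2_IDPORTEN and `approved` are assumptions.
ALTINN2_IDPORTEN = "altinn2-idporten"


def choose_login(settings, approved, requested=None):
    """Return the login path the user should be sent to.

    settings:  dict with EnableOidc, EnforceOidc, DefaultOidcProvider
    approved:  set of provider ids approved in this Altinn environment
    requested: provider id the app asked for, or None
    """
    enable = bool(settings.get("EnableOidc"))
    enforce = bool(settings.get("EnforceOidc"))

    if requested is not None:
        if not enable:
            # Apps may only pick a provider when EnableOidc is switched on.
            raise ValueError("OIDC provider requested but EnableOidc is false")
        if requested not in approved:
            # Fail closed rather than forward the user to an unapproved issuer.
            raise ValueError(f"provider {requested!r} is not approved")
        return requested

    if enforce:
        # OIDC is the default login method; the default provider must itself be approved.
        default = settings.get("DefaultOidcProvider")
        if default not in approved:
            raise ValueError("EnforceOidc requires an approved DefaultOidcProvider")
        return default

    # Neither requested nor enforced: fall back to ID-porten via Altinn 2.
    return ALTINN2_IDPORTEN
```

The two `ValueError` branches are the important part: a misconfigured default or a request for an unapproved provider stops the flow instead of redirecting the user to an arbitrary issuer.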
Altinn Platform Authentication can support any number of ID providers. However, in an Altinn context, each provider needs to be approved.
Currently, FEIDE and UIDP are the only approved providers. UDIR applications use these.
Each provider needs a separate setup.
Value | Description |
---|---|
Issuer | The issuer's identifier |
AuthorizationEndpoint | Authorization endpoint for the issuer |
TokenEndpoint | Endpoint where the ID provider issues tokens |
WellKnownConfigEndpoint | The ID provider's well-known configuration endpoint |
LogoutEndpoint | Where to redirect the user during logout |
ClientId | Registered client ID |
ClientSecret | Registered client secret |
Scope | Scopes that will be used when requesting authentication |
ExternalIdentityClaim | This claim is used to match an existing user or create a new one. If this ID is the only claim and is not a common identifier like a social security number or email address, the user will be anonymous to Altinn. If not set, a PID claim containing the social security number is expected. |
UserNamePrefix | When generating a new user, this will be the prefix of the username |
IncludeIssInRedirectUri | Whether the authorization request should include iss in the return URL. Needed when the ID provider does not include it itself |
ProviderClaims | Claims that should be copied to the Altinn token during the exchange process. These can identify the user or carry other properties the app code needs. |
Example configuration of one provider:

```json
{
  "OidcProviders": {
    "altinn": {
      "Issuer": "https://idprovider.azurewebsites.net/",
      "AuthorizationEndpoint": "https://idprovider.azurewebsites.net/authorize",
      "TokenEndpoint": "https://idprovider.azurewebsites.net/api/token",
      "WellKnownConfigEndpoint": "https://idporten.azurewebsites.net/api/v1/openid/.well-known/openid-configuration",
      "LogoutEndpoint": "https://idporten.azurewebsites.net/api/v1/logout",
      "ClientId": "asdf34argf",
      "ExternalIdentityClaim": "sub",
      "UserNamePrefix": "UIDP_",
      "IncludeIssInRedirectUri": true,
      "ProviderClaims": [ "locale", "urn:feide:role", "sub" ]
    }
  }
}
```
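To show how a provider entry like the one above drives the login redirect and the token exchange described in the provider table, here is an added Python example; it is not Altinn's own code. It loads a provider entry and fails closed when mandatory keys are missing, builds the authorization request (appending iss to the redirect URI when IncludeIssInRedirectUri is set), and maps verified ID-token claims to an Altinn user using ExternalIdentityClaim, UserNamePrefix and ProviderClaims. The callback base URL, the in-memory user store, carrying iss as a query parameter, and the rule that only a pid or email identity claim makes the user non-anonymous are all assumptions. The sample config is constructed from the page's example and deliberately omits ClientSecret, which a deployment loads from a secret store rather than the settings file; the ID-token claims passed in are assumed to have been signature-verified already.

```python
"""Model of how an OidcProviders entry drives login and token exchange.
Added example, not Altinn's code. Names other than the configuration keys
on the page (load_provider, redirect_uri, CALLBACK_BASE, ...) are assumptions."""
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed sample with the same keys as the page's example configuration.
CONFIG = json.loads("""
{
  "OidcProviders": {
    "altinn": {
      "Issuer": "https://idprovider.azurewebsites.net/",
      "AuthorizationEndpoint": "https://idprovider.azurewebsites.net/authorize",
      "TokenEndpoint": "https://idprovider.azurewebsites.net/api/token",
      "ClientId": "asdf34argf",
      "ExternalIdentityClaim": "sub",
      "UserNamePrefix": "UIDP_",
      "IncludeIssInRedirectUri": true,
      "ProviderClaims": ["locale", "urn:feide:role", "sub"]
    }
  }
}
""")

REQUIRED = ("Issuer", "AuthorizationEndpoint", "TokenEndpoint", "ClientId")
# Assumed callback URL of the authentication component.
CALLBACK_BASE = "https://platform.altinn.example/authentication/api/v1/authentication"
# Assumed: only these identity claims tie the user to a known real-world identity.
NON_ANONYMOUS_CLAIMS = ("pid", "email")


def load_provider(config, provider_id):
    """Return the provider entry, failing closed when mandatory keys are absent."""
    try:
        provider = config["OidcProviders"][provider_id]
    except KeyError:
        raise KeyError(f"unknown OIDC provider {provider_id!r}")
    missing = [k for k in REQUIRED if not provider.get(k)]
    if missing:
        raise ValueError(f"provider {provider_id!r} is missing {missing}")
    return provider


def redirect_uri(provider, base=CALLBACK_BASE):
    """Add iss to the callback URL when the provider will not send it itself,
    so the callback can tell which issuer an authorization code belongs to."""
    if not provider.get("IncludeIssInRedirectUri"):
        return base
    parts = urlsplit(base)
    query = dict(parse_qsl(parts.query))
    query["iss"] = provider["Issuer"]
    return urlunsplit(parts._replace(query=urlencode(query)))


def authorize_url(provider, state, nonce):
    """Build the authorization-code request sent to AuthorizationEndpoint."""
    params = {
        "response_type": "code",
        "client_id": provider["ClientId"],
        "redirect_uri": redirect_uri(provider),
        "scope": provider.get("Scope", "openid"),
        "state": state,  # bound to the browser session, checked on callback
        "nonce": nonce,  # echoed in the ID token, checked after the exchange
    }
    return provider["AuthorizationEndpoint"] + "?" + urlencode(params)


def exchange_claims(provider, id_token_claims, users):
    """Map verified ID-token claims to an Altinn user and the claims to copy.
    users: {(issuer, external_id): user_record}, a stand-in for the user store."""
    if id_token_claims.get("iss") != provider["Issuer"]:
        raise ValueError("ID token issuer does not match the configured Issuer")
    # Without ExternalIdentityClaim the page expects a pid claim (social security number).
    key_claim = provider.get("ExternalIdentityClaim") or "pid"
    external_id = id_token_claims.get(key_claim)
    if not external_id:
        raise ValueError(f"ID token lacks identity claim {key_claim!r}")
    key = (provider["Issuer"], external_id)
    user = users.get(key)
    if user is None:
        # Match failed: create the user with the configured prefix.
        user = {
            "username": provider.get("UserNamePrefix", "") + external_id,
            "anonymous": key_claim not in NON_ANONYMOUS_CLAIMS,
        }
        users[key] = user
    copied = {c: id_token_claims[c]
              for c in provider.get("ProviderClaims", ()) if c in id_token_claims}
    return {"username": user["username"], "anonymous": user["anonymous"], **copied}
```

Two checks in `exchange_claims` are worth keeping whatever the real implementation looks like: the token's iss must equal the configured Issuer before any claim is trusted, and a missing identity claim is an error rather than a silently anonymous session.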