Last modified: May 20, 2022

OIDC Providers

Altinn Authentication support configuration of multiple OIDC Providers

Each App in Altinn Apps can configure to use one of the pre-configured and approved OIDC providers.

When redirecting the user to Altinn Authentication, by default ID-porten will be presented through Altinn 2 configuration.

If authentication component has configured a specific OIDC provider and the app is configured to use this, the user will be redirected to login. Currently, the only approved OIDC providers in Altinn are FEIDE and UIDP have been approved OIDC providers in Altinn. (School sector)

OIDC Configuration

Under general setting for the AuthenticationComponent there are two settings.

EnableOidctrue/falseIf true, an app can request a specific OIDC provider when login in
EnforceOidctrue/falseIf true, OIDC is the default login method. In the future, this will always be true
DefaultOidcProviderstringid for the provider should be used as default if non is set. Only relevant when enforceOidc is true

Altinn Platform Authentication can support endless numbers of ID providers. However, in an Altinn context, each provider needs to be approved.

Currently, FEIDE and UIDP are the only approved providers. UDIR applications use these.

Each provider needs a separate setup.

IssuerThe issuer’s identification
AuthorizationEndpointAuthorization endpoint for issuer
TokenEndpointEndpoint where ID-provider generates tokens
WellKnownConfigEndpointId-provider well known endpoint
LogoutEndpointWhere to redirect user during logout
ClientIdRegistrated ID
ClientSecretRegistrated secret
ScopeScopes that will be used when requesting authentication
ExternalIdentityClaimThis claim will be used to match the existing user or create a new one. If this ID is the only claim and is not a common identifier like social security number or email address, the user will be anonymous for Altinn. If not set, the expectation is that there will be a PID claim containing ssn.
UserNamePrefixWhen generating a new user, this will be the prefix
IncludeIssInRedirectUriIdentifies if authorization request should cointain ISS in return URL. Needed when IDprovider does not include this
ProviderClaimsClaims that should be copied to Altinn token during exchange process. This could be identifying users or other properties available in the app code.
"OidcProviders": {
    "altinn": {
      "Issuer": "",
      "AuthorizationEndpoint": "",
      "TokenEndpoint": "",
      "WellKnownConfigEndpoint": "",
      "LogoutEndpoint": "",
      "ClientId": "asdf34argf",
      "ExternalIdentityClaim": "sub",
      "UserNamePrefix": "UIDP_",
      "IncludeIssInRedirectUri": true,
      "ProviderClaims": [ "locale", "urn:feide:role", "sub" ]