Accessing Feide data from a data source#

A data source may need Feide data, such as user and group information, when processing a request from a service. To access the Feide data, the data source can do a token exchange to get a Feide access token.

Warning

The service should not pass its own access token to the data source, as this would allow the data source to impersonate the service.

Example flow#

Here is an example flow showing a data source that retrieves the user’s groups to determine if they have access:

    sequenceDiagram
        accTitle: Data source accessing Feide data
        accDescr: A diagram illustrating the flow of accessing Feide data from a data source
        autonumber
        participant Service
        participant Feide
        participant Data source
        Service ->> Feide: requests a JWT for Data source
        Feide -->> Service: JWT for Data source
        Service ->> Data source: requests some data, using JWT for Data source
        Data source ->> Feide: requests access token for self,<br>using JWT it got from Service
        Feide -->> Data source: opaque access token
        Data source ->> Feide: requests user's groups,<br>using access token
        Feide -->> Data source: user's groups
        Data source -->> Service: requested data

Steps 1 through 3 are the normal flow a service uses to access data from a data source in Feide. See Accessing data using JWT Token Exchange for details.

When the data source needs to access Feide data, the flow also includes steps 4 through 7.

In step 4, the data source sends a token exchange request to Feide with the JWT it received from the service, authenticating as itself with its own client ID and client secret. See Token exchange request from data source for details about this request. Feide returns an access token for the data source in step 5. This access token is distinct from the JWT: the JWT proves that the service called the data source on behalf of the user, while the access token lets the data source call Feide.

The data source then uses the access token to retrieve the user's groups from Feide (steps 6 and 7). These allow the data source to check that the user has access to the requested information before it returns the requested data to the service in step 8.

Available Feide data#

A data source can access the same data from Feide as a normal service. Like for services, access to Feide data for data sources is configured in the Feide customer portal.

Token exchange request from data source#

Note

This is for the case when a data source wants a regular (opaque) access token to use against Feide's APIs. See Token exchange request from service for the case when a service wants a JWT to pass to a data source.

A token exchange request includes audience and scope parameters. The audience must be https://auth.dataporten.no. The valid values for scope are the Feide access levels (scopes) that are configured in the customer portal for the data source; requesting a scope that is not enabled there will not grant it.

A token exchange request is made to the token endpoint using the HTTP “POST” method. Parameters are included in the HTTP request entity-body using the application/x-www-form-urlencoded format. The parameters are:

audience

https://auth.dataporten.no

client_id

The UUID of the data source making the exchange request.

client_secret

The client secret of the data source.

grant_type

The value urn:ietf:params:oauth:grant-type:token-exchange selects OAuth2 token exchange.

requested_token_type

The value urn:ietf:params:oauth:token-type:access_token selects a regular access token.

scope

A space-separated list of scopes that should be enabled for the token. The scopes specify which information the data source can retrieve from Feide. See Scopes, claims and attribute groups.

The desired scopes must be enabled for the data source in the Feide customer portal. If this parameter is empty or left out, all scopes enabled in the Feide customer portal will be available. To keep the token's rights to a minimum, request only the scopes the data source actually needs rather than leaving the parameter out.

subject_token

The JWT the data source received from the service.

subject_token_type

Must be urn:ietf:params:oauth:token-type:jwt.

Here is an example:

POST https://auth.dataporten.no/oauth/token
content-type: application/x-www-form-urlencoded

audience=https://auth.dataporten.no
&client_id=03dd959b-13ea-44b5-8930-bedae77973f1
&client_secret=7ec72f43-d697-40d3-9992-cd15f4016bae
&grant_type=urn:ietf:params:oauth:grant-type:token-exchange
&requested_token_type=urn:ietf:params:oauth:token-type:access_token
&scope=groups-edu groups-other profile userid userid-feide
&subject_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI...
&subject_token_type=urn:ietf:params:oauth:token-type:jwt

Successful response#

A successful response has status 200 and an application/json body with the following attributes:

token_type

The type is Bearer.

issued_token_type

The type is urn:ietf:params:oauth:token-type:access_token.

access_token

The access token that was issued.

expires_in

Number of seconds until the access token expires.

scope

The scopes that were granted.

Here is an example:

{
    "access_token": "5f0941ec-9980-4398-a126-83ad8efb34ed",
    "token_type": "Bearer",
    "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
    "expires_in": 299,
    "scope": "groups-edu groups-other profile userid userid-feide"
}

The access token is an opaque ASCII string; the data source should store and present it as-is and not attempt to parse or interpret it. See the reference documentation.

Token lifetimes#

The token lifetime is 5 minutes; the expires_in value in the response (299 in the example above) tells the data source exactly how long the token it received is valid. If the data source needs access after the token has expired, it must perform a new token exchange to obtain a new one. A data source that caches the access token should treat expires_in as authoritative rather than hard-coding the lifetime.
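Putting the token exchange request, the response handling and the lifetime rule together, here is an added example in Python. It is not Feide's own client code; it uses only the endpoint, parameters and example response shown on this page. The cache class, the offline stand-in transport, the 30-second refresh margin and the client credentials used in the demo are constructed for illustration.

```python
"""Token exchange from a data source to Feide: build the request, validate the
response and cache the short-lived access token. Added example, not Feide's own
client code; endpoint and parameter values are the ones documented on this page."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://auth.dataporten.no/oauth/token"
AUDIENCE = "https://auth.dataporten.no"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"


def build_exchange_request(client_id, client_secret, subject_jwt, scopes=()):
    """Return (url, headers, body) for the data source's token-exchange POST.

    `scopes` is what the data source actually needs. Leaving it empty grants every
    scope enabled in the customer portal, so request the minimum instead."""
    params = {
        "audience": AUDIENCE,
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": GRANT_TYPE,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "subject_token": subject_jwt,  # the JWT received from the service
        "subject_token_type": JWT_TOKEN_TYPE,
    }
    if scopes:
        params["scope"] = " ".join(scopes)
    body = urllib.parse.urlencode(params).encode("ascii")
    return TOKEN_ENDPOINT, {"Content-Type": "application/x-www-form-urlencoded"}, body


def decode_form_body(body):
    """Decode an x-www-form-urlencoded body back into {name: value} for inspection."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(body.decode("ascii")).items()}


def parse_exchange_response(status, body):
    """Return (access_token, expires_in, granted_scopes); reject anything unexpected."""
    if status != 200:
        raise RuntimeError(f"token exchange failed with HTTP {status}")
    data = json.loads(body)
    if data.get("token_type") != "Bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    if data.get("issued_token_type") != ACCESS_TOKEN_TYPE:
        raise RuntimeError(f"unexpected issued_token_type {data.get('issued_token_type')!r}")
    token = data.get("access_token")
    if not isinstance(token, str) or not token or not token.isascii():
        raise RuntimeError("access_token missing or not an opaque ASCII string")
    return token, int(data["expires_in"]), set(data.get("scope", "").split())


def urllib_transport(url, headers, body):
    """Real transport: POST the body to Feide and return (status, response_bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class ExchangedTokenCache:
    """Caches the access token per subject JWT and re-exchanges it shortly before
    expires_in runs out, so a burst of requests for one user costs one exchange."""

    def __init__(self, client_id, client_secret, transport=urllib_transport,
                 clock=time.monotonic, refresh_margin=30):  # margin is an assumption
        self._client_id, self._client_secret = client_id, client_secret
        self._transport, self._clock, self._margin = transport, clock, refresh_margin
        self._cache = {}  # subject_jwt -> (access_token, expiry on the monotonic clock)

    def access_token(self, subject_jwt, scopes=()):
        now = self._clock()  # taken before the round trip, so the expiry is conservative
        cached = self._cache.get(subject_jwt)
        if cached and cached[1] - self._margin > now:
            return cached[0]
        url, headers, body = build_exchange_request(
            self._client_id, self._client_secret, subject_jwt, scopes)
        token, expires_in, granted = parse_exchange_response(*self._transport(url, headers, body))
        missing = set(scopes) - granted
        if missing:  # never continue with fewer rights than the caller assumes it has
            raise RuntimeError(f"scopes not granted: {sorted(missing)}")
        self._cache[subject_jwt] = (token, now + expires_in)
        return token


# Constructed stand-in for Feide that replies with the example response on this page.
EXAMPLE_RESPONSE = json.dumps({
    "access_token": "5f0941ec-9980-4398-a126-83ad8efb34ed",
    "token_type": "Bearer",
    "issued_token_type": ACCESS_TOKEN_TYPE,
    "expires_in": 299,
    "scope": "groups-edu groups-other profile userid userid-feide",
}).encode()


def example_transport(url, headers, body):
    """Offline transport for demonstration: checks the request shape, then replies."""
    sent = decode_form_body(body)
    assert url == TOKEN_ENDPOINT and sent["audience"] == AUDIENCE
    assert sent["grant_type"] == GRANT_TYPE and sent["subject_token_type"] == JWT_TOKEN_TYPE
    return 200, EXAMPLE_RESPONSE


if __name__ == "__main__":
    cache = ExchangedTokenCache("03dd959b-13ea-44b5-8930-bedae77973f1", "<client secret>",
                                transport=example_transport)
    print(cache.access_token("eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI...", ["groups-edu"]))
```

The cache is keyed by the exact JWT string the service sent, so a freshly issued JWT for the same user triggers a fresh exchange; that is the safe default, since the data source has not parsed the JWT and cannot tell which user it belongs to without asking Feide. Replace `example_transport` with `urllib_transport` (or the HTTP client the data source already uses) to talk to the real token endpoint.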