Accessing Feide data from a data source
Note: We will shortly make the customer portal able to manage accessing Feide data from a data source. For now, please use the dashboard instead.
A data source can be authorized to access Feide data like user and group information. The following must be in place:
The data source needs an access token authorizing the data source to act on behalf of a particular service and possibly user. The access token specifies which attribute groups are available using that token. Inside the token, this is expressed as scopes.
The attribute groups the data source is allowed to access must be configured in the customer portal.
If the data source is to access information about the user logged in to the service, the service must be activated for the user’s organization or organization unit.
To obtain an access token, the data source must first have received a Feide JWT access token. This token must be issued by Feide and addressed to the data source. See Working with Feide JWT tokens.
Next, the service submits the JWT to Feide. If successful, it receives a Feide access token in return. The request to Feide is a token exchange request to the token endpoint. For this request, the grant type urn:ietf:params:oauth:grant-type:token-exchange is used. The response from the token endpoint, termed a token exchange response, will contain a Feide access token unless the request failed.
Just like for services, the data source can now include the access token as a bearer token in the Authorization header when accessing Feide. See Using an Access Token.
Token exchange request from data source
Note: This is for the case when a data source wants a regular access token to pass to Feide. See Token exchange request from service for the case when a service wants a JWT to pass to Feide.
A token exchange request includes audience and scope parameters. The audience must be https://auth.dataporten.no. The valid values for scopes are the Feide access levels which are configured in the customer portal for the data source.
A token exchange request is made to the token endpoint using the HTTP POST method. Parameters are included in the HTTP request entity-body using the application/x-www-form-urlencoded format. The parameters are:
- audience: https://auth.dataporten.no
- client_id: The UUID of the data source making the exchange request.
- client_secret: The client secret of the data source.
- grant_type: The value urn:ietf:params:oauth:grant-type:token-exchange selects OAuth2 token exchange.
- requested_token_type: The value urn:ietf:params:oauth:token-type:access_token selects a regular access token.
- scope: A space-separated list of identifiers of desired access levels defined by Feide. See Scopes, claims and attribute groups. If this parameter is empty or left out, it is taken as a request for all scopes configured for the data source.
- subject_token: A valid JWT access token issued by Feide. The aud claim in the JWT should be the UUID of the data source, prefixed by https://n.feide.no/datasources/. The iss claim should be https://auth.dataporten.no. The scope claim in the JWT is ignored.
- subject_token_type: Must be urn:ietf:params:oauth:token-type:jwt.
Here is an example:
POST https://auth.dataporten.no/oauth/token
content-type: application/x-www-form-urlencoded
audience=https://auth.dataporten.no
&client_id=03dd959b-13ea-44b5-8930-bedae77973f1
&client_secret=7ec72f43-d697-40d3-9992-cd15f4016bae
&grant_type=urn:ietf:params:oauth:grant-type:token-exchange
&requested_token_type=urn:ietf:params:oauth:token-type:access_token
&scope=groups-edu groups-other profile userid userid-feide
&subject_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI...
&subject_token_type=urn:ietf:params:oauth:token-type:jwt
Successful response
A successful response has status 200 and an application/json body with the following attributes:
- token_type: The type is Bearer.
- issued_token_type: The type is urn:ietf:params:oauth:token-type:access_token.
- access_token: The access token that was issued.
- expires_in: Number of seconds until the access token expires.
- scope: The scopes that were granted.
Here is an example:
{
"access_token": "5f0941ec-9980-4398-a126-83ad8efb34ed",
"token_type": "Bearer",
"issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
"expires_in": 299,
"scope": "groups-edu groups-other profile userid userid-feide"
}
The access token is an opaque ASCII string; see the reference documentation.
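The following is an added example, not Feide's own code, showing a data source assembling the token exchange request described above and parsing the successful response. The pre-check of the subject token's iss and aud claims before sending, the unsigned sample-JWT helper and all function names are this example's own; the parameter names, URN values, aud prefix and audience come from the page, and no network request is made.

```python
import base64
import json
from urllib.parse import urlencode

AUDIENCE = "https://auth.dataporten.no"
DATASOURCE_AUD_PREFIX = "https://n.feide.no/datasources/"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped token so the example runs offline (not a real Feide token)."""
    header = _b64url(json.dumps({"typ": "JWT", "alg": "none"}).encode())
    return header + "." + _b64url(json.dumps(claims).encode()) + "."

def check_subject_token(jwt: str, datasource_id: str) -> dict:
    """Reject a JWT Feide would refuse (wrong iss, or aud not this data source); Feide still verifies the signature."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("subject_token is not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # JWT segments omit base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims.get("iss") != AUDIENCE:
        raise ValueError(f"unexpected iss {claims.get('iss')!r}")
    aud = claims.get("aud")
    if DATASOURCE_AUD_PREFIX + datasource_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("JWT aud is not this data source")
    return claims

def build_exchange_body(datasource_id: str, client_secret: str, jwt: str, scopes=()) -> str:
    """Form-encoded body for the POST to the token endpoint; no scopes requests all configured ones."""
    check_subject_token(jwt, datasource_id)
    params = {"audience": AUDIENCE, "client_id": datasource_id, "client_secret": client_secret,
              "grant_type": GRANT_TYPE, "requested_token_type": ACCESS_TOKEN_TYPE,
              "subject_token": jwt, "subject_token_type": JWT_TOKEN_TYPE}
    if scopes:
        params["scope"] = " ".join(scopes)
    return urlencode(params)

def parse_exchange_response(status: int, body: str, now: int) -> tuple:
    """Return (access_token, granted scopes, expiry time); after expiry a new exchange is needed."""
    if status != 200:
        raise RuntimeError(f"token exchange failed: HTTP {status}")
    data = json.loads(body)
    if data["token_type"] != "Bearer" or data["issued_token_type"] != ACCESS_TOKEN_TYPE:
        raise RuntimeError("unexpected token type in exchange response")
    return data["access_token"], data["scope"].split(), now + int(data["expires_in"])
```

The returned expiry time is what a data source compares against the clock before each call to Feide, since the token is only valid for 5 minutes.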
Token lifetimes
The token lifetime is 5 minutes. If the data source needs access after the token has expired, it must obtain a new one.