Accessing Feide data from a data source#
A data source may need Feide data, such as user and group information, when processing a request from a service. To access the Feide data, the data source can do a token exchange to get a Feide access token.
Warning
The service should not pass its own access token to the data source, as this would allow the data source to impersonate the service.
Example flow#
Here is an example flow showing a data source that retrieves the user’s groups to determine if they have access:
```mermaid
sequenceDiagram
    accTitle: Data source accessing Feide data
    accDescr: A diagram illustrating the flow of accessing Feide data from a data source
    autonumber
    participant Service
    participant Feide
    participant Data source
    Service ->> Feide: requests a JWT for Data source
    Feide -->> Service: JWT for Data source
    Service ->> Data source: requests some data, using JWT for Data source
    Data source ->> Feide: requests access token for self,<br>using JWT it got from Service
    Feide -->> Data source: opaque access token
    Data source ->> Feide: requests user's groups,<br>using access token
    Feide -->> Data source: user's groups
    Data source -->> Service: requested data
```
Steps 1 through 3 are the normal flow a service uses to access data from a data source in Feide. See Accessing data using JWT Token Exchange for details.
When the data source needs to access Feide data, the flow also includes steps 4 through 7.
In step 4, the data source sends a token exchange request to Feide with the JWT it received from the service. See Token exchange request from data source for details about this request. Feide returns an access token to the data source in step 5.
The data source then uses the access token to retrieve the user’s groups from Feide. These allow the data source to check that the user has access to the requested information, before returning the requested data to the service in step 8.
Available Feide data#
A data source can access the same data from Feide as a normal service. Like for services, access to Feide data for data sources is configured in the Feide customer portal.
Token exchange request from data source#
Note
This is for the case when a data source wants a regular access token to pass to Feide. See Token exchange request from service for the case when a service wants a JWT to pass to Feide.
A token exchange request includes audience and scope parameters. The audience must be https://auth.dataporten.no. The valid values for scopes are the Feide access levels which are configured in the customer portal for the data source.
A token exchange request is made to the token endpoint using the HTTP “POST” method. Parameters are included in the HTTP request entity-body using the application/x-www-form-urlencoded format. The parameters are:
- audience: https://auth.dataporten.no
- client_id: The UUID of the data source making the exchange request.
- client_secret: The client secret of the data source.
- grant_type: The value urn:ietf:params:oauth:grant-type:token-exchange selects OAuth2 token exchange.
- requested_token_type: The value urn:ietf:params:oauth:token-type:access_token selects a regular access token.
- scope: A space separated list of scopes that should be enabled for the token. The scopes specify which information the data source can retrieve from Feide. See Scopes, claims and attribute groups. The desired scopes must be enabled for the data source in the Feide customer portal. If this parameter is empty or left out, all scopes enabled in the Feide customer portal will be available.
- subject_token: The JWT the data source received from the service.
- subject_token_type: Must be urn:ietf:params:oauth:token-type:jwt.
Here is an example:
```http
POST https://auth.dataporten.no/oauth/token
content-type: application/x-www-form-urlencoded

audience=https://auth.dataporten.no
&client_id=03dd959b-13ea-44b5-8930-bedae77973f1
&client_secret=7ec72f43-d697-40d3-9992-cd15f4016bae
&grant_type=urn:ietf:params:oauth:grant-type:token-exchange
&requested_token_type=urn:ietf:params:oauth:token-type:access_token
&scope=groups-edu groups-other profile userid userid-feide
&subject_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI...
&subject_token_type=urn:ietf:params:oauth:token-type:jwt
```
Successful response#
A successful response has status 200 and an application/json body with the following attributes:
- token_type: The type is Bearer.
- issued_token_type: The type is urn:ietf:params:oauth:token-type:access_token.
- access_token: The access token that was issued.
- expires_in: Number of seconds until the access token expires.
- scope: The scopes that were granted.
Here is an example:
```json
{
  "access_token": "5f0941ec-9980-4398-a126-83ad8efb34ed",
  "token_type": "Bearer",
  "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
  "expires_in": 299,
  "scope": "groups-edu groups-other profile userid userid-feide"
}
```
The access token is an opaque ASCII string; see the reference documentation.
Token lifetimes#
The token lifetime is 5 minutes. If the data source needs access after the token has expired, it must obtain a new one.
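The following is an added example, not code from Feide, showing how a data source might build the token exchange request described above and cache the resulting access token so that it is re-exchanged shortly before the 5 minute lifetime runs out. It also checks that the response carries the expected token types and that every requested scope was actually granted. The `post` callable and `fake_post` are assumptions standing in for a real HTTP client; `fake_post` returns a constructed copy of the response shown on this page.

```python
import time
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://auth.dataporten.no/oauth/token"
AUDIENCE = "https://auth.dataporten.no"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"

def build_exchange_body(client_id, client_secret, service_jwt, scopes):
    """Form-encode the exchange request. service_jwt is the JWT the data
    source got from the service; the service's own access token is never used."""
    params = {"audience": AUDIENCE, "client_id": client_id,
              "client_secret": client_secret, "grant_type": GRANT_TYPE,
              "requested_token_type": ACCESS_TOKEN_TYPE,
              "subject_token": service_jwt, "subject_token_type": JWT_TOKEN_TYPE}
    if scopes:  # omitting scope grants everything enabled in the customer portal
        params["scope"] = " ".join(scopes)
    return urlencode(params)

class FeideTokenCache:
    """Holds the opaque access token and re-exchanges shortly before it expires."""
    def __init__(self, post, client_id, client_secret, scopes, margin=30):
        self._post = post  # assumed callable(url, body) -> (status, json_dict)
        self._creds, self._scopes, self._margin = (client_id, client_secret), scopes, margin
        self._token, self._expires_at, self.exchanges = None, 0.0, 0

    def get(self, service_jwt, now=None):
        now = time.time() if now is None else now
        if self._token and now < self._expires_at - self._margin:
            return self._token
        body = build_exchange_body(*self._creds, service_jwt, self._scopes)
        status, resp = self._post(TOKEN_ENDPOINT, body)
        self.exchanges += 1
        if status != 200:
            raise RuntimeError(f"token exchange failed: HTTP {status}")
        if resp.get("token_type") != "Bearer" or resp.get("issued_token_type") != ACCESS_TOKEN_TYPE:
            raise RuntimeError("unexpected token type in exchange response")
        missing = set(self._scopes) - set(resp.get("scope", "").split())
        if missing:  # portal configuration may grant fewer scopes than requested
            raise RuntimeError(f"scopes not granted: {sorted(missing)}")
        self._token, self._expires_at = resp["access_token"], now + int(resp["expires_in"])
        return self._token

# Constructed stand-in for the HTTP POST, returning the example response from this page.
def fake_post(url, body):
    return 200, {"access_token": "5f0941ec-9980-4398-a126-83ad8efb34ed", "token_type": "Bearer",
                 "issued_token_type": ACCESS_TOKEN_TYPE, "expires_in": 299,
                 "scope": "groups-edu groups-other profile userid userid-feide"}
```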