Accessing Feide data from a data source

Note

Support for managing a data source's access to Feide data will shortly be added to the customer portal. For now, please use the dashboard instead.

A data source can be authorized to access Feide data like user and group information. The following must be in place:

  • The data source needs an access token authorizing it to act on behalf of a particular service and, possibly, a user. The access token specifies which attribute groups are available with that token. Inside the token, this is expressed as scopes.

  • The attribute groups the data source is allowed to access must be configured in the customer portal.

  • If the data source is to access information about the user logged in to the service, the service must be activated for the user’s organization or organization unit.

To obtain an access token, the data source must first have received a Feide JWT access token. This token must be issued by Feide and addressed to the data source. See Working with Feide JWT tokens.

Next, the service submits the JWT to Feide. If successful, it receives a Feide access token in return. The request to Feide is a token exchange request to the token endpoint. For this request, grant type urn:ietf:params:oauth:grant-type:token-exchange is used. The response from the token endpoint, termed a token exchange response, will contain a Feide access token, unless the request failed.

Just like for services, the data source can now include the access token as a bearer token in the Authorization header when accessing Feide. See Using an Access Token.

Token exchange request from data source

Note

This is for the case when a data source wants a regular access token to pass to Feide. See Token exchange request from service for the case when a service wants a JWT to pass to Feide.

A token exchange request includes audience and scope parameters. The audience must be https://auth.dataporten.no. The valid values for scope are the Feide access levels that are configured in the customer portal for the data source.

A token exchange request is made to the token endpoint using the HTTP “POST” method. Parameters are included in the HTTP request entity-body using the application/x-www-form-urlencoded format. The parameters are:

  • audience: https://auth.dataporten.no

  • client_id: The UUID of the data source making the exchange request.

  • client_secret: The client secret of the data source.

  • grant_type: The value urn:ietf:params:oauth:grant-type:token-exchange selects OAuth2 token exchange.

  • requested_token_type: The value urn:ietf:params:oauth:token-type:access_token selects a regular access token.

  • scope: A space-separated list of identifiers of desired access levels defined by Feide. See Scopes, claims and attribute groups. If this parameter is empty or left out, it is taken as a request for all scopes configured for the data source.

  • subject_token: A valid JWT access token issued by Feide. The aud claim in the JWT should be the UUID of the data source, prefixed by https://n.feide.no/datasources/. The iss claim should be https://auth.dataporten.no. The scope claim in the JWT is ignored.

  • subject_token_type: Must be urn:ietf:params:oauth:token-type:jwt.

Here is an example:

POST https://auth.dataporten.no/oauth/token
content-type: application/x-www-form-urlencoded

audience=https://auth.dataporten.no
&client_id=03dd959b-13ea-44b5-8930-bedae77973f1
&client_secret=7ec72f43-d697-40d3-9992-cd15f4016bae
&grant_type=urn:ietf:params:oauth:grant-type:token-exchange
&requested_token_type=urn:ietf:params:oauth:token-type:access_token
&scope=groups-edu groups-other profile userid userid-feide
&subject_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI...
&subject_token_type=urn:ietf:params:oauth:token-type:jwt

Successful response

A successful response has status 200 and an application/json body with the following attributes:

  • token_type: The type is Bearer.

  • issued_token_type: The type is urn:ietf:params:oauth:token-type:access_token.

  • access_token: The access token that was issued.

  • expires_in: Number of seconds until the JWT expires.

  • scope: The scopes that were granted.

Here is an example:

{
    "access_token": "5f0941ec-9980-4398-a126-83ad8efb34ed",
    "token_type": "Bearer",
    "issued_token_type": "urn:ietf:params:oauth:token-type:access_token",
    "expires_in": 299,
    "scope": "groups-edu groups-other profile userid userid-feide"
}

The access token is an opaque ASCII string; see the reference documentation.
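The request and response described above, as an added example that is not part of Feide's documentation or client libraries: it builds the form body for the token exchange, checks the subject JWT's iss and aud claims before sending (without verifying the signature, which the data source is assumed to have done already), validates the response, and records when the 5-minute token expires. The client UUID, secret and token values are constructed samples or taken from the example above; sample_jwt is a helper for test input only.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://auth.dataporten.no/oauth/token"
FEIDE_ISSUER = "https://auth.dataporten.no"          # issuer of the JWT and required audience
DATASOURCE_AUD_PREFIX = "https://n.feide.no/datasources/"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
def jwt_claims(token):
    """Decode the payload of a compact JWT. No signature check: the JWT must already be
    verified (see 'Working with Feide JWT tokens'); this only avoids a wasted round trip."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)             # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def build_exchange_request(client_id, client_secret, subject_token, scopes=()):
    """Return (url, headers, form_body) for the token exchange POST."""
    claims = jwt_claims(subject_token)
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]   # 'aud' may be a string or a list
    if claims.get("iss") != FEIDE_ISSUER:
        raise ValueError("subject_token was not issued by Feide")
    if DATASOURCE_AUD_PREFIX + client_id not in auds:
        raise ValueError("subject_token is not addressed to this data source")
    params = {
        "audience": FEIDE_ISSUER,
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "subject_token": subject_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    }
    if scopes:                                       # omitted => all configured scopes
        params["scope"] = " ".join(scopes)
    return TOKEN_ENDPOINT, {"Content-Type": "application/x-www-form-urlencoded"}, urlencode(params)

def parse_exchange_response(status, body, now):
    """Validate the exchange response; 'now' is a Unix timestamp used to compute expiry."""
    if status != 200:
        raise RuntimeError(f"token exchange failed with HTTP {status}: {body}")
    data = json.loads(body)
    if data.get("token_type") != "Bearer" or data.get("issued_token_type") != ACCESS_TOKEN_TYPE:
        raise RuntimeError("unexpected token type in exchange response")
    return {"access_token": data["access_token"], "scopes": data.get("scope", "").split(),
            "expires_at": now + int(data["expires_in"])}

def sample_jwt(claims):  # constructed test input only: base64url header/payload, dummy signature
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"
```

The returned access_token goes into an Authorization: Bearer header on requests to Feide; re-run the exchange once expires_at is reached.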

Token lifetimes

The token lifetime is 5 minutes. If the data source needs access after the token has expired, it must obtain a new one.