Check user existence#

The check user existence API allows a service to check whether a Feide user exists at an organization, without the user needing to be logged in and without retrieving any user attributes. In order to access the API, a number of requirements have to be met.

The API only supports Feide accounts. It cannot be used to check for the existence of, for example, guest users or users logging in using ID-Porten.

Important notice: There is no guarantee that organizations delete user accounts when they are no longer in use. A positive result means the user account exists in the organization’s records, not necessarily that the user is still active. If this distinction matters, it is recommended to take this up with the organization directly.

API endpoints#

The API supports checking the existence of a user by providing either a Feide ID, sub, or a combination of an organization domain and an email address. The structure of the output is the same for all three variants.

By Feide ID or sub

https://api.dataporten.no/userinfo/v1/exists/{identifier}

By email address:

https://api.dataporten.no/userinfo/v1/exists-by-mail/{domain}/{mail}

Examples#

The examples below are for the testuser asbjorn_elevg@testusers.feide.no. This user belongs to the organization with domain testusers.feide.no and can be identified by the values:

  • Feide ID: feide:asbjorn_elevg@testusers.feide.no

  • sub: af761fdb-71fa-484b-9782-ababdc739559

  • email address: asbjorn.hansen@elev.feide.no

The following API calls rely on an access token with the scope system-check-user-existence.

Check existence by Feide ID#

To check whether this user exists by their Feide ID feide:asbjorn_elevg@testusers.feide.no, make the following call:

curl -sSLf -H 'Authorization: Bearer ....' \
'https://api.dataporten.no/userinfo/v1/exists/feide%3Aasbjorn_elevg%40testusers.feide.no'

Check existence by sub#

To check whether this user exists by their sub af761fdb-71fa-484b-9782-ababdc739559, make the following call:

curl -sSLf -H 'Authorization: Bearer ....' \
'https://api.dataporten.no/userinfo/v1/exists/af761fdb-71fa-484b-9782-ababdc739559'

Check existence by email address#

To check whether this user exists by their organization domain testusers.feide.no and email address asbjorn.hansen@elev.feide.no, make the following call:

curl -sSLf -H 'Authorization: Bearer ....' \
'https://api.dataporten.no/userinfo/v1/exists-by-mail/testusers.feide.no/asbjorn.hansen%40elev.feide.no'

Output#

If a user with the provided Feide ID, sub, or email address exists at the organization, the API returns:

{
    "exists": true
}

If no such user exists, it instead returns:

{
    "exists": false
}

Parameters#

identifier#

The identifier path parameter specifies the target user. This parameter accepts the following identifiers:

The identifier must be percent encoded as specified in the rules for path segments in RFC 3986.

Example:

feide%3Auser%40kommune.test

domain#

The domain path parameter specifies the domain of the organization that the target user belongs to.

Example:

kommune.test

mail#

The mail path parameter specifies the email address of the target user.

The mail must be percent encoded as specified in the rules for path segments in RFC 3986.

Example:

user%40ansatt.kommune.test

Return values#

The API returns a JSON object with a single exists key. The value is

  • true if one or more matching users are found and the service is activated for the entire organization or for at least one of the users’ organizational units.

  • false if no matching user is found, or if matching users are found but the service is not activated for any of their organizational units.

Multiple users#

If multiple users are found with the provided email address, the API returns true, as it can tell that a matching user does indeed exist.

Service activation#

Even if a user exists, the response still depends on whether the service is activated for the user’s organization or organizational units. There are three possible cases:

  1. Activated for the entire organization: true

  2. Activated for at least one of the found user’s organizational units: true

  3. Activated, but not for any of the found user’s organizational units: false

If not activated for the organization at all, see Errors.

Errors#

The API returns 400 Bad Request when the identifier is not a valid Feide ID or sub. A Feide ID must have the prefix feide: and contain an @ symbol.

It returns 401 Unauthorized when the bearer token is missing or invalid.

It returns 403 Forbidden when the requirements below are not met.

Requirements for accessing the API#

  • The service must have the system-check-user-existence scope.

  • The access token must have been obtained using the client credentials flow.

  • The service must be activated for the entire organization or for at least one of the organization’s organizational units.