Tokens used in Feide

This page describes the types of tokens used by Feide, their format and use. The key used to sign our JWT tokens may be obtained here:

Feide access token

An opaque ASCII string. Example:

afd4988b-a205-49f9-b2e0-03e00bb4b8c0

Used to access APIs provided by Feide and third party data sources using the legacy API gatekeeper.

Feide JWT access token

An ASCII string. Example (shortened):

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI...

It is intended for use with third party data sources. It consists of a header, a payload and a signature, separated by a period (.). Each part is base64url encoded. See RFC 7519 - JSON Web Token (JWT). The payload is a JSON object containing claims.

Here is an example of what the payload may look like after decoding:

{
    "aud": "https://n.feide.no/datasources/02d0f79b-7fbc-422b-bb31-a4d22121f040",
    "iss": "https://auth.dataporten.no",
    "exp": 1610448035,
    "iat": 1610447735,
    "nbf": 1610447735,
    "client_id": "208335d4-e8c1-4910-8928-05b2e5b14127",
    "sub": "208335d4-e8c1-4910-8928-05b2e5b14127",
    "scope": "read append",
    "act": {
        "sub": "208335d4-e8c1-4910-8928-05b2e5b14127",
        "https://n.feide.no/claims/customer_portal_id": "https://n.feide.no/services/1234"
    },
    "name": "Bekymret Sky",
    "https://n.feide.no/claims/eduPersonPrincipalName": "bsk@uinn.no",
    "https://n.feide.no/claims/nin": "05840399895"
}

If the token was issued in the context of an authenticated user, it may contain claims about the user. A claim is only included if both the service that requested the token and the data source are authorized to access it.

The following claims are always included in the token:

aud

Audience. The data source should only accept the token if it is the intended audience.

iss

Issuer. The value is https://auth.dataporten.no if the token was issued by Feide.

iat

Time of issue. This and other time attributes are given in seconds since 1970-01-01T00:00:00 UTC.

exp

Expiration time.

nbf

Not-before time: the token is not valid before this time. Protects against clock skew.

client_id

ID of the application that requested the token.

sub

Subject - the identity that the token authenticates. Can be a Dataporten user ID or a client ID. In the future, a data source UUID may also become possible.

scope

The scopes that were granted.

act

Actor. It represents a chain of delegation. E.g., an application could authorize a data source to access another on its behalf. We do not currently support delegation in JWT tokens, so the chain is only one level deep. It is a JSON object with the following attributes:

sub

Has the same value as client_id in the token.

https://n.feide.no/claims/customer_portal_id

The service or datasource that the token was issued for. For services, it is the string https://n.feide.no/service_ids/ followed by the customer portal ID of the service that the token was issued for.

Datasources aren’t currently supported, but may be added in the future. If supported, they will be represented as the string https://n.feide.no/datasource_ids/ followed by the customer portal ID of the datasource that the token was issued for.
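As an added example, not code from the Feide documentation or the Feide project, the following Go program shows the token structure described above and the checks a data source performs on a Feide JWT access token: it splits the token into its three base64url parts, verifies the RS256 signature over "header.payload", and only then checks iss, aud, the nbf..exp window (with a small leeway for clock skew) and the granted scope. It assumes a throwaway RSA key generated inside the program in place of Feide's published signing key, builds its claims from the payload example above, and invents the function names (mintRS256, VerifyAccessToken, Demo) and the second data source audience URL for the wrong-audience case.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

const FeideIssuer = "https://auth.dataporten.no" // iss value for tokens issued by Feide

// Claims holds the claims a data source checks; others in the payload are ignored.
type Claims struct {
	Aud   string `json:"aud"`
	Iss   string `json:"iss"`
	Exp   int64  `json:"exp"`
	Nbf   int64  `json:"nbf"`
	Sub   string `json:"sub"`
	Scope string `json:"scope"`
}

var enc = base64.RawURLEncoding // JWT parts are base64url without padding

// mintRS256 plays the issuer with a throwaway key (not Feide's): the RS256 signature
// covers the encoded "header.payload" string. Signing errors are ignored in this demo helper.
func mintRS256(key *rsa.PrivateKey, c Claims) string {
	header, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "RS256"})
	payload, _ := json.Marshal(c)
	signingInput := enc.EncodeToString(header) + "." + enc.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return signingInput + "." + enc.EncodeToString(sig)
}

// VerifyAccessToken is the data-source side: signature first, then iss, aud, the
// nbf..exp window (with leeway for clock skew) and the scope this API requires.
func VerifyAccessToken(token string, pub *rsa.PublicKey, myAud, needScope string, now time.Time, leeway time.Duration) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token must have exactly three parts")
	}
	var hdr map[string]string // the verifier fixes the algorithm; the token never chooses it
	rawHdr, err := enc.DecodeString(parts[0])
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil || hdr["alg"] != "RS256" {
		return nil, fmt.Errorf("header must be valid JSON declaring alg RS256")
	}
	sig, err := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims
	rawPayload, err := enc.DecodeString(parts[1])
	if err != nil || json.Unmarshal(rawPayload, &c) != nil {
		return nil, fmt.Errorf("payload is not valid base64url-encoded JSON")
	}
	if c.Iss != FeideIssuer || c.Aud != myAud {
		return nil, fmt.Errorf("issuer %q / audience %q not accepted by this data source", c.Iss, c.Aud)
	}
	if t, skew := now.Unix(), int64(leeway.Seconds()); t+skew < c.Nbf || t-skew >= c.Exp {
		return nil, fmt.Errorf("token outside its nbf..exp window")
	}
	if !strings.Contains(" "+c.Scope+" ", " "+needScope+" ") { // scope is space separated
		return nil, fmt.Errorf("scope %q was not granted", needScope)
	}
	return &c, nil
}

// Demo mints tokens with a throwaway key and returns the verifier's verdict per case: nil for
// the untouched token; errors for a spliced payload, a foreign audience and an expired token.
func Demo() map[string]error {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // demo key only; never the real signing key
	c := Claims{ // constructed claims mirroring the page's payload example
		Aud: "https://n.feide.no/datasources/02d0f79b-7fbc-422b-bb31-a4d22121f040", Iss: FeideIssuer,
		Exp: 1610448035, Nbf: 1610447735, Sub: "208335d4-e8c1-4910-8928-05b2e5b14127", Scope: "read append"}
	good := mintRS256(key, c)
	c.Scope = "read append delete"
	g, w := strings.Split(good, "."), strings.Split(mintRS256(key, c), ".")
	spliced := g[0] + "." + w[1] + "." + g[2] // wider payload under the original signature
	now := time.Unix(1610447800, 0)            // constructed clock inside the token's window
	verify := func(tok, aud string, at time.Time) error {
		_, err := VerifyAccessToken(tok, &key.PublicKey, aud, "append", at, 30*time.Second)
		return err
	}
	return map[string]error{
		"untouched": verify(good, c.Aud, now),
		"spliced":   verify(spliced, c.Aud, now),
		"wrong-aud": verify(good, "https://n.feide.no/datasources/other", now), // hypothetical audience
		"expired":   verify(good, c.Aud, now.Add(time.Hour)),
	}
}

func main() { fmt.Println(Demo()) }
```

Run it with go run. The spliced case shows why the signature must be checked before any claim is read: the payload carrying the wider scope is rejected because the signature was computed over the original payload. In production the public key is Feide's published signing key, not a key generated locally, and the audience is the data source's own URL as shown in the aud claim above.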

User claims in JWT access tokens

The following user claims may be included:

name

Name of the user who the token authenticates.

picture

Picture of the user.

sub

Described above.

https://n.feide.no/claims/userid_sec

Secondary user ID of the user.

https://n.feide.no/claims/eduPersonPrincipalName

eduPersonPrincipalName of the user. Only for users who authenticated to the Feide IDP.

https://n.feide.no/claims/nin

Norwegian national identity number of the user.

ID token

The ID token is a signed information object representing the authenticated identity of the user. It is specified in the OpenID Connect standard. The ID token is encoded as a JWT, and signed using the JWS standard.

The information included - the claims - depends on the scopes / attribute groups enabled for the application. Claims are namespaced, so that claims which are specific to Feide are prefixed with https://n.feide.no/claims/. Claims without this prefix are specified in the OIDC standard or in RFC 7519 - JSON Web Token (JWT).

ID token example:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvYXV0aC5kZXYuZmVpZGVjb25uZWN0Lm5vIiwiYXVkIjoiNWFjODc1M2YtODI5Ni00MWJmLWI5ODUtNTlkODk3NjkwMDVlIiwic3ViIjoiNzZhN2EwNjEtM2M1NS00MzBkLThlZTAtNmY4MmVjNDI1MDFmIiwiaWF0IjoxNDQ5MDY1NDMyLCJleHAiOjE0NDkwNjkwMzIsImF1dGhfdGltZSI6MTQ0OTA2NTM2NH0.bObvZ_Ampf_exj4iUcocptJwHKt_zZI4GnZ-VrXoqYlXaGGgwACzCzhSpck_z1C87gZYlOdK-TQwILHcGyObmi1rH5VCvrYL1xNyGeHYlYs8bQ8odhZAPiYjb9cet5nP1aP4ZeJu5aInWwLIaeVUgavQEVAl1xGiPRh8WjKZdP-P1WslLACnVZu84YLrOZQYnkGMpDS_VBGHVSK3VPVjRd14vhqYCoGTaKSXrp49LlejU0dzaokmGI_ZAejwVY1BCFMonEyDNwZVZKoq2GbHwqpjhucWOZRQjYzeWTEXlly18EwYg55k6awNPZt8fKp0XoRoTB4we5WGoFV6XZuaGA

Here is a decoded example of a minimal ID token:

{
    "iss": "https://auth.dataporten.no",
    "aud": "5ac8753f-8296-41bf-b985-59d89769005e",
    "sub": "76a7a061-3c55-430d-8ee0-6f82ec42501f",
    "iat": 1449065432,
    "exp": 1449069032,
    "auth_time": 1449065364
}

The example above shows what the ID token includes when only the openid scope is enabled. All times are in seconds since 1970-01-01 00:00:00 UTC.

iss

Issuer

aud

Audience - the client ID

sub

Subject - The internal ID of the authenticated user. This ID is stable but opaque, not releasing any additional information about the user.

iat

Issued at - Time issued (in seconds since 1970-01-01T00:00:00 UTC)

exp

Expiration time (in seconds since 1970-01-01T00:00:00 UTC)

auth_time

Time when the end-user authentication occurred

The attributes acr, at_hash, c_hash and nonce may also be present. See the OIDC standard for info about these.

Here is an example of a decoded ID token which includes all supported claims:

{
    "iss": "https://auth.dataporten.no",
    "jti": "f95ed523-b9b2-42e7-b193-a08143d9f342",
    "aud": "5ac8753f-8296-41bf-b985-59d89769005e",
    "sub": "76a7a061-3c55-430d-8ee0-6f82ec42501f",
    "iat": 1635509702,
    "exp": 1635513302,
    "auth_time": 1635505713,
    "nonce": "PLt3i3bT2~xTw7m",
    "email": "jon.kare.hellan@uninett.no",
    "name": "Jon Kåre Hellan",
    "picture": "https://api.dataporten.no/userinfo/v1/user/media/p:c0050004-386e-4c58-9073-e37344bc8769",
    "https://n.feide.no/claims/userid_sec": [
        "feide:jk@uninett.no"
    ],
    "https://n.feide.no/claims/eduPersonPrincipalName": "jk@uninett.no",
    "at_hash": "DiafctHGah2reptMDjEqUg"
}

User claims in ID tokens

email

The user’s email. Requires the email attribute group.

name

The user’s name. Requires the userinfo-name attribute group.

picture

A picture of the user. Requires the userinfo-photo attribute group.

https://n.feide.no/claims/userid_sec

An array of secondary user IDs, with a prefix to indicate the source.

If the application has the userid-feide attribute group, and the user logged in with Feide, it will contain feide: followed by the eduPersonPrincipalName of the user. Example: feide:jk@uninett.no.

If the application has the userid-nin attribute group, and the user logged in with ID-porten, it will contain nin: followed by the national identity number of the user. Example: nin:10108012345.

https://n.feide.no/claims/eduPersonPrincipalName

The user’s eduPersonPrincipalName. Requires the userid-feide attribute group. Only available if the user logged in with Feide.

https://n.feide.no/claims/nin

The user’s national identity number. Requires the userid-nin attribute group.
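As an added example, not taken from the Feide documentation, this Go program performs the client-side checks on a decoded ID token payload that the claim descriptions in the ID token section call for: iss, aud equal to the client ID, the iat..exp window, the nonce the client sent with the request, auth_time against a maximum age, and at_hash against the access token returned alongside. It also parses the userid_sec entries described above into source and identifier. The at_hash rule (base64url of the left-most 128 bits of SHA-256 over the access token, for an RS256 ID token) comes from OpenID Connect Core, which the page refers to rather than restates. The program assumes the JWS signature has already been verified against Feide's published key, reuses the claim values from the full decoded example above, and constructs the access token value and the function names (ValidateIDToken, AtHash, ParseUseridSec, constructedPayload).

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// IDToken holds the ID token claims checked below, named as on the page.
type IDToken struct {
	Iss       string   `json:"iss"`
	Aud       string   `json:"aud"`
	Sub       string   `json:"sub"`
	Iat       int64    `json:"iat"`
	Exp       int64    `json:"exp"`
	AuthTime  int64    `json:"auth_time"`
	Nonce     string   `json:"nonce"`
	AtHash    string   `json:"at_hash"`
	UseridSec []string `json:"https://n.feide.no/claims/userid_sec"`
}

// AtHash computes the OIDC Core at_hash for an RS256 ID token: base64url (no padding)
// of the left-most 128 bits of SHA-256 over the ASCII access token.
func AtHash(accessToken string) string {
	sum := sha256.Sum256([]byte(accessToken))
	return base64.RawURLEncoding.EncodeToString(sum[:16])
}

// ValidateIDToken checks a decoded ID token payload on the client side. It assumes the
// JWS signature has already been verified against Feide's published signing key.
// nonce, accessToken and maxAge are optional (empty or zero disables that check).
func ValidateIDToken(payload []byte, clientID, nonce, accessToken string, now time.Time, maxAge time.Duration) (*IDToken, error) {
	var t IDToken
	if err := json.Unmarshal(payload, &t); err != nil {
		return nil, err
	}
	if t.Iss != "https://auth.dataporten.no" {
		return nil, fmt.Errorf("unexpected issuer %q", t.Iss)
	}
	if t.Aud != clientID { // aud is the client ID; a token issued to another client is not ours
		return nil, fmt.Errorf("token issued to client %q", t.Aud)
	}
	if u := now.Unix(); u >= t.Exp || t.Iat > u+30 { // 30 s leeway for clock skew
		return nil, fmt.Errorf("token outside its iat..exp window")
	}
	if nonce != "" && subtle.ConstantTimeCompare([]byte(t.Nonce), []byte(nonce)) != 1 {
		return nil, fmt.Errorf("nonce mismatch: token does not belong to this login attempt")
	}
	if maxAge > 0 && time.Unix(t.AuthTime, 0).Add(maxAge).Before(now) {
		return nil, fmt.Errorf("end-user authentication at %d is older than max_age", t.AuthTime)
	}
	if accessToken != "" && t.AtHash != AtHash(accessToken) {
		return nil, fmt.Errorf("at_hash does not match the access token received with it")
	}
	return &t, nil
}

// ParseUseridSec splits userid_sec entries into source and identifier, e.g.
// "feide:jk@uninett.no" -> feide / jk@uninett.no and "nin:10108012345" -> nin / 10108012345.
func ParseUseridSec(ids []string) (map[string]string, error) {
	out := make(map[string]string, len(ids))
	for _, id := range ids {
		kv := strings.SplitN(id, ":", 2)
		if len(kv) != 2 || kv[0] == "" || kv[1] == "" {
			return nil, fmt.Errorf("malformed userid_sec entry %q", id)
		}
		out[kv[0]] = kv[1]
	}
	return out, nil
}

// constructedPayload mirrors the page's full ID token example, with at_hash bound to a
// constructed access token so that the at_hash check can be exercised offline.
func constructedPayload(accessToken, nonce string) []byte {
	b, _ := json.Marshal(map[string]interface{}{
		"iss": "https://auth.dataporten.no", "aud": "5ac8753f-8296-41bf-b985-59d89769005e",
		"sub": "76a7a061-3c55-430d-8ee0-6f82ec42501f", "iat": 1635509702, "exp": 1635513302,
		"auth_time": 1635505713, "nonce": nonce, "at_hash": AtHash(accessToken),
		"https://n.feide.no/claims/userid_sec": []string{"feide:jk@uninett.no"},
	})
	return b
}

func main() {
	at, nonce := "afd4988b-a205-49f9-b2e0-03e00bb4b8c0", "PLt3i3bT2~xTw7m" // constructed values
	tok, err := ValidateIDToken(constructedPayload(at, nonce), "5ac8753f-8296-41bf-b985-59d89769005e",
		nonce, at, time.Unix(1635509750, 0), 2*time.Hour)
	if err != nil {
		panic(err)
	}
	ids, _ := ParseUseridSec(tok.UseridSec)
	fmt.Println(tok.Sub, ids["feide"]) // 76a7a061-3c55-430d-8ee0-6f82ec42501f jk@uninett.no
}
```

The nonce is compared in constant time and is what ties the ID token to the login attempt the client started; the at_hash check ties it to the access token delivered with it, so a token and access token captured from two different responses cannot be paired. The maximum-age check uses auth_time, which the page notes is the time of the end-user authentication rather than the time the token was issued.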