...

  • Validate that the token is a signed JWT

  • Validate that the token was issued by ID-porten (the iss claim is as ID-porten describes):

    • In test: https://test.idporten.no

    • In production: https://idporten.no

  • Validate that the token has not expired (exp claim)

  • Validate that the token is signed by ID-porten (i.e. that the token is signed with the private key corresponding to the public key ID-porten refers to from its well-known endpoint)

  • Validate that the token is intended for Reseptformidleren (audience claim "aud"):

    • for all test environments: http://nhn.test2-na.reseptformidleren.net/NA/NAWebServiceSoapHttpPort

    • for prod: http://nhn.prod-na.reseptformidleren.net/NA/NAWebServiceSoapHttpPort

  • Validate that the token has the correct scopes, eresept:nettutleverer and openid; this scope is valid for both M9NA1 and M9NA3

  • The online dispenser's (nettutleverer's) identity must be verified and must match between M9NA1/M9NA3 and the OIDC token:

    • The organisation number of the online pharmacy's legal entity must be in ISO 6523 format in the "consumer" claim; see ID-porten's documentation on access tokens for more information.

    • An internal lookup in Reseptformidleren's register of actors must be made to validate that the organisation number in the online pharmacy's enterprise certificate (virksomhetssertifikat) matches.

  • Validate that the identity given as the logged-in customer in M9NA1/M9NA3 is the same identity as given in the OIDC token's pid claim. The identity is either a national identity number (fødselsnummer) or a D-number.

  • Validate that the token has security level 4 (the acr claim is Level4 / idporten-loa-high), i.e. the customer has logged in with BankID.

  • Validate from the token that the client (the online dispenser) has authenticated to ID-porten with an enterprise certificate or private_key_jwt (i.e. the integration with ID-porten uses "private_key_jwt"); effectively, that the client_amr claim is virksomhetssertifikat or private_key_jwt.

...

Base64-decoded access token with helper text

// Header (note: this line is only helper text)
{
  "kid" : "digitaliseringsdirektoratet--cert0",   // previous version: "vPpZeoG8ddLzfts1-lgsug8sraWwmm8txIhbwcXwGMI"
  "alg" : "RS256"
}
// Payload (note: this line is only helper text)
{
  "sub" : "19108209340",                   // previous version: "SscL6J9e9wRuxbE5CC1JMYoTX4e23P29nU1UC32t-oA="
  "iss" : "https://test.idporten.no",      // previous version: "https://oidc-ver2.difi.no/idporten-oidc-provider/"
  "client_amr" : "private_key_jwt",        // previous version: "virksomhetssertifikat"
  "pid" : "19108209340",
  "token_type" : "Bearer",
  "client_id" : "57308738-56fa-4676-b422-83269165b00e",
  "aud" : [ "http://nhn.test2-na.reseptformidleren.net/NA/NAWebServiceSoapHttpPort", "57308738-56fa-4676-b422-83269165b00e" ],
  "acr" : "idporten-loa-high",             // previous version: "Level4"
  "scope" : "eresept:nettutleverer openid",
  "supplier" : {
    "authority" : "iso6523-actorid-upis",
    "ID" : "0192:994598759"
  },
  "exp" : 1698852734,                      // previous version: 1686234029
  "iat" : 1698852434,                      // previous version: 1686233730
  "jti" : "-ZbowD2jWPlU6MW0H-kbG4yh2n_ieN87lIeSEq4qPSc",   // previous version had "client_orgno" : "983044778" and "jti" : "DmVMB32Cmo" here
  "consumer" : {
    "authority" : "iso6523-actorid-upis",
    "ID" : "0192:983044778"
  }
}
// Signature (note: this line is only helper text)
g9yf1IIS3mm2PqEEdKW-f-jQbJ6jTYhIHN0Gnqx90VOjdpGlsDJcHjv6WzWLaObbqcZ40XPQ8YorS2EPq_09VCA-xO0y4XPHpH74uYTpWxNQahQykHxk6CQBA36hWd1DUup2E3btvYYYh9QCuqrZl5Hr3TBzWG_E6znTUmIY_oqz2F5MOmyAeY0OySvVQ_xk512yBGR0Lh0WgQRgdgxzm-WpnW9_Bu91OG1JTORARkm9cj1WRcTxiuTvm4m7Dce-BegDXxwOQAs4wlWm8a5NTeC28bMbdNk3DtNidhjg9IqoE1VzyHKJzbZst9TjAzcMP6vWHlhD8hCZBOqj22U9uZAMkx0B15WzvYCWrabgYjWYhfMckby_TpUOgEI1kOnTmStZkDZow
588Pz0QJ-kEQpdTNfDm5OQadIgSeGWn8LXh7ePE5Q9B4blf9rtXlJ_Uhn43XyZ7793kaKer41VTXgKi68Ltt8lny_X9aOk2J409WOLBWp17mrIbt4M2sU8M04_jx931X_z6n5U3Jse2wkzoXL9f4bp_nlbC-_tzho8dH-b6EIBgV3lFJCe7XuAabtYl9cGL11TQ4FmEyhF2GyM7UqAzWiDhKiM0gPjl92dflb-9PThq0Z7ljnB4Q8dKC92zeny0mTC_vQ50-ElvH4NSJekeM4SWzXCK9OlkiPni4ci8tICpz0Ove9mK3xo2J9N-V3gAv7p3a37DETtYjSsomVcMKCdNCdlaunYejyO9edKCXz8NAKPNzs8BXE89hffep3YJJbfuB3joDUhmUtf9Z0j_Ce7oo9TKOGJ9ePOkUIIoDOH9JdyG3_x8OSuu2tMLnrl-vnUIPd5FyBb3
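The claim checks from the checklist above, run against a constructed unsigned sample modelled on the decoded token just shown, as an added Python example that is not part of the original page or of Reseptformidleren's code. The constant names, the `registered_orgnos` set standing in for the internal actor register, and the `0192:` prefix check are assumptions; verifying the RS256 signature against the key ID-porten publishes under the header's kid is a separate step not shown here.

```python
import base64
import json

# Expected values for the test environment, taken from the checklist above.
EXPECTED_ISS = "https://test.idporten.no"
EXPECTED_AUD = "http://nhn.test2-na.reseptformidleren.net/NA/NAWebServiceSoapHttpPort"
REQUIRED_SCOPES = {"eresept:nettutleverer", "openid"}
ALLOWED_ACR = {"Level4", "idporten-loa-high"}
ALLOWED_CLIENT_AMR = {"virksomhetssertifikat", "private_key_jwt"}

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def validate_claims(jwt: str, pid_in_message: str, registered_orgnos: set, now: int) -> list:
    """Return the names of failed checks (empty list = all claim checks passed). The RS256
    signature must be verified separately with the key ID-porten publishes under the header kid."""
    parts = jwt.split(".")
    if len(parts) != 3:
        return ["format"]  # not compact header.payload.signature serialization
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    aud = claims.get("aud", [])
    consumer = claims.get("consumer") or {}
    orgno = str(consumer.get("ID", ""))  # "0192:<orgno>", ICD 0192 = Norwegian org number (assumed check)
    checks = [
        ("header", header.get("alg") == "RS256" and bool(header.get("kid"))),
        ("iss", claims.get("iss") == EXPECTED_ISS),
        ("exp", int(claims.get("exp", 0)) > now),
        ("aud", EXPECTED_AUD in ([aud] if isinstance(aud, str) else aud)),
        ("scope", REQUIRED_SCOPES <= set(claims.get("scope", "").split())),
        ("acr", claims.get("acr") in ALLOWED_ACR),
        ("client_amr", claims.get("client_amr") in ALLOWED_CLIENT_AMR),
        ("consumer", consumer.get("authority") == "iso6523-actorid-upis"
                     and orgno[:5] == "0192:" and orgno[5:] in registered_orgnos),
        ("pid", claims.get("pid") == pid_in_message),  # logged-in customer in M9NA1/M9NA3
    ]
    return [name for name, ok in checks if not ok]

# Constructed sample modelled on the decoded token above (unsigned: empty signature segment).
SAMPLE_HEADER = {"kid": "digitaliseringsdirektoratet--cert0", "alg": "RS256"}
SAMPLE_CLAIMS = {"iss": EXPECTED_ISS, "pid": "19108209340", "client_amr": "private_key_jwt",
                 "aud": [EXPECTED_AUD, "57308738-56fa-4676-b422-83269165b00e"],
                 "acr": "idporten-loa-high", "scope": "eresept:nettutleverer openid",
                 "exp": 1698852734, "iat": 1698852434,
                 "consumer": {"authority": "iso6523-actorid-upis", "ID": "0192:983044778"}}
SAMPLE_JWT = b64url_encode(SAMPLE_HEADER) + "." + b64url_encode(SAMPLE_CLAIMS) + "."
```

With `now` taken from the receiving system's clock, an empty result means every claim check passed and only the signature check remains.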

Note that the "supplier" field exists only because we are a supplier who

The corresponding raw access token is a JWT (JSON Web Token).


To be clear, Reseptformidleren expects the raw access token JWT to be base64 encoded. That is:

import java.util.Base64

val accessTokenJwtString = "eyJraWQiOi..."
// The JWT string (already base64url-encoded header.payload.signature) is base64 encoded once more.
val forventetFormat: String = Base64.getEncoder().encodeToString(accessTokenJwtString.toByteArray(Charsets.UTF_8))

...