Maskinporten referenceΒΆ
ClaimsΒΆ
See the Access Token reference in Maskinporten for a list of all claims.
Runtime Variables & CredentialsΒΆ
Your application will automatically be injected with environment variables at runtime.
Variables for acquiring tokensΒΆ
These variables are used to consume an external API.
Name | Description |
---|---|
MASKINPORTEN_CLIENT_ID |
Client ID that uniquely identifies the client in Maskinporten. |
MASKINPORTEN_CLIENT_JWK |
Private JWK (RSA) for the client. |
MASKINPORTEN_WELL_KNOWN_URL |
The well-known URL for the metadata discovery document |
MASKINPORTEN_ISSUER |
issuer from the metadata discovery document. |
MASKINPORTEN_TOKEN_ENDPOINT |
token_endpoint from the metadata discovery document. |
Variables for validating tokensΒΆ
These variables are used to secure your API.
Name | Description |
---|---|
MASKINPORTEN_WELL_KNOWN_URL |
The well-known URL for the metadata discovery document |
MASKINPORTEN_ISSUER |
issuer from the metadata discovery document. |
MASKINPORTEN_JWKS_URI |
jwks_uri from the metadata discovery document. |
Scope NamingΒΆ
A Maskinporten scope consists of a prefix and a subscope:
PrefixΒΆ
The prefix is set to nav
for all scopes.
SubscopeΒΆ
A subscope should describe the resource to be exposed as accurately as possible. It consists of three parts; product, separator and name:
- product
-
The
product
is a logical grouping of resources, such asarbeid
,helse
, orpensjon
. - separator
-
The
separator
should be set to/
. - name
-
The
name
describes the resource itself. It may contain multiple parts separated by/
.The name may also contain a suffix to separate between access levels. For instance, you could separate between
write
access:...and
read
access:
ExampleΒΆ
For the following scope definition:
spec:
maskinporten:
enabled: true
scopes:
exposes:
# nav:helse/sykepenger/afp.read
- enabled: true
product: "helse"
separator: "/"
name: "sykepenger/afp.read"
the subscope is then:
which results in the fully qualified scope:
SpecΒΆ
See the NAIS application reference.