Maskinporten reference¶
Claims¶
See the Access Token reference in Maskinporten for a list of all claims.
Runtime Variables & Credentials¶
Your application will automatically be injected with environment variables at runtime.
Variables for acquiring tokens¶
These variables are used to consume an external API.
Name | Description |
---|---|
MASKINPORTEN_CLIENT_ID |
Client ID that uniquely identifies the client in Maskinporten. |
MASKINPORTEN_CLIENT_JWK |
Private JWK (RSA) for the client. |
MASKINPORTEN_SCOPES |
Whitespace-separated string of scopes registered for the client. |
MASKINPORTEN_WELL_KNOWN_URL |
The well-known URL for the metadata discovery document |
MASKINPORTEN_ISSUER |
issuer from the metadata discovery document. |
MASKINPORTEN_TOKEN_ENDPOINT |
token_endpoint from the metadata discovery document. |
Variables for validating tokens¶
These variables are used to secure your API.
Name | Description |
---|---|
MASKINPORTEN_WELL_KNOWN_URL |
The well-known URL for the metadata discovery document |
MASKINPORTEN_ISSUER |
issuer from the metadata discovery document. |
MASKINPORTEN_JWKS_URI |
jwks_uri from the metadata discovery document. |
Scope Naming¶
All scopes within Maskinporten consist of a prefix and a subscope:
For example:
Prefix¶
The prefix is set to nav
for all scopes.
Subscope¶
A subscope should describe the resource to be exposed as accurately as possible. It consists of three parts; product, separator and name:
- product
-
A product should be a logical grouping of the resource, such as
trygdeopplysninger
orpensjon
. - separator
-
The default separator is
:
. Ifname
contains/
, the default separator is instead/
.If the
separator
field is configured, it will override the default separator. - name
-
The name may also be postfixed to separate between access levels. For instance, you could separate between
write
access:...and
read
access:
Example scope¶
If name does not contain any /
(forward slash), the separator is set to :
(colon).
For the following scope definition:
spec:
maskinporten:
enabled: true
scopes:
exposes:
# `nav:arbeid:some.scope.read`
- name: "some.scope.read"
enabled: true
product: "arbeid"
the subscope is then:
which results in the fully qualified scope:
If name contains a /
(forward slash), the separator is set to /
(forward slash).
For the following scope definition:
spec:
maskinporten:
enabled: true
scopes:
exposes:
# `nav:arbeid/some/scope.read`
- name: "some/scope.read"
enabled: true
product: "arbeid"
the subscope is then:
which results in the fully qualified scope:
Spec¶
See the NAIS application reference.