
ID-porten

Status: Opt-In Open Beta

This feature is only available in team namespaces

Forthcoming changes

ID-porten is currently undergoing some changes. These changes will roll out in the coming months.

TL;DR: new URL and issuer, PKCE is required for Authorization Code Flow and the contents of the sub claim will likely change.

Abstract

ID-porten is a common log-in system used for logging into Norwegian public e-services for citizens.

The NAIS platform provides support for simple, declarative provisioning of an ID-porten client with sensible defaults that your application may use to integrate with ID-porten.

An ID-porten client allows your application to leverage ID-porten for authentication of citizen end-users, providing sign-in capabilities with single sign-on (SSO). To achieve this, your application must implement OpenID Connect with the Authorization Code flow.

This is also a critical first step in request chains where an end-user's identity and permissions must be propagated through each service/web API that is called in NAV, using the OAuth 2.0 Token Exchange protocol. See the TokenX documentation for details.

Info

See the NAV Security Guide for NAV-specific usage of this client.

Warning

Please ensure that you have read the ID-porten Integration guide.

Configuration

spec:
  idporten:
    enabled: true

    # optional, default shown
    clientURI: "https://nav.no"

    # optional, default shown
    redirectPath: "/oauth2/callback"

    # optional, default shown
    frontchannelLogoutPath: "/oauth2/logout"

    # optional, defaults shown
    postLogoutRedirectURIs: 
      - "https://nav.no"

    # optional, in seconds - default shown (1 hour)
    accessTokenLifetime: 3600

    # optional, in seconds - default shown (2 hours)
    sessionLifetime: 7200

  # required for on-premises only
  webproxy: true

Spec

See the NAIS manifest.

Access Policies

ID-porten is a third-party service outside of our clusters and, like most third-party services, it is not reachable by default.

Google Cloud Platform (GCP)

The following outbound external hosts are automatically added when enabling this feature:

  • oidc-ver2.difi.no in development
  • oidc.difi.no in production

You do not need to specify these explicitly.

On-premises

You must enable and use webproxy for external communication.

Ingresses

Danger

For security reasons you may only specify one ingress when this feature is enabled.

Redirect URI

The redirect URI is the fully qualified URI that ID-porten redirects back to after a successful authorization request.

NAIS will automatically infer the complete redirect URI to be registered at ID-porten using the scheme:

spec.ingresses[0] + spec.idporten.redirectPath

where spec.idporten.redirectPath has a default value of /oauth2/callback.

E.g.

https://my.application.ingress/oauth2/callback

If you wish to use a different path than the default, you may do so by manually specifying spec.idporten.redirectPath.

Logout URIs

Warning

When integrating with ID-porten, you are required to implement logout correctly. Refer to the documentation at DigDir for further details.

Self-initiated Logout

When logout is initiated from your client, you must redirect the given user to ID-porten's endsession-endpoint.

ID-porten will then log the user out from all other services connected to the same single sign-on session.

If the optional parameters id_token_hint and post_logout_redirect_uri are set in the request, ID-porten will redirect the user to the specified URI, provided that the URI is registered for the client.

Front-channel Logout

Front-channel logouts are logouts initiated by other ID-porten clients.

Your application will receive a GET request from ID-porten at frontchannel_logout_uri. This request includes two parameters:

  • iss, the issuer of the Identity Provider
  • sid, the user's session ID at ID-porten; the same value is set in the sid claim of the user's id_token

In short, when receiving such a request you are obligated to clear the local session for your application for the given user's sid so that the user is properly logged out across all services in the circle-of-trust.
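The two logout paths described above (the self-initiated redirect to the endsession-endpoint, and the front-channel GET carrying iss and sid), as an added example in Go. This is not NAIS or ID-porten code. It assumes an issuer value and an endsession path derived from the well-known URL shown later on this page; in a real application both come from the OIDC discovery document, and the registered post-logout URIs come from spec.idporten.postLogoutRedirectURIs. The sid and id_token values are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"sync"
)

// Constructed stand-ins for values a real application reads from the
// discovery document (IDPORTEN_WELL_KNOWN_URL) and its own manifest.
const issuer = "https://oidc-ver2.difi.no/idporten-oidc-provider/" // assumption
const endSessionEndpoint = issuer + "endsession"                    // assumption

var registeredPostLogoutURIs = []string{"https://nav.no"} // spec.idporten.postLogoutRedirectURIs

// sessionStore keeps local sessions keyed by the sid claim of the id_token,
// which is what a front-channel logout request identifies the user by.
type sessionStore struct {
	mu    sync.Mutex
	bySID map[string]string // sid -> id_token
}

func newSessionStore() *sessionStore { return &sessionStore{bySID: map[string]string{}} }

func (s *sessionStore) add(sid, idToken string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.bySID[sid] = idToken
}

func (s *sessionStore) has(sid string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	_, ok := s.bySID[sid]
	return ok
}

func (s *sessionStore) remove(sid string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.bySID, sid)
}

// endSessionURL builds the redirect for a self-initiated logout. ID-porten only
// redirects back to a URI registered for the client, so an unregistered
// post_logout_redirect_uri is rejected here instead of sending the user away.
func endSessionURL(idToken, postLogoutRedirectURI string) (string, error) {
	registered := false
	for _, u := range registeredPostLogoutURIs {
		registered = registered || u == postLogoutRedirectURI
	}
	if !registered {
		return "", fmt.Errorf("post_logout_redirect_uri %q is not registered", postLogoutRedirectURI)
	}
	q := url.Values{}
	q.Set("id_token_hint", idToken)
	q.Set("post_logout_redirect_uri", postLogoutRedirectURI)
	return endSessionEndpoint + "?" + q.Encode(), nil
}

// frontchannelLogout handles the iss and sid parameters of the GET request that
// ID-porten sends to frontchannel_logout_uri and returns the HTTP status to answer.
func frontchannelLogout(store *sessionStore, iss, sid string) int {
	if iss != issuer || sid == "" {
		// Not from our issuer, or nothing to clear: leave local sessions alone.
		return http.StatusBadRequest
	}
	store.remove(sid) // clear the local session whether or not it still existed
	return http.StatusOK
}

// frontchannelLogoutHandler is the HTTP wiring for the path in spec.idporten.frontchannelLogoutPath.
func frontchannelLogoutHandler(store *sessionStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		w.Header().Set("Cache-Control", "no-store")
		w.WriteHeader(frontchannelLogout(store, q.Get("iss"), q.Get("sid")))
	}
}

func main() {
	store := newSessionStore()
	store.add("sid-123", "eyJ.constructed.id_token") // constructed sample session
	u, err := endSessionURL("eyJ.constructed.id_token", "https://nav.no")
	fmt.Println(u, err)
	fmt.Println(frontchannelLogout(store, issuer, "sid-123"), store.has("sid-123"))
	_ = frontchannelLogoutHandler(store) // register at /oauth2/logout in a real server
}
```

The issuer comparison is the check that stops any third party from logging your users out by sending a crafted GET to the logout path; the status code is informational only, since ID-porten does not act on it.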

Your application's frontchannel_logout_uri is by default automatically inferred by NAIS and registered at ID-porten using the following scheme:

spec.ingresses[0] + spec.idporten.frontchannelLogoutPath

where spec.idporten.frontchannelLogoutPath has a default value of /oauth2/logout.

E.g.

https://my.application.ingress/oauth2/logout

If you wish to use a different path than the default, you may do so by manually specifying spec.idporten.frontchannelLogoutPath.

Usage

Info

See the NAV Security Guide for NAV-specific usage.

Runtime Variables & Credentials

The following environment variables and files (under the directory /var/run/secrets/nais.io/idporten) are available at runtime:


IDPORTEN_CLIENT_ID

Note

ID-porten client ID. Unique ID for the application in ID-porten.

Example value: e89006c5-7193-4ca3-8e26-d0990d9d981f


IDPORTEN_CLIENT_JWK

Note

Private JWK containing the private RSA key for creating signed JWTs when authenticating to ID-porten with a JWT grant.

{
  "use": "sig",
  "kty": "RSA",
  "kid": "jXDxKRE6a4jogcc4HgkDq3uVgQ0",
  "alg": "RS256",
  "n": "xQ3chFsz...",
  "e": "AQAB",
  "d": "C0BVXQFQ...",
  "p": "9TGEF_Vk...",
  "q": "zb0yTkgqO...",
  "dp": "7YcKcCtJ...",
  "dq": "sXxLHp9A...",
  "qi": "QCW5VQjO..."
}
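How the private JWK above is turned into a signed JWT for the JWT grant, as an added example in Go; it is not NAIS code and does not use a real key. It rebuilds the RSA key from the n, e, d, p and q members (recomputing dp, dq and qi rather than trusting them), signs a client assertion with RS256 under the key's kid, and verifies the result the way the receiving side would. The claim set (iss, sub, aud, scope, iat, exp, jti) is the usual client-assertion shape and is an assumption here; the DigDir integration guide is authoritative for what ID-porten expects. The sample key is generated in place, since no real key material is on this page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWK members and JWT segments are base64url without padding

// parseJWK rebuilds the RSA private key from IDPORTEN_CLIENT_JWK JSON and returns
// it with its kid. The CRT hints (dp, dq, qi) are recomputed rather than trusted.
func parseJWK(raw []byte) (*rsa.PrivateKey, string, error) {
	var k map[string]string
	if err := json.Unmarshal(raw, &k); err != nil {
		return nil, "", err
	}
	if k["kty"] != "RSA" || k["alg"] != "RS256" {
		return nil, "", fmt.Errorf("expected RSA/RS256, got %s/%s", k["kty"], k["alg"])
	}
	var ints [5]*big.Int
	for i, name := range []string{"n", "e", "d", "p", "q"} {
		b, err := b64.DecodeString(k[name])
		if err != nil {
			return nil, "", fmt.Errorf("bad base64url in %q: %w", name, err)
		}
		ints[i] = new(big.Int).SetBytes(b)
	}
	key := &rsa.PrivateKey{PublicKey: rsa.PublicKey{N: ints[0], E: int(ints[1].Int64())}, D: ints[2], Primes: []*big.Int{ints[3], ints[4]}}
	key.Precompute()
	if err := key.Validate(); err != nil { // rejects a corrupted or mismatched key
		return nil, "", err
	}
	return key, k["kid"], nil
}

// clientAssertion signs a short-lived RS256 JWT for the application to present to
// ID-porten's token endpoint. Claim set is an assumption (see lead-in).
func clientAssertion(key *rsa.PrivateKey, kid, clientID, audience, scope string) (string, error) {
	jti := make([]byte, 16) // unique per assertion so a captured one cannot be replayed
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	now := time.Now()
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	claims, _ := json.Marshal(map[string]interface{}{
		"iss": clientID, "sub": clientID, "aud": audience, "scope": scope,
		"iat": now.Unix(), "exp": now.Add(2 * time.Minute).Unix(), "jti": b64.EncodeToString(jti),
	})
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyAssertion is the check the receiving side performs with the public key.
func verifyAssertion(pub *rsa.PublicKey, token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	payload, err1 := b64.DecodeString(parts[1])
	sig, err2 := b64.DecodeString(parts[2])
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("bad base64url in JWT")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	return claims, json.Unmarshal(payload, &claims)
}

// sampleJWK generates a throwaway key in the shape of IDPORTEN_CLIENT_JWK.
// Constructed for this example only; in a pod the real key is injected by NAIS.
func sampleJWK() ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	enc := func(i *big.Int) string { return b64.EncodeToString(i.Bytes()) }
	return json.Marshal(map[string]string{
		"use": "sig", "kty": "RSA", "kid": "example-kid", "alg": "RS256", "n": enc(key.N),
		"e": enc(big.NewInt(int64(key.E))), "d": enc(key.D), "p": enc(key.Primes[0]), "q": enc(key.Primes[1]),
	})
}
```

In a pod the JSON would be read from IDPORTEN_CLIENT_JWK instead of sampleJWK(), the audience would come from the discovery document at IDPORTEN_WELL_KNOWN_URL, and the assertion would be sent as client_assertion in the token request. Keeping exp a couple of minutes out and giving every assertion a fresh jti limits what an intercepted assertion is worth.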

IDPORTEN_REDIRECT_URI

Note

The redirect URI registered for the client at ID-porten. This must be a valid URI for the application where the user is redirected back to after successful authentication and authorization.

Example value: https://my.application.dev.nav.no/callback


IDPORTEN_WELL_KNOWN_URL

Note

The well-known URL for the OIDC metadata discovery document for ID-porten.

Example value: https://oidc-ver2.difi.no/idporten-oidc-provider/.well-known/openid-configuration

Test Users for Logins

ID-porten maintains a public list of test users found here.

Permanently deleting a client

Warning

Permanent deletes are irreversible. Only do this if you are certain that you wish to completely remove the client from DigDir.

When an IDPortenClient resource is deleted from a Kubernetes cluster, the client is not deleted from DigDir.

Info

The Application resource owns the IDPortenClient resource, so deleting the former will also trigger deletion of the latter.

If the IDPortenClient resource is recreated, the client will therefore retain the same client ID.

If you want to completely delete the client from DigDir, you must add the following annotation to the IDPortenClient resource:

kubectl annotate idportenclient <app> digdir.nais.io/delete=true

When this annotation is in place, deleting the IDPortenClient resource from Kubernetes will trigger removal of the client from DigDir.