

Status: Opt-In Open Beta

This feature is only available in team namespaces

Forthcoming changes

ID-porten is currently undergoing some changes. These changes will roll out in the coming months.

TL;DR: new URL and issuer, PKCE is required for Authorization Code Flow and the contents of the sub claim will likely change.



ID-porten is a common log-in system used for logging into Norwegian public e-services for citizens.

The NAIS platform provides support for simple, declarative provisioning of an ID-porten client with sensible defaults that your application may use to integrate with ID-porten.

An ID-porten client allows your application to leverage ID-porten for authentication of citizen end-users, providing sign-in capabilities with single sign-on (SSO). To achieve this, your application must implement OpenID Connect with the Authorization Code flow.

This is also a critical first step in request chains involving an end-user whose identity and permissions should be propagated through each service/web API when accessing services in NAV using the OAuth 2.0 Token Exchange protocol. See the TokenX documentation for details.


See the NAV Security Guide for NAV-specific usage of this client.


Please ensure that you have read the ID-porten Integration guide.


spec:
  idporten:
    enabled: true

    # optional, default shown
    clientURI: ""

    # optional, default shown
    redirectPath: "/oauth2/callback"

    # optional, default shown
    frontchannelLogoutPath: "/oauth2/logout"

    # optional, defaults shown
      - ""

    # optional, in seconds - default shown (1 hour)
    accessTokenLifetime: 3600

    # optional, in seconds - default shown (2 hours)
    sessionLifetime: 7200

  # required for on-premises only
  webproxy: true


See the NAIS manifest.

Access Policies

ID-porten is a third-party service outside of our clusters and, like most third-party services, it is not reachable by default.

Google Cloud Platform (GCP)

The following outbound external hosts are automatically added when enabling this feature:

  • in development
  • in production

You do not need to specify these explicitly.


You must enable and use webproxy for external communication.



For security reasons you may only specify one ingress when this feature is enabled.

Redirect URI

The redirect URI is the fully qualified URI that ID-porten redirects back to after a successful authorization request.

NAIS will automatically infer the complete redirect URI to be registered at ID-porten using the scheme:

spec.ingresses[0] + spec.idporten.redirectPath

where spec.idporten.redirectPath has a default value of /oauth2/callback.



If you wish to use a different path than the default, you may do so by manually specifying spec.idporten.redirectPath.

Logout URIs


When integrating with ID-porten, you are required to implement logout correctly. Refer to the documentation at DigDir for further details.

Self-initiated Logout

When logout is initiated from your client, you must redirect the given user to ID-porten's endsession-endpoint.

ID-porten will then log the user out from all other services connected to the same single sign-on session.

If the optional parameters id_token_hint and post_logout_redirect_uri are set in the request, ID-porten will redirect the user to the specified URI given that the URI is registered for the client.

Front-channel Logout

Front-channel logouts are logouts initiated by other ID-porten clients.

Your application will receive a GET request from ID-porten at frontchannel_logout_uri. This request includes two parameters:

  • iss, which denotes the issuer of the Identity Provider
  • sid, which denotes the user's session ID at ID-porten; this is the same value as the sid claim in the user's id_token

In short, when receiving such a request you are obligated to clear the local session for your application for the given user's sid so that the user is properly logged out across all services in the circle-of-trust.
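The two logout flows above, as an added example that is not part of the NAIS documentation or platform code. It assumes placeholder issuer and endsession values (in practice both come from the well-known discovery document), a registered post-logout redirect URI, and that the application stored the sid claim from each user's id_token alongside its local session at login. The front-channel handler checks the iss parameter before touching any session, so only the expected issuer can trigger a logout.

```python
from urllib.parse import urlencode, parse_qs

# Placeholder values (assumptions, not from the page); read them from the discovery document at runtime.
ISSUER = "https://idporten.example.test"
END_SESSION_ENDPOINT = ISSUER + "/endsession"
# Must be registered for the client at ID-porten, otherwise ID-porten will not redirect back here.
POST_LOGOUT_REDIRECT_URI = "https://myapp.example.test/"

# Constructed local session store: our own session key -> data saved at login,
# including the sid claim from the id_token. Two tabs may share one ID-porten session.
SESSIONS = {
    "local-1": {"sid": "sid-abc", "user": "user-a"},
    "local-2": {"sid": "sid-abc", "user": "user-a"},
    "local-3": {"sid": "sid-xyz", "user": "user-b"},
}


def build_end_session_url(id_token: str) -> str:
    """Self-initiated logout: redirect the user's browser to this URL.

    With id_token_hint and post_logout_redirect_uri set, ID-porten ends the SSO
    session and sends the user back to the registered redirect URI.
    """
    params = {
        "id_token_hint": id_token,
        "post_logout_redirect_uri": POST_LOGOUT_REDIRECT_URI,
    }
    return f"{END_SESSION_ENDPOINT}?{urlencode(params)}"


def handle_frontchannel_logout(query_string: str) -> tuple[int, int]:
    """Front-channel logout: handle the GET from ID-porten at frontchannel_logout_uri.

    Returns (http_status, number_of_local_sessions_cleared). Requests whose iss does
    not match the expected issuer, or that lack sid, are rejected without side effects.
    """
    params = parse_qs(query_string)
    iss = params.get("iss", [None])[0]
    sid = params.get("sid", [None])[0]
    if iss != ISSUER or not sid:
        return 400, 0
    # Clear every local session bound to this ID-porten session id.
    doomed = [key for key, data in SESSIONS.items() if data["sid"] == sid]
    for key in doomed:
        del SESSIONS[key]
    return 200, len(doomed)
```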

Your application's frontchannel_logout_uri is by default automatically inferred by NAIS and registered at ID-porten using the following scheme:

spec.ingresses[0] + spec.idporten.frontchannelLogoutPath

where spec.idporten.frontchannelLogoutPath has a default value of /oauth2/logout.



If you wish to use a different path than the default, you may do so by manually specifying spec.idporten.frontchannelLogoutPath.



See the NAV Security Guide for NAV-specific usage.

Runtime Variables & Credentials

The following environment variables and files (under the directory /var/run/secrets/) are available at runtime:



ID-porten client ID. Unique ID for the application in ID-porten.

Example value: e89006c5-7193-4ca3-8e26-d0990d9d981f



Private JWK containing the private RSA key for creating signed JWTs when authenticating to ID-porten with a JWT grant.

{
  "use": "sig",
  "kty": "RSA",
  "kid": "jXDxKRE6a4jogcc4HgkDq3uVgQ0",
  "alg": "RS256",
  "n": "xQ3chFsz...",
  "e": "AQAB",
  "d": "C0BVXQFQ...",
  "p": "9TGEF_Vk...",
  "q": "zb0yTkgqO...",
  "dp": "7YcKcCtJ...",
  "dq": "sXxLHp9A...",
  "qi": "QCW5VQjO..."
}



The redirect URI registered for the client at ID-porten. This must be a valid URI for the application where the user is redirected back to after successful authentication and authorization.

Example value:



The well-known URL for the OIDC metadata discovery document for ID-porten.

Example value:

Test Users for Logins

ID-porten maintains a public list of test users found here.

Permanently deleting a client


Permanent deletes are irreversible. Only do this if you are certain that you wish to completely remove the client from DigDir.

When an IDPortenClient resource is deleted from a Kubernetes cluster, the client is not deleted from DigDir.


The Application resource owns the IDPortenClient resource, so deleting the former also triggers deletion of the latter.

Because the client itself persists at DigDir, recreating the IDPortenClient resource will thus retain the same client ID.

If you want to completely delete the client from DigDir, you must add the following annotation to the IDPortenClient resource:

kubectl annotate idportenclient <app>

When this annotation is in place, deleting the IDPortenClient resource from Kubernetes will trigger removal of the client from DigDir.