ID-porten sidecar

Status: Beta

This feature is only available in the GCP clusters, except labs-gcp.

Experimental: users report that this component is working, but it needs a broader audience to be battle-tested properly.

Report any issues to the #nais channel on Slack.

Description

A reverse proxy that provides functionality to handle ID-porten login and logout.

Prerequisites

• Ensure that you first enable ID-porten for your application.
• Ensure that you define an ingress for your application.
• Ensure that the ingress is on the correct domain:
  • dev.nav.no for the development clusters
  • nav.no for the production clusters

Spec

Port Configuration

The sidecar will occupy and use the ports 7564 and 7565.

Ensure that you do not bind to these ports from your application as they will be overridden.

nais.yaml

spec:
  idporten:
    enabled: true
    sidecar:
      enabled: true

      # everything below is optional, defaults shown
      level: Level4
      locale: nb
      autoLogin: false
      errorPath: ""

See the NAIS manifest for details.

Usage

Tip

See the Wonderwall appendix for usage details.

Security Levels

ID-porten supports different levels of security when authenticating users. This is sent by the sidecar as the acr_values parameter to the /authorize endpoint.

Valid values are Level3 or Level4.

You can set a default value for all requests by specifying spec.idporten.sidecar.level. If unspecified, the sidecar will use Level4 as the default value.

For runtime control of the value, set the query parameter level when redirecting the user to login:

https://<ingress>/oauth2/login?level=Level4

Locales

ID-porten supports a few different locales for the user interface during authentication. This is sent by the sidecar as the ui_locales parameter to the /authorize endpoint.

Valid values shown below:

Value	Description
nb	Norwegian Bokmål
nn	Norwegian Nynorsk
en	English
se	Sámi

You can set a default value for all requests by specifying spec.idporten.sidecar.locale. If unspecified, the sidecar will use nb as the default value.

For runtime control of the value, set the query parameter locale when redirecting the user to login:

https://<ingress>/oauth2/login?locale=en

Token Validation

Danger

Your application should secure its own endpoints. That is, deny access to sensitive endpoints if the appropriate authentication is not supplied.

Your application should also validate the claims and signature for the ID-porten JWT access_token attached by the sidecar.

Audience

Note that the aud claim is not set for ID-porten access tokens. You should instead validate that the client_id claim has a value equal to your own ID-porten client ID.

Security Level

Validate that the acr claim exists and that the set level matches the minimum security level for your endpoints:

• If your endpoint(s) accepts a minimum of Level3 authentication, you must also accept Level4.
• The inverse should be rejected. That is, applications expecting Level4 authentication should NOT accept tokens with acr=Level3.

---

Last update: 2022-07-04
Created: 2021-08-25