ID-porten sidecar¶
Status: Beta
This feature is only available in the GCP clusters.
Experimental: users report that this component is working, but it needs a broader audience to be battle-tested properly.
Report any issues to the #nais channel on Slack.
Description¶
A reverse proxy that provides functionality to handle ID-porten login and logout.
Prerequisites
- Ensure that you first enable ID-porten for your application.
- Ensure that you define an ingress for your application.
- Ensure that the ingress is on the correct domain:
dev.nav.no
for the development clustersnav.no
for the production clusters
Spec¶
Port Configuration
The sidecar will occupy and use the ports 7564
and 7565
.
Ensure that you do not bind to these ports from your application as they will be overridden.
spec:
idporten:
sidecar:
enabled: true
# everything below is optional, defaults shown
level: Level4
locale: nb
autoLogin: false
errorPath: ""
See the NAIS manifest for details.
Usage¶
Tip
See the Wonderwall appendix for usage details.
Security Levels¶
ID-porten supports different levels of security
when authenticating users.
This is sent by the sidecar as the acr_values
parameter to the /authorize
endpoint.
Valid values are Level3
or Level4
.
You can set a default value for all requests by specifying spec.idporten.sidecar.level
.
If unspecified, the sidecar will use Level4
as the default value.
For runtime control of the value, set the query parameter level
when redirecting the user to login:
https://<ingress>/oauth2/login?level=Level4
Locales¶
ID-porten supports a few different locales for the user interface during authentication.
This is sent by the sidecar as the ui_locales
parameter to the /authorize
endpoint.
Valid values shown below:
Value | Description |
---|---|
nb |
Norwegian Bokmål |
nn |
Norwegian Nynorsk |
en |
English |
se |
Sámi |
You can set a default value for all requests by specifying spec.idporten.sidecar.locale
.
If unspecified, the sidecar will use nb
as the default value.
For runtime control of the value, set the query parameter locale
when redirecting the user to login:
https://<ingress>/oauth2/login?locale=en
Token Validation¶
Danger
Your application should secure its own endpoints. That is, deny access to sensitive endpoints if the appropriate authentication is not supplied.
Your application should also validate the claims and signature for the ID-porten JWT access_token
attached by the sidecar.
Audience¶
Note that the aud
claim is not set for ID-porten access tokens.
You should instead validate that the client_id
claim has a value equal to your own ID-porten client ID.
Security Level¶
Validate that the acr
claim exists and that the set level matches the minimum security level for your endpoints:
- If your endpoint(s) accepts a minimum of
Level3
authentication, you must also acceptLevel4
. - The inverse should be rejected. That is, applications expecting
Level4
authentication should NOT accept tokens withacr=Level3
.