diff --git a/content/altinn-studio/getting-started/app-dev-course/modul3/datamodel.xsd b/content/altinn-studio/getting-started/app-dev-course/modul3/datamodel.xsd index fcf21515f17..df1842afe90 100644 --- a/content/altinn-studio/getting-started/app-dev-course/modul3/datamodel.xsd +++ b/content/altinn-studio/getting-started/app-dev-course/modul3/datamodel.xsd @@ -1,11 +1,15 @@ - + + + + + - + - + @@ -14,15 +18,15 @@ - - + + - + @@ -31,11 +35,18 @@ - + - + + + + + + + + \ No newline at end of file diff --git a/content/api/dialogporten/_index.en.md b/content/api/dialogporten/_index.en.md new file mode 100644 index 00000000000..490499f5c11 --- /dev/null +++ b/content/api/dialogporten/_index.en.md @@ -0,0 +1,11 @@ +--- +title: Dialogporten API +linktitle: Dialogporten +description: API for Dialogporten functionality +--- + +Please refer to the following sections for Dialogporten API reference information + +* [OpenAPI specifications]({{}}) +* [GraphQL specifications]({{}}) + \ No newline at end of file diff --git a/content/authentication/guides/systemauthentication-for-systemproviders/_index.nb.md b/content/authentication/guides/systemauthentication-for-systemproviders/_index.nb.md index 715f14c41e6..c13deed9cd0 100644 --- a/content/authentication/guides/systemauthentication-for-systemproviders/_index.nb.md +++ b/content/authentication/guides/systemauthentication-for-systemproviders/_index.nb.md @@ -18,8 +18,9 @@ Bakgrunnen til systembruker konsept kan leses om her. Forutsetninger for at man systemleverandør kan benytte seg systembruker er. -- Avtale med maskinporten som klient +- [Avtale med maskinporten som konsument](https://samarbeid.digdir.no/maskinporten/konsument/119) - Avtale med Digdir som gir tilgang til systemregister +- Delegert tilgang til scope altinn:authentication/systemregister.write ## Sette opp maskinporten integrasjon 
@@ -28,37 +29,147 @@ Dette kan gjøres i [sammarbeidsportalen](https://docs.digdir.no/docs/Maskinport ## Registrere system -Første steg etter man har fått tilgang til systemregisteret er å registrere systemet. +Det første steget etter at man har fått tilgang til systemregisteret, er å registrere systemet. -Systemet er da typisk en nettbasert programvare som er tilgjengelig i markedet som sluttkunder (virksomheter) kan -benytte seg av for kommunukasjon med det offentlige. +Systemet er typisk en nettbasert programvare som er tilgjengelig i markedet, og som sluttkunder (virksomheter) kan benytte for kommunikasjon med det offentlige. -Systemet må beskrives med følgende egenskaper +Systemet må beskrives med følgende egenskaper: -### SystemTypeId +### Id Dette er en unik ID som vil benyttes for å identifisere programvaren. Gyldige tegn er a-z 0-9 og _ -### KlientId +Id må starte med organisasjonsnr til leverandør. Eksempelet nedenfor viser med Digitialiseringsdirektorates organisasjonsnr + +### Vendor + +Dette er informasjon om leverandør. +ID er på formatet 0192:{orgnr} + +0192 er referanse til Enhetsregisteret i [Electronic Adress Scheme](https://docs.peppol.eu/poacc/billing/3.0/codelist/eas/) + +### Name + +Navn på systemet må oppgis på engelsk (en), bokmål (nb) og nynorsk (nn). Navn kan settes likt på alle språk. + +Navn presenteres på Altinn sider under registrering av systembruker. + +### Description + +Description beskriver systemet. Vil kunne presenteres på Altinn sider for informasjon til sluttbrukere. + +Oppgis på engelsk, bokmål og nynorsk. + +### Rights + +Rights beskriver hvilke tjenester systemet trenger rettighet for å kunne fungere. Dette er referanser til applikasjoner i Altinn plattformen eller tjenester utenfor Altinn som er registrert hos Altinn. + +Hvilke rettigheter som kreves vil avhengig av bruksscenario. 
+ +Eksempelet nedenfor viser et system som har behov for tilgang til tjenesten [Krav og betalinger](https://skatteetaten.github.io/api-dokumentasjon/api/kravogbetalinger) fra Skattedirektoratet som er [registrert i Altinn ressursregister](https://platform.tt02.altinn.no/resourceregistry/api/v1/resource/ske-krav-og-betalinger). + +Senere vil Systembruker støtte tilgangspakker som er en samling av rettigheter på tvers av tjenester innfor et område. + +### ClientId Dette er klientidene for integrasjonen som er opprettet i Maskinporten. + Det er kun pålogginger med Maskinportenintegrasjoner som er knyttet mot oppgitte klientider. + +### Eksempel fra TT02 + +Eksempelet viser systemet som er registrert for demoapplikasjonen SmartCloud i TT02 testmiljø. + + ```json { - "SystemTypeId": "visma_supertax", - "SystemVendor": "978234522", - "Name": { - "en": "Visma Super Tax", - "nb" : "Visma superskatt" - "Description": { - "en": "Visma Super Tax allows for .........", - "nb": "Visma superskatt gir deg mulighet...." - } + "id": "991825827_smartcloud", + "vendor": { + "ID": "0192:991825827" }, - "AccessGroupNeeds": ["MVA", "SKATT"], - "ResourceNeeds": ["urn:altinn:resource:skd/mva"],. 
- "ClientId":["123123","234534552345"] + "mame": { "en": "SmartCloud", "nb": "SmartCloud", "nn": "Smart SKY" }, + "description": { "en": "SmartCloud Rocks", "nb": "SmartCloud er verdens beste system.", "nn": "SmartSky er vestlandets beste system" }, + "rights": [ + { + "Resource": [ + { + "value": "ske-krav-og-betalinger", + "id": "urn:altinn:resource" + } + ] + } + ], + "clientId": ["235ar6-8824-955a-g235-5asfaa446533"] +} +``` + +Url for å regsistrere + +```http +POST https://platform.tt02.altinn.no/authentication/api/v1/systemregister/system +``` + +Url for å opppdatere dette systemet (ID må endres for andre system) + +```http +POST https://platform.tt02.altinn.no/authentication/api/v1/systemregister/system/91825827_smartcloud +``` + +For produksjon endres domenet til **platform.altinn.no** + +Se også [eksempelapplikasjon](https://github.com/TheTechArch/altinn-systemuser/tree/main/src/SystemAdmin) for å registrere system. + + +## Sende forespørsel om opprettelse av systembruker til virksomhet + +Som systemleverandør kan man be sine kunder om å opprette systembruker med nødvendige rettigheter. +Dette gir en enkel onboarding av nye kunder. + +For å kunne gjøre dette må man være tildelt scopet **altinn:authentication/systemuser.request.write** + +Systembruker støtter kun virksomheter som kunde. + +### External ref + +Denne benyttes som ekstern refernase hos systemleverandør. Hvis den ikke er satt blir den automatisk satt til orgnr + +### SystemId + +Referanse til system + +### PartyOrgNo + +Organiasjonsnr til systemleverandørens kunde. + +### Rights + +En liste over rettigheter systembrukeren trenger tilgang til. 
Det beskrives for øyeblikket med referanse til ressurs + + +### RedirectUrl + +Denne urlen + + +### Eksempel + +```json +{ + "externalRef": "213544942", + "systemId": "991825827_smartcloud", + "partyOrgNo": "213544942", + "rights": [ + { + "resource": [ + { + "value": "ske-krav-og-betalinger", + "id": "urn:altinn:resource" + } + ] + } + ], + "redirectUrl": "https:\\smartcloud.azurewebsites.net/receipt" } ``` diff --git a/content/authentication/what-do-you-get/systemuser/_index.nb.md b/content/authentication/what-do-you-get/systemuser/_index.nb.md index c2b0be6fd4f..8de4bfb8734 100644 --- a/content/authentication/what-do-you-get/systemuser/_index.nb.md +++ b/content/authentication/what-do-you-get/systemuser/_index.nb.md @@ -1,6 +1,6 @@ --- title: Systembruker -description: En stor del av bruken av Altinn er via API fra fagsystemer. Dette er programvare som har integrert seg Altinns API og man fra programvare kan f.eks. sende inn skjema eller hente ut meldinger av forskjellig art. +description: En stor del av kommunikasjonen mellom det offentlige og næringslivet skjer via API i Altinn og andre hos andre platformleverandører i det offentlige. tags: [platform, authentication] toc: false weight: 1 @@ -11,6 +11,8 @@ aliases: {{}} Under arbeid. Ting kan endres. Vi tar gjerne imot innspill. {{}} + + Omtrent 50% av skjematrafikken kommer via API, med enkelte tjenester som har nesten 100% fra fagsystemer. Nye autentiserings- og autorisasjonsmekanismer utvikles nå for maskin-til-maskin-integrasjon på Altinn-plattformen og andre offentlige API-er. diff --git a/content/authorization/architecture/resourceregistry/subjectoptions.json b/content/authorization/architecture/resourceregistry/subjectoptions.json index 5548b7b8087..9c43a2be48e 100644 --- a/content/authorization/architecture/resourceregistry/subjectoptions.json +++ b/content/authorization/architecture/resourceregistry/subjectoptions.json 
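Review bot: The TT02 request body under the new `### Eksempel fra TT02` heading uses the key `"mame"`, which looks like a typo for `name` (the heading above it is `### Name` and every other key is lower camel case), so a copied request would silently omit the system name; it should read `"name": { "en": "SmartCloud", "nb": "SmartCloud", "nn": "Smart SKY" }`. The update URL below it drops a digit from the id (`.../systemregister/system/91825827_smartcloud` versus `"id": "991825827_smartcloud"`), and the second example's `"redirectUrl": "https:\\smartcloud.azurewebsites.net/receipt"` decodes to a backslash URL rather than `"redirectUrl": "https://smartcloud.azurewebsites.net/receipt"`. The two examples also disagree on key casing (`"Resource"` and `"ID"` in the first, `"resource"` and `"clientId"` in the second); since integrators copy these bodies, the casing the API accepts should be stated once and used in both. The `### RedirectUrl` section stops after `Denne urlen`; it should say what the URL is used for and which constraints the service applies to it — if it is where the end user is sent after handling the system-user request, the reader needs to know how the value is validated before relying on it.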
@@ -304,5 +304,11 @@ "SubjectSource": "altinn:rolecode", "SubjectTitle": "Programmeringsgrensesnitt for NUF (API)", "SubjectDescription": "Delegerbar rolle som gir kontaktperson for norskregistrert utenlandsk foretak (NUF) tilgang til å administrere tilgang til programmeringsgrensesnitt - API, på vegne av virksomheten." + }, + { + "SubjectId": "innh", + "SubjectSource": "altinn:rolecode", + "SubjectTitle": "Innehaver", + "SubjectDescription": "Innehaver" } ] diff --git a/content/broker/news-and-plans/_index.en.md b/content/broker/news-and-plans/_index.en.md deleted file mode 100644 index 705db69fa9d..00000000000 --- a/content/broker/news-and-plans/_index.en.md +++ /dev/null @@ -1,31 +0,0 @@ ---- -title: News and plans -linktitle: News and plans -description: News and plans for development of Altinn 3 Broker. -tags: [] -toc: false -weight: 70 ---- - - - -## Migration from Altinn 2 to Altinn 3 Broker - -The Altinn 2 Broker solutions is being reimplemented along with other solutions on the Altinn platform -to transition to a new technology platform and improved services in Altinn 3. - -The development of the Altinn 3 Broker solution began in 2023. By mid-2026, -service owners and users should be transitioned to the new solution. -The Altinn 2 platform will then be shut down. - - -## Planned new and changed features for Altinn 3 Broker - -### The Key New Features in Altinn 3 Broker (Preliminary Overview) - -TBD - - -### Deprecated Functionality in Altinn 3 Broker (Preliminary Overview) - -TBD \ No newline at end of file diff --git a/content/broker/news-and-plans/_index.nb.md b/content/broker/news-and-plans/_index.nb.md deleted file mode 100644 index 8ce50f836d6..00000000000 --- a/content/broker/news-and-plans/_index.nb.md +++ /dev/null 
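Review bot: The added `innh` entry sets `"SubjectDescription": "Innehaver"`, which only repeats `SubjectTitle`, whereas the neighbouring entry describes what the role code grants and that it is delegable. If the description is shown next to the title, as the other entry's wording suggests, this one gives the reader nothing; replace it with a sentence describing the role, `"SubjectDescription": "<what the Innehaver role code grants — placeholder>"`. The hunk shows only the tail of the array, so whether `innh` already appears earlier in the file cannot be checked from here.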
@@ -1,26 +0,0 @@ ---- -title: Nyheter og videre planer -linktitle: Nyheter og planer -description: Nyheter og videre planer for utvikling av Altinn 3 Formidling -tags: [] -toc: true -weight: 70 ---- - -## Migrering fra Altinn 2 til Altinn 3 - -Altinn 2 Formidling reimplementeres sammen med andre løsninger i Altinn-plattformen -for å komme over på ny teknologiplattform og forbedrede tjenester i Altinn 3. - -Løsningsutviklingen for Altinn 3 Formidling ble startet i 2023. Innen medio 2026 skal -tjenestereiere og brukere være over på ny løsning. Altinn 2 plattformen skal da skrus av. - -## Planlagt ny og endret funksjonalitet i Altinn 3 Formidling - -### De viktigste nyhetene i Altinn 3 Formidling (foreløpig oversikt) - -TBD - -### Utfaset funksonalitet i Altinn 3 Formidling (foreløpig oversikt) - -TBD diff --git a/content/broker/news/_index.en.md b/content/broker/news/_index.en.md new file mode 100644 index 00000000000..9023b0d7544 --- /dev/null +++ b/content/broker/news/_index.en.md @@ -0,0 +1,50 @@ +--- +title: Altinn 3 Broker news +linktitle: What's new? +description: +tags: [] +toc: false +weight: 70 +--- + + + +## Migration to a future proof technology platform +The Altinn 2 Broker solution is being reimplemented along with other solutions on the Altinn platform +to transition to a cloud based technology platform in Altinn 3. + +The development of the Altinn 3 Broker solution began in 2023. By mid-2026, +service owners and users should be transitioned to the new solution. +The Altinn 2 platform will then be shut down. + +## Main Altinn 3 Broker product enhancements + +There are many new features and enhancements in Altinn 3 Broker compared to Altinn 2. +A selection of important such enhancements are listed here. + +
+ {{}} + {{}} + {{}} +
+ +## Recently developed features - ready for customer testing +TBD + +## Upcoming features - plan for customer testing +TBD. diff --git a/content/broker/news/_index.nb.md b/content/broker/news/_index.nb.md new file mode 100644 index 00000000000..7c2ad822000 --- /dev/null +++ b/content/broker/news/_index.nb.md @@ -0,0 +1,51 @@ +--- +title: Nyheter og videre planer +linktitle: Nyheter og planer +description: Nyheter og videre planer for utvikling av Altinn 3 Formidling +tags: [] +toc: true +weight: 70 +--- + +## Migrering til en framtidssikker teknologiplattform + +Altinn 2 Formidling reimplementeres sammen med andre løsninger i Altinn-plattformen +for å komme over på ny, skybasert teknologiplattform og forbedrede tjenester i Altinn 3. + +Løsningsutviklingen for Altinn 3 Formidling ble startet i 2023. Innen medio 2026 skal +tjenestereiere og brukere være over på ny løsning. Altinn 2 plattformen skal da skrus av. + +## Viktige produktforbedringer i Altinn 3 Formidling + +Det er mange produktforbedringer i Altinn 3 Formidling, sammenliknet med Altinn 2. +Her gis et utvalg. + +
+ {{}} + {{}} + {{}} +
+ + + +## Nylig utviklet funksjonalitet - klart for kundetest og pilotering +TBD + +## Kommendene funksjonalitet - planlegg for kundetest og pilotering +TBD. + diff --git a/content/correspondence/getting-started/developer-guides/notifications/_index.en.md b/content/correspondence/getting-started/developer-guides/notifications/_index.en.md index 4a49f133b7c..718925db157 100644 --- a/content/correspondence/getting-started/developer-guides/notifications/_index.en.md +++ b/content/correspondence/getting-started/developer-guides/notifications/_index.en.md @@ -18,7 +18,11 @@ Currently the Events for Correspondence are not ready for full-scale use, due to This documents the expected scenario, but may be subject to change. {{% /notice %}} -To use notifications in Altinn Correspondence, a notification order is placed when a message is created. The notification will primarily be sent out at the publication time of the message. If a reminder is activated, the reminder will be sent after 7 days if the message has not been read. +To use notifications in Altinn Correspondence, a notification order is placed when a message is created. The notification will primarily be sent out at the publication time of the message. If a reminder is activated, the reminder will be sent after 7 days if the message has not been read. + +{{% notice warning %}} +In the test and staging environment, the reminder will be sent out after 1 hour if the message has not been read. +{{% /notice %}} Notifications can be sent via either email or SMS. While email does not have a time window, SMS notifications are sent between 9:00 AM and 5:00 PM. If the sending time falls outside this window, the notification will be sent the following day. 
@@ -86,4 +90,4 @@ The first notification and the reminder notification can use different notificat If a message is deleted before the publication date, the notification order will also be deleted. In situations where an error occurs during the publication of a message, the notification will also be deleted. ## Errors in Notification Ordering -If no contact information is available for a recipient, the message will still be sent as planned. Information about the notification can be viewed by retrieving the details about the specific correspondence. Improvements are planned to provide feedback on this during the creation of a message. \ No newline at end of file +If no contact information is available for a recipient, the message will still be sent as planned. Information about the notification can be viewed by retrieving the details about the specific correspondence. Improvements are planned to provide feedback on this during the creation of a message. diff --git a/content/correspondence/getting-started/developer-guides/notifications/_index.nb.md b/content/correspondence/getting-started/developer-guides/notifications/_index.nb.md index 1e991fc5624..6dbaf4d11c3 100644 --- a/content/correspondence/getting-started/developer-guides/notifications/_index.nb.md +++ b/content/correspondence/getting-started/developer-guides/notifications/_index.nb.md 
@@ -20,6 +20,10 @@ Dette dokumenterer det forventede scenarioet, men kan endres. For å bruke varslinger i en meldingstjeneste, legges en varslingsbestilling til når en melding opprettes. Varslingen vil bli sendt ut på publikasjonstidspunktet for meldingen. Hvis revarsel er aktivert, vil revarselet sendes ut etter 7 dager dersom meldingen ikke er lest. +{{% notice warning %}} +I test- og stagingmiljøet vil revarselet sendes ut etter det har gått en time dersom meldingen ikke er lest. +{{% /notice %}} + Varslinger kan sendes via enten e-post eller SMS. Mens e-post ikke har noe tidsvindu, vil SMS-varsler bli sendt mellom kl. 09:00 og 17:00. Hvis avsendingstidspunktet faller utenfor dette tidsvinduet, vil varselet bli sendt neste dag. En varslingsbestilling gjøres ved å legge til følgende når du initialiserer en melding: @@ -89,4 +93,4 @@ Dersom en melding slettes før publiseringsdatoen, vil varslingsbestillingen ogs ## Feil ved bestilling av varsling Hvis det ikke finnes kontaktinformasjon for en mottaker, vil meldingen fortsatt bli sendt som planlagt. Informasjon om varslingen kan sees ved å hente detaljer om den spesifikke meldingen. -Det er planlagt forbedringer for å gi tilbakemelding omkring dette under opprettelsen av en melding. \ No newline at end of file +Det er planlagt forbedringer for å gi tilbakemelding omkring dette under opprettelsen av en melding. diff --git a/content/correspondence/getting-started/service-owner/_index.en.md b/content/correspondence/getting-started/service-owner/_index.en.md index 6518f1b7a3f..bb4205cf606 100644 --- a/content/correspondence/getting-started/service-owner/_index.en.md +++ b/content/correspondence/getting-started/service-owner/_index.en.md 
@@ -27,17 +27,17 @@ This step is only necessary for new enterprises that have not yet established th Perform steps 1 and 2 of the [Common Get started steps](../common-steps) if you have not already done so. ## 3. Register a Resource in Altinn Resource Registry {#register-a-resource-in-altinn-resource-registry} +In order to send messages via Altinn Correspondence, they must first be associated with a resource. +A resource represents a specific function or set of functions used to manage access and rules for the correspondence. +Resources are registered via Altinn Studio and are used to define access rules and access lists, ensuring that only authorized users can perform specific actions. -All operations using Correspondence is associated with a resource/service/"tjenesteressurs". See [Resource Registry](../../../../authorization/what-do-you-get/resourceregistry/). -Resources can be registered through Altinn Studio, and are used for access rules and access lists. Your policy must be configured in such a way that that they permit the actions: - -- "see" to see metadata about a message -- "open" to open a message -- "send" to send a message -- "subscribe" to register event subscriptions in Altinn Events - -To setup a resource that works quickly, you can use our [Postman collection](https://github.com/Altinn/altinn-correspondence/blob/main/altinn-correspondence-postman-collection.json) and run the requests "Create resource" and "Create resource policy" with a token that has the scope "altinn:resourceregistry/resource.write". +1. Log in to Altinn Studio and navigate to the resource dashboard, See [Resource Registry](../../../../authorization/guides/create-resource-resource-admin/) for a detailed guide. +2. Create a new resource, follow the guide and fill in the necessary information and details about the service. +3. Set policy rules for the resource. 
Your policy must be configured in such a way that that they permit the actions: + - "read" meant for recipients to open and read a message + - "write" meant for senders to send a message + - "subscribe" to register event subscriptions in Altinn Events Here is an [example policy](ExamplePolicy.xml). diff --git a/content/correspondence/getting-started/service-owner/_index.nb.md b/content/correspondence/getting-started/service-owner/_index.nb.md index e2585fd78ca..01d8582ea2a 100644 --- a/content/correspondence/getting-started/service-owner/_index.nb.md +++ b/content/correspondence/getting-started/service-owner/_index.nb.md 
@@ -28,21 +28,17 @@ Dette trinnet er bare nødvendig for nye virksomheter som ennå ikke har etabler Utfør steg 1 og 2 i [Felles kom i gang-steg](../common-steps) hvis du ikke allerede har gjort det. ## 3. Opprett ny ressurs {#register-a-resource-in-altinn-resource-registry} -For at filer skal kunne sendes med Altinn Formidling, må de være tilknyttet en ressurs. -En ressurs representerer en spesifikk funksjon eller et sett av funksjoner som brukes til å administrere tilgang og regler for filoverføring. +For å kunne sende meldinger over med Altinn Melding, må de først være tilknyttet en ressurs. +En ressurs representerer en spesifikk funksjon eller et sett av funksjoner som brukes til å administrere tilgang og regler for overføring av meldinger. Ressurser registreres via Altinn Studio og brukes til å definere tilgangsregler og tilgangslister, som sikrer at bare autoriserte brukere kan utføre bestemte handlinger. -1. Logg inn på Altinn Studio og naviger til ressursdashboardet, Se [Ressursregister](../../../../authorization/what-do-you-get/resourceregistry/) for en detaljert veiledning. +1. Logg inn på Altinn Studio og naviger til ressursdashboardet, Se [Ressursregister](../../../../authorization/guides/create-resource-resource-admin/) for en detaljert veiledning. 2. Opprett ny ressurs, følg veiledningen og fyll inn nødvendig informasjon og detaljer om tjenesten. -3. Angi tilgangsregler for ressursen. -4. Tilgangsregler må for ressursen må konfigureres slik at de tillater følgende handlinger: - - "see" for å se metadata om en melding - - "open" for å åpne en melding - - "send" for å sende en melding +3. Angi tilgangsregler for ressursen. 
Tilgangsregler må for ressursen må konfigureres slik at de tillater følgende handlinger: + - "read" ment for mottakere å åpne og lese en melding + - "write" ment for avsendere å sende en melding - "subscribe" for å registrere hendelsesabonnement i Altinn Events -Alternativt, for å sette opp en ressurs som fungerer raskt, kan du bruke vår [Postman-samling](https://github.com/Altinn/altinn-correspondence/blob/main/altinn-correspondence-postman-collection.json) og kjøre forespørslene "Create resource" og "Create resource policy" med en token som har scopet "altinn:resourceregistry/resource.write". - Her er en [eksempelpolicy](ExamplePolicy.xml). Merk at denne eksempelpolicyen angir en påkrevd brukerrolle "DAGL(daglig leder)" for brukeren som har tilgang til ressursen, og krever bruk av [Ressursrettighetsregister](../../../../authorization/what-do-you-get/resourceregistry/) (gå til engelsk språk for å se dokumentasjon for RRR) for å gi tilgang til spesifikke organisasjoner. diff --git a/content/dialogporten/getting-started/authorization/_index.md b/content/dialogporten/getting-started/authorization/_index.md index 78b8e1681db..887685e215b 100644 --- a/content/dialogporten/getting-started/authorization/_index.md +++ b/content/dialogporten/getting-started/authorization/_index.md @@ -4,5 +4,12 @@ description: 'Learn how Dialogporten uses Altinn Authorization and provides its weight: 20 --- +## Introduction + +Dialogporten is fully integrated with ID-porten, Maskinporten and Altinn Authorization. Access to all dialogs are subject to the same access policy as the service they represent, which is fully manageable via roles, access packages and service rights in [Altinn Access Management]({{}}). + +**Read more** +* {{}} + {{}} diff --git a/content/dialogporten/getting-started/authorization/attributes/_index.md b/content/dialogporten/getting-started/authorization/attributes/_index.md index f28fc8d2cd0..a47a886f656 100644 
--- a/content/dialogporten/getting-started/authorization/attributes/_index.md +++ b/content/dialogporten/getting-started/authorization/attributes/_index.md @@ -1,7 +1,7 @@ --- title: 'Authorization Attributes' description: 'Learn how dialogs in Dialogporten implements fine-grained access control using Altinn Authorization' -weight: 10 +weight: 20 --- ## Introduction diff --git a/content/dialogporten/getting-started/authorization/dialog-tokens/_index.md b/content/dialogporten/getting-started/authorization/dialog-tokens/_index.md index c2bb5956a36..f208f478030 100644 --- a/content/dialogporten/getting-started/authorization/dialog-tokens/_index.md +++ b/content/dialogporten/getting-started/authorization/dialog-tokens/_index.md @@ -1,7 +1,7 @@ --- title: 'Dialog Tokens' description: 'Learn how dialog tokens can be used to simplify authorization and enable higher confidentiality' -weight: 20 +weight: 30 --- ## Introduction diff --git a/content/dialogporten/getting-started/authorization/service-resource/_index.md b/content/dialogporten/getting-started/authorization/service-resource/_index.md index c875241d86b..2700a4c86ef 100644 --- a/content/dialogporten/getting-started/authorization/service-resource/_index.md +++ b/content/dialogporten/getting-started/authorization/service-resource/_index.md 
@@ -8,9 +8,9 @@ weight: 10 All dialogs must refer to a main _service resource_. A service resource describes a particular digital service, and contains metadata such as a name, a description, what public actor owns and - most importantly - the authorization policy governing the use of that service. -Service resources reside in [Altinn Resource Registry]({{}}), alongside other types of resources which utilize Altinn Authorization for access management and control. The authorization policies are expressed in [XACML]({{}}), which describes the access rules that governs all dialogs that refer to it. Dialogporten is integrated with Altinn Authorization, and will consult it for every request made to Dialogporten and enforce its decisions. The main service resource policy is thus used to control what information a given user can retrieve from Dialogporten. Access managers within organizations use these service resources, or groups of related service resources, when handling who should have access to do what on behalf of an organization. +Service resources reside in [Altinn Resource Registry]({{}}), alongside other types of resources which utilize Altinn Authorization for access management and control. The authorization policies are expressed in [XACML]({{}}), which describes the access rules that governs all dialogs that refer to it. Dialogporten is integrated with Altinn Authorization, and will consult it for every request made to Dialogporten and enforce its decisions. The main service resource policy is thus used to control what information a given user can retrieve from Dialogporten. Access managers within organizations use these service resources, or groups of related service resources, when handling who should have access to do what on behalf of an organization. -For example, an action named "Go to signing" might refer to an _action_ called "sign" in the XACML policy for the main service resource. 
If the user does not posess this permission, the button may be grayed out and disabled. +For example, an action named "Go to signing" might refer to an _action_ called "sign" in the [XACML]({{}}) policy for the main service resource. If the user does not posess this permission, the button may be grayed out and disabled. ## Advanced usage XACML offers great flexibility in how coarse or fine-grained the access control should be, and dialogs can contain actions and transmissions that can be matched by different rules defined within the policy of the service resource. Transmissions and actions can even refer to different service resources, giving the service owner more options in how the various parts of a dialog should be governed. This is enabled through the use of [authorization attributes]({{}}) diff --git a/content/dialogporten/getting-started/dialogs/_index.md b/content/dialogporten/getting-started/dialogs/_index.md index df4d6879451..baf51a9f154 100644 --- a/content/dialogporten/getting-started/dialogs/_index.md +++ b/content/dialogporten/getting-started/dialogs/_index.md 
@@ -41,7 +41,7 @@ Attachments can be used on both transmission and dialog level. An _action_ describes an interaction that users can perform with or related to a dialog. Examples of actions are "Open", "Start signing", "Pay", "Confirm", "Learn more", "Cancel", etc. The list of relevant actions is part of the structured description of a dialog and can be changed at any time by the service provider through the API. -An action is either a _"GUI" action_ or an _"API" action_. All actions - both GUI and API - have an identifier that maps to an _action_ (and optionally an [authorization attribute]({{}})) in the authorization policy (XACML) associated with a [service resource]({{}}). +An action is either a _"GUI" action_ or an _"API" action_. All actions - both GUI and API - have an identifier that maps to an _action_ (and optionally an [authorization attribute]({{}})) in the authorization policy ([XACML]({{}})) associated with a [service resource]({{}}). ### GUI Actions diff --git a/content/dialogporten/reference/authorization/_index.md b/content/dialogporten/reference/authorization/_index.md index 7e853be6997..beba032835f 100644 --- a/content/dialogporten/reference/authorization/_index.md +++ b/content/dialogporten/reference/authorization/_index.md @@ -4,5 +4,9 @@ description: 'Reference information about Dialogporten authorization mechanisms' weight: 30 --- +## Introduction + +See [getting started with authorization]({{}}) for a functional overview of how Dialogporten implements authorization. + {{}} diff --git a/content/dialogporten/reference/authorization/altinn-authorization/_index.md b/content/dialogporten/reference/authorization/altinn-authorization/_index.md new file mode 100644 index 00000000000..ed9ab84d0a0 --- /dev/null +++ b/content/dialogporten/reference/authorization/altinn-authorization/_index.md 
@@ -0,0 +1,41 @@
+---
+title: 'Altinn Authorization'
+description: 'Technical overview of how Dialogporten integrates with Altinn Authorization'
+weight: 1
+---
+
+## Introduction
+
+Dialogporten is fully integrated with Altinn Authorization, which is used for all authorization decisions made in Dialogporten.
+
+For performance reasons, there are two different ways that Altinn Authorization is utilized.
+
+## Authentication and coarse-grained authorization
+
+Dialogporten performs basic authentication and scope-based authorization via self-contained access tokens issued by Maskinporten and ID-porten, and optionally exhanged at Altinn Token Exchange.
+
+**See also**
+* {{}}
+
+
+## Dialog list authorization
+
+All list views in Dialogporten utilizes the [Authorized Parties API]({{}}), that yields a list of all parties the authenticated user can represent along with all roles/access packages and service/instance rights that user has been granted for each party.
+
+Dialogporten maintains a map of which roles/access packages grant rights to each resource in the resource registry, and uses that to fetch only dialogs referring to service resources that the user has some kind of access to. Which actions (read, write, etc) are not considered - any right for the given party for the given resource is sufficient to see the dialog in the dialog list.
+
+As only one request (for a given party/service resource tuple) will have to be performed within a cache TTL window, re-sorting/filtering and pagination does not require additional requests to Altinn Authorization, and can therefor be performed quickly.
+
+## Dialog details authorization
+
+For dialog details, the [PDP API]({{}}) is utilized, allow for fine-grained authorization of the various actions and transmissions defined within the dialog.
+
+All actions and transmissions are decorated with a `IsAuthorized` flag, which indicates to the end-user system whether or not the user has access. If not, all URLs are removed.
+
+{{}}
+While Dialogporten indicates that the action is unauthorized, and removes the URLs, the endpoint should still always perform authentication/authorization on incoming requests and not rely on Dialogporten simply obscuring access to the endpoints
+{{}}
+
+
+{{}}
+
diff --git a/content/dialogporten/reference/authorization/attributes/_index.md b/content/dialogporten/reference/authorization/attributes/_index.md
index d4d267a2637..e99e333bae0 100644
--- a/content/dialogporten/reference/authorization/attributes/_index.md
+++ b/content/dialogporten/reference/authorization/attributes/_index.md
@@ -1,12 +1,298 @@ --- title: 'Authorization Attributes' description: 'Reference information about authorization attributes' -weight: 1 +weight: 10 --- -{{}} +## Introduction + +See [getting started with authorization attributes]({{}}) for a functional overview of authorization attributes and what they can be used for. + +Authorization attributes are a way to control how the XACML request is constructed for a given dialog, making it possible to have more fine grained rules and even refer to several distinct resource policies. + +{{}} +Authorization attributes are only considered in single dialog endpoints, ie. when requesting a dialog by ID. For dialog search/lists, the authorization attributes are not considered. +{{}} + +## Usage + +Authorization attributes can be supplied on: + +* GUI actions +* API actions +* Transmissions + +## Basic format + +The value of the authorization attribute will be mapped to a XACML resource that Altinn Authorization can understand, ie. a URN. Valid examples: + +``` +urn:altinn:subresource:mysubresource +urn:altinn:task:Task_1 +urn:altinn:resource:someotherresource +``` + +{{}} +In addition, a bare non-URN string like `foobar` can be supplied as a shorthand for `urn:altinn:subresource:foobar` +{{}} + +The authorization attribute is split at the last segment, and the first part is used as the *attribute id* and the second part as the *attribute value*. + +## Mapping to XACML + +Eg. given a dialog that has `ServiceResource` set to `urn:altinn:resource:myfirstservice` and a GUI/API action shaped like this on a dialog : + +```json +{ + "action": "sign", + "authorizationAttribute": "urn:altinn:task:gm_signing_task", + ... 
+} +``` + +will result in a XACML request like this: + +```json +{ + "Request": { + "AccessSubject": [ /* information about the user omitted */ ], + "Action": [ + { + "Attribute": [ + { + "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id", + "Value": "sign" + } + ] + } + ], + "Resource": [ + { + "Attribute": [ + { + "AttributeId": "urn:altinn:resource", + "Value": "myfirstservice" + }, + { + "AttributeId": "urn:altinn:task", + "Value": "gm_signing_task" + } + /* information about the party owning the dialog omitted */ + ] + } + ] + } +} +``` + +This can be governed by a policy rule like this: + +```xml + +A rule giving user with role DAGL to "sign" within the task named "gm_signing_task" + + + + + DAGL + + + + + + + + myfirstservice + + + + gm_signing_task + + + + + + + + sign + + + + + + +``` + +If the request fails, Dialogporten will flag the GUI/API-action or transmission with `isAuthorized: false` and remove the associated URLs. This allows for end user systems to indicate to the user that access to the given action is denied. + +{{}} +While Dialogporten indicates that the action is unauthorized, and removes the URLs, the endpoint should still always perform authentication/authorization on incoming requests and not rely on Dialogporten simply obscuring access to the endpoints +{{}} + +## Using authorization attributes on transmissions + +For transmissions, the mechanics are the same, but there are no explicit actions associated with transmission. Therefore, either `read` or `transmissionread` actions are inferred and used in the XACML requests. + +If a authorization attribute is supplied that refers to a separate resource/policy in Resource Registry (see below), `read` will be used as the action in the authorization check. `read` is also used if no authorization attribute is supplied at all. 
However, if a authorization attribute that does NOT refer to a separate resource/policy i Resource Registry is supplied, then `transmissionread` will be used as the action in the authorization check. + +The reason for this is that the `read` action is usually defined for the entire resource, which will include all subresources due to the matching nature of XACML authorization "permit"-rules used in Altinn Authorization (a XACML rule defines constraints, ie. attributes that must be present in the request; an empty XACML rule will thus match - and return "permit" - any request). So in order to use authorization attributes that refer to rules within the same policy that should define separate access requirements, using something else than `read` is required, ie `transmissionread`. + +Example: + +```xml + +A rule giving user with role UTINN or DAGL to read the dialog + + + + + UTINN + + + + + + DAGL + + + + + + + + myfirstservice + + + + + + + + read + + + + + + + +A rule giving users with DAGL to read a particular transmission + + + + + DAGL + + + + + + + + myfirstservice + + + + sometransmission + + + + + + + + transmissionread + + + + + + +``` + +In the above example, the following XACML request: + +```json +{ + "Request": { + "AccessSubject": [ + { + "Attribute": [ + { + "AttributeId": "urn:altinn:rolecode", + "Value": "UTINN" + } + ] + } + ], + "Action": [ + { + "Attribute": [ + { + "AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id", + "Value": "read" + } + ] + } + ], + "Resource": [ + { + "Attribute": [ + { + "AttributeId": "urn:altinn:resource", + "Value": "myfirstservice" + }, + { + "AttributeId": "urn:altinn:subresource", + "Value": "sometransmission" + } + ] + } + ] + } +} +``` + +Will result in `Permit`, because the request satisfies all the constraints defined in the first rule, which is not what we want. 
Using a different action, ie `transmissionread`, it will no longer match the first rule, and because UTINN is not part of the subject in the second rule, a `Permit` response will not be given and the transmission will be flagged as unaccessible by Dialogporten. + +## Refer to separate resource/policy in Resource Registry + +If the authorization attribute value starts with either `urn:altinn:resource` or `urn:altinn:app`, and the full value differs from what `ServiceResource` for the given dialog is set to, the authorization attribute is considered as referring to different resources in the Resource Registry. This way, access to the various part of a dialog might be governed by different policies. + +A typical use case is having dialogs that all refer to different resources/policies, but within them contain [transmissions]({{}}) representing a shared kind of communication (ie. notice of coercive fine) that are governed by the same authorization policy, regardless of the dialog in which it is used. + +Example: +```json +// First dialog +{ + "id": "019275d2-1b5d-7b82-b436-4b74e5cbd02b", + "serviceResource": "urn:altinn:resource:some-service", + "transmissions": [ + { + "id": "019275d3-41d5-743c-be44-aa729cf95acf", + "authorizationAttribute": "urn:altinn:resource:notice-of-coervice-fine", + ... + } + ] + ... +} +// Second dialog +{ + "id": "019275d4-d550-7e93-9819-1e40579f243a", + "serviceResource": "urn:altinn:resource:other-service", + "transmissions": [ + { + "id": "019275d5-0044-7b10-803a-fa5e6ac3f593", + "authorizationAttribute": "urn:altinn:resource:notice-of-coervice-fine", + ... + } + ] + ... +} +``` + +This allows for having fine-grained control over what parts of dialogs a given role is given access to, whilst avoiding duplicating policy rules across the policies governing access to various dialog types. -For now, refer to the [OpenAPI specification]({{}}). {{}} 
diff --git a/content/dialogporten/reference/authorization/dialog-tokens/_index.md b/content/dialogporten/reference/authorization/dialog-tokens/_index.md
index f167c0e2271..85e347f7e86 100644
--- a/content/dialogporten/reference/authorization/dialog-tokens/_index.md
+++ b/content/dialogporten/reference/authorization/dialog-tokens/_index.md
@@ -1,12 +1,83 @@ --- title: 'Dialog Tokens' description: 'Reference information about dialog tokens' -weight: 1 +weight: 20 --- -{{}} +## Introduction + +See [getting started with dialog tokens]({{}}) for a functional overview of dialog tokens and what they can be used for. + +Dialog tokens allows for unproxied frontend requests to endpoints requiring authentication and authorization, without having to rely on ID-porten SSO and redirects. + +## Usage for end-user systems (OAuth clients) + +Dialog tokens are embedded withing the [single dialog response model]({{}}) (see `dialogToken`), and is a self-contained, signed JWT containing claims from the authenticated user and the dialog itself, including what actions and authorization attributes the user is authorized for. + +The dialog tokens should be transferred as-is as a bearer token in a `Authorization` HTTP header. The contents of the dialog token should normally not be considered by the clients, ie. the token should be treated as an opaque string. + +The altinn.no-portal will be using dialog tokens on all URLs associated with [write actions]({{}}) and [front channel embeds]({{}}). Other end user systems might also use the dialog token for API actions, subject to service specific protocols defined by the respective service owner. + +## Receving and verifying dialog tokens (OAuth resource servers) + +The resource server will with the help of dialog tokens be able to fully authenticate and authorize requests that are otherwise unauthenticated (ie. without cookies or any other state). The dialog tokens should be transferred as a bearer token using a `Authorization` HTTP header. 
+ +Note that for clients that are browser-based, including the Altinn.no-portal, the resource server will also have to implement the [CORS-protocol](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) in order to handle requests + +### List of Dialogporten specific claims + +| Claim | Description | Example | +|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------| +| c | Authenticated as a consumer of Dialogporten. The prefix for either individuals (typically ID-porten), organizations (typically Maskinporten), or self-registered users. | `"urn:altinn:person:identifier-no::12018212345` `"urn:altinn:organization:identifier-no::991825827"` `"urn:altinn:party-identifier:username::someemail@example.com"` | +| l | Security level of authentication (4) | `4` | +| u | Optional. If a provider token in Maskinporten has been used, the authenticated provider's organization number will be given here. | `"urn:altinn:organization:identifier-no::991825827"` | +| p | Whom the consumer is acting on behalf of (if not themselves), i.e., who owns the relevant dialogue. | `"urn:altinn:person:identifier-no::12018212345"` `"urn:altinn:organization:identifier-no::991825827"` `"urn:altinn:party-identifier:username::someemail@example.com"` | +| i | Unique identifier of the dialogue. | `"e0300961-85fb-4ef2-abff-681d77f9960e"` | +| s | The service resource that the dialogue refers to. | `"urn:altinn:resource:super-simple-service"` | +| a | Authorized actions/authorization attributes. | `"read;write;sign;elementread,urn:altinn:subresource:authorizationattribute1"` | + +#### Example of decoded token + +```json +{ + "alg": "EdDSA", + "typ": "JWT", + "kid" : "dp-2023-01" +} +// . 
+{ + "c": "urn:altinn:person:identifier-no::12018212345", + "l": 4, + "u": "urn:altinn:organization:identifier-no::825827991", + "p": "urn:altinn:organization:identifier-no::991825827", + "i": "e0300961-85fb-4ef2-abff-681d77f9960e", + "s": "urn:altinn:resource:super-simple-service", + "a": "read;write;sign;elementread,urn:altinn:subresource:autorisasjonsattributt1", + "exp": 1672772834, + "iss": "https://dialogporten.no", + "nbf": 1672771934, + "iat": 1672771934 +} + +// . +// +``` +### Token signature cipher + +Dialog tokens utilizes a [Edwards-Curve Digital Signature Algorithm (EdDSA)](https://datatracker.ietf.org/doc/html/rfc8032) using the Ed25519 curve to sign the dialog tokens, making it possible to consumers to verify that the token has been issued by Dialogporten and trust the information in the claims. Also see [RFC 8037](https://datatracker.ietf.org/doc/html/rfc8037) for information about using EdDSA in JOSE contexts. + +### Well-known endpoints + +Dialogporten provides [OAuth 2.0 Authorization Server Metadata (RFC8414)](https://datatracker.ietf.org/doc/html/rfc8414) allowing for runtime key discovery, rotation and token validation. Consult the [OpenAPI specification]({{}}) (tag "Metadata") for the well-known URLs for the given environment. + +### Key sets and rotations +The JSON Web Key sets published on the well-known-endpoints will always contain at least two JWKs. All endpoints that accepts and verifies dialog tokens issued by Dialogporten, should allow tokens signed by any of the keys present in the key set for the given environment. + +The key set should be cached and refreshed with a frequency no more than 24 hours. Dialogporten will at any point introduce new keys into the key set, but will not sign any dialog tokens until the key has been published and available at the well-known endpoint for at least 48 hours. This will allow for consumers to refresh their caches and verify the signature of any token issued by Dialogporten. 
+ +### Token validation recommendations +Please consult [RFC 8725](https://datatracker.ietf.org/doc/html/rfc8725) and the aforementioned RFCs for information about best practices for JWS signature validation. -For now, refer to the [OpenAPI specification]({{}}). {{}} diff --git a/static/css/custom.css b/static/css/custom.css index b59ce6d7e64..6d6d193fd3d 100644 --- a/static/css/custom.css +++ b/static/css/custom.css @@ -58,7 +58,7 @@ a[href^=http]:not([href*='altinn.no']):not([href*='basefarm.net']):not([href*='l a[href^=http]:not([href*='localhost']):not([href*='docs.altinn.studio']):not([href*='https://github.com/Altinn/altinn-studio/'])::after { display: inline-block; width: 1.3em; - background-image: url("https://altinn.no/images/arrowrightup.svg"); + background-image: url("../images/arrowrightup.svg"); background-repeat: no-repeat; background-size: 119% auto; vertical-align: middle; diff --git a/static/css/vscode-altinn-preview.css b/static/css/vscode-altinn-preview.css index d9633c8a8fd..ddbbe4816d1 100644 --- a/static/css/vscode-altinn-preview.css +++ b/static/css/vscode-altinn-preview.css @@ -117,7 +117,7 @@ a[href^=http]:not([href*='localhost']):not([href*='docs.altinn.studio']):not([hr { display: inline-block; width: 1.3em; - background-image: url(https://altinn.no/images/arrowrightup.svg); + background-image: url(../images/arrowrightup.svg); background-repeat: no-repeat; background-size: 119% auto; vertical-align: middle; diff --git a/static/swagger/altinn-platform-authentication-v1.json b/static/swagger/altinn-platform-authentication-v1.json index b7b426a8cde..a477c1465af 100644 --- a/static/swagger/altinn-platform-authentication-v1.json +++ b/static/swagger/altinn-platform-authentication-v1.json @@ -206,7 +206,6 @@ ], "summary": "Validates provided token.", "requestBody": { - "description": "Gets or sets the token", "content": { "application/x-www-form-urlencoded": { "schema": { 
@@ -345,17 +344,17 @@ "content": { "text/plain": { "schema": { - "$ref": "#/components/schemas/CreateRequestSystemUserResponse" + "$ref": "#/components/schemas/RequestSystemResponse" } }, "application/json": { "schema": { - "$ref": "#/components/schemas/CreateRequestSystemUserResponse" + "$ref": "#/components/schemas/RequestSystemResponse" } }, "text/json": { "schema": { - "$ref": "#/components/schemas/CreateRequestSystemUserResponse" + "$ref": "#/components/schemas/RequestSystemResponse" } } } @@ -387,17 +386,56 @@ "content": { "text/plain": { "schema": { - "$ref": "#/components/schemas/CreateRequestSystemUserResponse" + "$ref": "#/components/schemas/RequestSystemResponse" } }, "application/json": { "schema": { - "$ref": "#/components/schemas/CreateRequestSystemUserResponse" + "$ref": "#/components/schemas/RequestSystemResponse" } }, "text/json": { "schema": { - "$ref": "#/components/schemas/CreateRequestSystemUserResponse" + "$ref": "#/components/schemas/RequestSystemResponse" + } + } + } + } + } + }, + "delete": { + "tags": [ + "RequestSystemUser" + ], + "summary": "Used by the Vendors to delete the chosen Request by guid", + "parameters": [ + { + "name": "requestId", + "in": "path", + "required": true, + "schema": { + "type": "string", + "format": "uuid" + } + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "text/plain": { + "schema": { + "$ref": "#/components/schemas/RequestSystemResponse" + } + }, + "application/json": { + "schema": { + "$ref": "#/components/schemas/RequestSystemResponse" + } + }, + "text/json": { + "schema": { + "$ref": "#/components/schemas/RequestSystemResponse" } } } 
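Review bot: The new `delete` operation documents only a `200` response carrying a full `RequestSystemResponse`; for a delete keyed by `requestId` the `404` (unknown id) and `401`/`403` (caller is not the vendor that owns the request) outcomes should be listed as well, otherwise generated clients treat them as undocumented errors. The same 200-only response set is used by the new `bysystem` and `reject` operations at L35–L36, the `vendor` create at L38 and the vendor system-user list at L40. The summary says the operation is for vendors, but no `security` requirement is visible in the hunk — acceptable if a document-level `security` block applies, otherwise one belongs here. It also lacks the `operationId` the other new operations carry, e.g. `"operationId": "vendor/deleteRequest"` (constructed name). The path item enclosing this operation starts outside the hunk.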
@@ -446,17 +484,17 @@ "content": { "text/plain": { "schema": { - "$ref": "#/components/schemas/CreateRequestSystemUserResponse" + "$ref": "#/components/schemas/RequestSystemResponse" } }, "application/json": { "schema": { - "$ref": "#/components/schemas/CreateRequestSystemUserResponse" + "$ref": "#/components/schemas/RequestSystemResponse" } }, "text/json": { "schema": { - "$ref": "#/components/schemas/CreateRequestSystemUserResponse" + "$ref": "#/components/schemas/RequestSystemResponse" } } } @@ -496,17 +534,17 @@ "content": { "text/plain": { "schema": { - "$ref": "#/components/schemas/CreateRequestSystemUserResponse" + "$ref": "#/components/schemas/RequestSystemResponse" } }, "application/json": { "schema": { - "$ref": "#/components/schemas/CreateRequestSystemUserResponse" + "$ref": "#/components/schemas/RequestSystemResponse" } }, "text/json": { "schema": { - "$ref": "#/components/schemas/CreateRequestSystemUserResponse" + "$ref": "#/components/schemas/RequestSystemResponse" } } } 
@@ -548,17 +586,119 @@ "content": { "text/plain": { "schema": { - "$ref": "#/components/schemas/CreateRequestSystemUserResponse" + "$ref": "#/components/schemas/RequestSystemResponse" + } + }, + "application/json": { + "schema": { + "$ref": "#/components/schemas/RequestSystemResponse" + } + }, + "text/json": { + "schema": { + "$ref": "#/components/schemas/RequestSystemResponse" + } + } + } + } + } + } + }, + "/systemuser/request/vendor/bysystem/{systemId}": { + "get": { + "tags": [ + "RequestSystemUser" + ], + "summary": "Retrieves a list of Status-Response-model for all Requests that the Vendor has for a given system they own.", + "operationId": "vendor/bysystem", + "parameters": [ + { + "name": "systemId", + "in": "path", + "description": "The system the Vendor wants the list for", + "required": true, + "schema": { + "type": "string" + } + }, + { + "name": "token", + "in": "query", + "description": "Optional continuation token", + "schema": { + "$ref": "#/components/schemas/GuidOpaque" + } + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "text/plain": { + "schema": { + "$ref": "#/components/schemas/RequestSystemResponsePaginated" + } + }, + "application/json": { + "schema": { + "$ref": "#/components/schemas/RequestSystemResponsePaginated" + } + }, + "text/json": { + "schema": { + "$ref": "#/components/schemas/RequestSystemResponsePaginated" + } + } + } + } + } + } + }, + "/systemuser/request/{party}/{requestId}/reject": { + "post": { + "tags": [ + "RequestSystemUser" + ], + "summary": "Rejects the systemuser request", + "parameters": [ + { + "name": "party", + "in": "path", + "description": "the partyId", + "required": true, + "schema": { + "type": "integer", + "format": "int32" + } + }, + { + "name": "requestId", + "in": "path", + "description": "The UUID of the request to be rejected", + "required": true, + "schema": { + "type": "string", + "format": "uuid" + } + } + ], + "responses": { + "200": { + "description": "OK", + "content": 
{ + "text/plain": { + "schema": { + "$ref": "#/components/schemas/RequestSystemResponse" } }, "application/json": { "schema": { - "$ref": "#/components/schemas/CreateRequestSystemUserResponse" + "$ref": "#/components/schemas/RequestSystemResponse" } }, "text/json": { "schema": { - "$ref": "#/components/schemas/CreateRequestSystemUserResponse" + "$ref": "#/components/schemas/RequestSystemResponse" } } } @@ -580,7 +720,7 @@ "schema": { "type": "array", "items": { - "$ref": "#/components/schemas/RegisterSystemResponse" + "$ref": "#/components/schemas/RegisteredSystemDTO" } } }, @@ -588,7 +728,7 @@ "schema": { "type": "array", "items": { - "$ref": "#/components/schemas/RegisterSystemResponse" + "$ref": "#/components/schemas/RegisteredSystemDTO" } } }, @@ -596,7 +736,7 @@ "schema": { "type": "array", "items": { - "$ref": "#/components/schemas/RegisterSystemResponse" + "$ref": "#/components/schemas/RegisteredSystemDTO" } } } @@ -605,7 +745,48 @@ } } }, - "/systemregister/system/{systemId}": { + "/systemregister/{systemId}": { + "get": { + "tags": [ + "SystemRegister" + ], + "summary": "Retrieves a Registered System frontend DTO for the systemId.", + "parameters": [ + { + "name": "systemId", + "in": "path", + "description": "The Id of the Registered System", + "required": true, + "schema": { + "type": "string" + } + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "text/plain": { + "schema": { + "$ref": "#/components/schemas/RegisteredSystemDTO" + } + }, + "application/json": { + "schema": { + "$ref": "#/components/schemas/RegisteredSystemDTO" + } + }, + "text/json": { + "schema": { + "$ref": "#/components/schemas/RegisteredSystemDTO" + } + } + } + } + } + } + }, + "/systemregister/vendor/{systemId}": { "get": { "tags": [ "SystemRegister" 
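Review bot: The `token` query parameter on `/systemuser/request/vendor/bysystem/{systemId}` is declared with the object schema `GuidOpaque`, so without a `style`/`explode` setting its query-string serialization is ambiguous for generated clients (`token=<uuid>` versus `value=<uuid>`). Because the value is meant to be opaque to the caller, `"schema": { "type": "string" }` with the existing description would be unambiguous and would also avoid advertising the inner `uuid` format; the same applies to the `StringOpaque` token on `/systemuser/vendor/bysystem/{systemId}` at L40. The `reject` operation in the same hunk accepts `party` as `int32`, so a `description` stating whether that is the Altinn party id of the organization receiving the request would help consumers; the enclosing `paths` object starts outside the hunk.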
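Review bot: The path rename from `/systemregister/system/{systemId}` to `/systemregister/{systemId}`, together with the sibling renames to `/systemregister/vendor/...` at L37 and L38–L39, is a breaking change published in a spec that is still labelled v1. If the old routes are still served, keep them in the document with `"deprecated": true` so existing vendor clients continue to work; if they are gone, the change should be called out in the changelog or carried by a version bump. The enclosing `paths` object starts outside the hunk.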
@@ -628,17 +809,17 @@ "content": { "text/plain": { "schema": { - "$ref": "#/components/schemas/RegisterSystemResponse" + "$ref": "#/components/schemas/RegisteredSystem" } }, "application/json": { "schema": { - "$ref": "#/components/schemas/RegisterSystemResponse" + "$ref": "#/components/schemas/RegisteredSystem" } }, "text/json": { "schema": { - "$ref": "#/components/schemas/RegisterSystemResponse" + "$ref": "#/components/schemas/RegisteredSystem" } } } @@ -666,17 +847,17 @@ "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/SystemRegisterRequest" + "$ref": "#/components/schemas/RegisterSystemRequest" } }, "text/json": { "schema": { - "$ref": "#/components/schemas/SystemRegisterRequest" + "$ref": "#/components/schemas/RegisterSystemRequest" } }, "application/*+json": { "schema": { - "$ref": "#/components/schemas/SystemRegisterRequest" + "$ref": "#/components/schemas/RegisterSystemRequest" } } } @@ -744,7 +925,7 @@ } } }, - "/systemregister/system/{systemId}/rights": { + "/systemregister/{systemId}/rights": { "get": { "tags": [ "SystemRegister" 
@@ -792,48 +973,30 @@ } } } - }, - "put": { + } + }, + "/systemregister/vendor": { + "post": { "tags": [ "SystemRegister" ], - "summary": "Updates the rights on a registered system", - "parameters": [ - { - "name": "systemId", - "in": "path", - "description": "The human readable string id", - "required": true, - "schema": { - "type": "string" - } - } - ], + "summary": "Create a new System", "requestBody": { - "description": "A list of rights", + "description": "The descriptor model of a new Registered System", "content": { "application/json": { "schema": { - "type": "array", - "items": { - "$ref": "#/components/schemas/Right" - } + "$ref": "#/components/schemas/RegisterSystemRequest" } }, "text/json": { "schema": { - "type": "array", - "items": { - "$ref": "#/components/schemas/Right" - } + "$ref": "#/components/schemas/RegisterSystemRequest" } }, "application/*+json": { "schema": { - "type": "array", - "items": { - "$ref": "#/components/schemas/Right" - } + "$ref": "#/components/schemas/RegisterSystemRequest" } } } @@ -844,17 +1007,20 @@ "content": { "text/plain": { "schema": { - "$ref": "#/components/schemas/SystemRegisterUpdateResult" + "type": "string", + "format": "uuid" } }, "application/json": { "schema": { - "$ref": "#/components/schemas/SystemRegisterUpdateResult" + "type": "string", + "format": "uuid" } }, "text/json": { "schema": { - "$ref": "#/components/schemas/SystemRegisterUpdateResult" + "type": "string", + "format": "uuid" } } } 
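Review bot: `POST /systemregister/vendor` ("Create a new System") documents a `200` with a bare UUID string, where `201` with the new id (and ideally a `Location` header) is the conventional result for a create; `400` for a rejected `RegisterSystemRequest` and `409` for an already-registered `id` are not documented either. Serving the UUID under `application/json` and `text/json` as `"type": "string"` means those variants return a quoted scalar rather than an object, which callers easily mishandle; an envelope such as `{ "id": "<uuid>" }` (constructed) would be more robust. The `put` on the rights path removed in the first hunk reappears at L39 under `/systemregister/vendor/{systemId}/rights`.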
@@ -862,28 +1028,48 @@ } } }, - "/systemregister/system": { - "post": { + "/systemregister/vendor/{systemId}/rights": { + "put": { "tags": [ "SystemRegister" ], - "summary": "Create a new System", + "summary": "Updates the rights on a registered system", + "parameters": [ + { + "name": "systemId", + "in": "path", + "description": "The human readable string id", + "required": true, + "schema": { + "type": "string" + } + } + ], "requestBody": { - "description": "The descriptor model of a new Registered System", + "description": "A list of rights", "content": { "application/json": { "schema": { - "$ref": "#/components/schemas/SystemRegisterRequest" + "type": "array", + "items": { + "$ref": "#/components/schemas/Right" + } } }, "text/json": { "schema": { - "$ref": "#/components/schemas/SystemRegisterRequest" + "type": "array", + "items": { + "$ref": "#/components/schemas/Right" + } } }, "application/*+json": { "schema": { - "$ref": "#/components/schemas/SystemRegisterRequest" + "type": "array", + "items": { + "$ref": "#/components/schemas/Right" + } } } } @@ -894,20 +1080,17 @@ "content": { "text/plain": { "schema": { - "type": "string", - "format": "uuid" + "$ref": "#/components/schemas/SystemRegisterUpdateResult" } }, "application/json": { "schema": { - "type": "string", - "format": "uuid" + "$ref": "#/components/schemas/SystemRegisterUpdateResult" } }, "text/json": { "schema": { - "type": "string", - "format": "uuid" + "$ref": "#/components/schemas/SystemRegisterUpdateResult" } } } 
@@ -1209,75 +1392,86 @@ } } } - } - }, - "components": { - "schemas": { - "AttributePair": { - "required": [ - "id", - "value" + }, + "/systemuser/vendor/bysystem/{systemId}": { + "get": { + "tags": [ + "SystemUser" ], - "type": "object", - "properties": { - "id": { - "minLength": 1, - "type": "string" - }, - "value": { - "minLength": 1, - "type": "string" + "summary": "Retrieves a list of SystemUsers the Vendor has for a given system they own.", + "operationId": "vendor/systemusers/bysystem", + "parameters": [ + { + "name": "systemId", + "in": "path", + "description": "The system the Vendor wants the list for", + "required": true, + "schema": { + "type": "string" + } + }, + { + "name": "token", + "in": "query", + "description": "Optional continuation token", + "schema": { + "$ref": "#/components/schemas/StringOpaque" + } } - }, - "additionalProperties": false - }, - "CreateRequestSystemUser": { + ], + "responses": { + "200": { + "description": "OK", + "content": { + "text/plain": { + "schema": { + "$ref": "#/components/schemas/SystemUserPaginated" + } + }, + "application/json": { + "schema": { + "$ref": "#/components/schemas/SystemUserPaginated" + } + }, + "text/json": { + "schema": { + "$ref": "#/components/schemas/SystemUserPaginated" + } + } + } + } + } + } + } + }, + "components": { + "schemas": { + "AttributePair": { "required": [ - "partyOrgNo", - "rights", - "systemId" + "id", + "value" ], "type": "object", "properties": { - "externalRef": { - "type": "string", - "nullable": true - }, - "systemId": { + "id": { "minLength": 1, "type": "string" }, - "partyOrgNo": { + "value": { "minLength": 1, "type": "string" - }, - "rights": { - "type": "array", - "items": { - "$ref": "#/components/schemas/Right" - } - }, - "redirectUrl": { - "type": "string", - "nullable": true } }, "additionalProperties": false }, - "CreateRequestSystemUserResponse": { + "CreateRequestSystemUser": { "required": [ - "id", "partyOrgNo", "rights", - "status", "systemId" ], "type": "object", 
"properties": { - "id": { - "type": "string", - "format": "uuid" - }, "externalRef": { "type": "string", "nullable": true @@ -1296,10 +1490,6 @@ "$ref": "#/components/schemas/Right" } }, - "status": { - "minLength": 1, - "type": "string" - }, "redirectUrl": { "type": "string", "nullable": true @@ -1441,6 +1631,18 @@ "additionalProperties": false, "description": "Represents the well known discovery document described by \"OpenID Connect Discovery 1.0 incorporating errata set 1\"\r\nURL: https://openid.net/specs/openid-connect-discovery-1_0.html (and other specifications)" }, + "GuidOpaque": { + "type": "object", + "properties": { + "value": { + "type": "string", + "description": "Gets the inner value.", + "format": "uuid" + } + }, + "additionalProperties": false, + "description": "\r\n\r\n An opaque value is a value that can be transmitted to another party\r\n without divulging any type information or expectations about the value.\r\n \r\n\r\n\r\n Opaque values are typically usefull in APIs where the server wants to\r\n be able to return a value that the client later needs to send back to\r\n the server, but where the server does not want to expose the type of\r\n the value to the client. For instance, in a pagination scenario, the\r\n server can use an opaque int to do pagination by page number, while\r\n allowing itself to later change the implementation to use a cursor\r\n instead of a page number without breaking the API.\r\n " + }, "IntrospectionResponse": { "type": "object", "properties": { 
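Review bot: The `description` of the new `GuidOpaque` schema is raw XML-doc residue — embedded `\r\n` sequences, runs of leading spaces and the typo "usefull" — which renders poorly in Swagger UI and in generated client documentation. Replace it with one trimmed sentence such as `"An opaque pagination token; clients send it back unchanged and must not depend on its inner value."` and drop the property-level `Gets the inner value.` text. The discovery-document and JWK-set descriptions in the surrounding context lines show the same residue, so trimming summaries on the generator side would fix all of them at once.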
@@ -1512,6 +1714,18 @@ "additionalProperties": false, "description": "Represents a Json Wen Key set as described by \"JSON Web Key (JWK) draft-ietf-jose-json-web-key-41\"\r\nURL: https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41" }, + "PaginatedLinks": { + "type": "object", + "properties": { + "next": { + "type": "string", + "description": "Link to the next page of items (if any).", + "nullable": true + } + }, + "additionalProperties": false, + "description": "Pagination links." + }, "ProblemDetails": { "type": "object", "properties": { @@ -1539,7 +1753,69 @@ }, "additionalProperties": { } }, - "RegisterSystemResponse": { + "RegisterSystemRequest": { + "required": [ + "clientId", + "description", + "id", + "name", + "vendor" + ], + "type": "object", + "properties": { + "id": { + "type": "string", + "nullable": true + }, + "vendor": { + "$ref": "#/components/schemas/VendorInfo" + }, + "name": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "nullable": true + }, + "description": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "nullable": true + }, + "rights": { + "type": "array", + "items": { + "$ref": "#/components/schemas/Right" + }, + "nullable": true + }, + "isDeleted": { + "type": "boolean" + }, + "clientId": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true + }, + "isVisible": { + "type": "boolean" + }, + "allowedRedirectUrls": { + "type": "array", + "items": { + "type": "string", + "format": "uri" + }, + "nullable": true + } + }, + "additionalProperties": false + }, + "RegisteredSystem": { "required": [ "description", "name", @@ -1595,6 +1871,13 @@ "softDeleted": { "type": "boolean" }, + "clientId": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true + }, "isVisible": { "type": "boolean" }, 
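Review bot: In `RegisterSystemRequest`, `id`, `name`, `description` and `clientId` are listed under `required` yet each is `"nullable": true`, so a client can satisfy the schema with `"id": null`; drop `nullable` on the required members (or remove them from `required`). `id` also carries no `pattern` or `minLength`, so whatever identifier rules vendors must follow cannot be validated from the spec. `allowedRedirectUrls` needs a `description` stating how a request's `redirectUrl` (see `CreateRequestSystemUser` at L41) is validated against it — exact match versus prefix — since that allow-list is what keeps the post-approval redirect from going to an unlisted URL. `RegisteredSystemDTO` at L43 shows the same required-but-nullable pattern.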
@@ -1609,42 +1892,25 @@ }, "additionalProperties": false }, - "Right": { - "type": "object", - "properties": { - "action": { - "type": "string", - "nullable": true - }, - "resource": { - "type": "array", - "items": { - "$ref": "#/components/schemas/AttributePair" - }, - "nullable": true - } - }, - "additionalProperties": false - }, - "SystemRegisterRequest": { + "RegisteredSystemDTO": { "required": [ - "clientId", "description", - "id", "name", - "vendor" + "systemId", + "systemVendorOrgNumber" ], "type": "object", "properties": { - "id": { + "systemId": { "type": "string", "nullable": true }, - "vendor": { - "type": "object", - "additionalProperties": { - "type": "string" - }, + "systemVendorOrgNumber": { + "type": "string", + "nullable": true + }, + "systemVendorOrgName": { + "type": "string", "nullable": true }, "name": { 
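Review bot: The new schema name `RegisteredSystemDTO` breaks the suffix casing used by the other schemas in this file (`SystemUserRequestDto`); schema names become class names in generated clients, so renaming it to `RegisteredSystemDto` before the spec is published avoids a breaking rename later. `systemId` and `systemVendorOrgNumber` are `required` yet `"nullable": true` — the same required-but-nullable contradiction as in `RegisterSystemRequest`. The hunk also removes `Right` here while a later hunk re-adds it unchanged, so that part of the diff is a move rather than a change.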
@@ -1661,37 +1927,110 @@ }, "nullable": true }, - "singleRights": { + "rights": { "type": "array", "items": { "$ref": "#/components/schemas/Right" }, "nullable": true + } + }, + "additionalProperties": false + }, + "RequestSystemResponse": { + "required": [ + "id", + "partyOrgNo", + "rights", + "status", + "systemId" + ], + "type": "object", + "properties": { + "id": { + "type": "string", + "format": "uuid" }, - "isDeleted": { - "type": "boolean" + "externalRef": { + "type": "string", + "nullable": true }, - "clientId": { + "systemId": { + "minLength": 1, + "type": "string" + }, + "partyOrgNo": { + "minLength": 1, + "type": "string" + }, + "rights": { "type": "array", "items": { - "type": "string" + "$ref": "#/components/schemas/Right" + } + }, + "status": { + "minLength": 1, + "type": "string" + }, + "redirectUrl": { + "type": "string", + "nullable": true + }, + "confirmUrl": { + "type": "string", + "nullable": true + } + }, + "additionalProperties": false + }, + "RequestSystemResponsePaginated": { + "type": "object", + "properties": { + "data": { + "type": "array", + "items": { + "$ref": "#/components/schemas/RequestSystemResponse" }, + "description": "The items.", "nullable": true }, - "isVisible": { - "type": "boolean" + "links": { + "$ref": "#/components/schemas/PaginatedLinks" + } + }, + "additionalProperties": false, + "description": "A paginated Altinn.Platform.Authentication.Model.ListObject`1." 
+ }, + "Right": { + "type": "object", + "properties": { + "action": { + "type": "string", + "nullable": true }, - "allowedRedirectUrls": { + "resource": { "type": "array", "items": { - "type": "string", - "format": "uri" + "$ref": "#/components/schemas/AttributePair" }, "nullable": true } }, "additionalProperties": false }, + "StringOpaque": { + "type": "object", + "properties": { + "value": { + "type": "string", + "description": "Gets the inner value.", + "nullable": true + } + }, + "additionalProperties": false, + "description": "\r\n\r\n An opaque value is a value that can be transmitted to another party\r\n without divulging any type information or expectations about the value.\r\n \r\n\r\n\r\n Opaque values are typically usefull in APIs where the server wants to\r\n be able to return a value that the client later needs to send back to\r\n the server, but where the server does not want to expose the type of\r\n the value to the client. For instance, in a pagination scenario, the\r\n server can use an opaque int to do pagination by page number, while\r\n allowing itself to later change the implementation to use a cursor\r\n instead of a page number without breaking the API.\r\n " + }, "SystemRegisterUpdateResult": { "type": "object", "properties": { @@ -1751,6 +2090,24 @@ }, "additionalProperties": false }, + "SystemUserPaginated": { + "type": "object", + "properties": { + "data": { + "type": "array", + "items": { + "$ref": "#/components/schemas/SystemUser" + }, + "description": "The items.", + "nullable": true + }, + "links": { + "$ref": "#/components/schemas/PaginatedLinks" + } + }, + "additionalProperties": false, + "description": "A paginated Altinn.Platform.Authentication.Model.ListObject`1." + }, "SystemUserRequestDto": { "type": "object", "properties": { 
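Review bot: `status` in `RequestSystemResponse` is a free-form string (`"minLength": 1`) although the values a client has to branch on are presumably a closed set; declaring them with `"enum": [...]`, or at least listing them in a `description`, lets generated clients validate them instead of string-comparing undocumented values. The `description` of `RequestSystemResponsePaginated` exposes the CLR generic name `Altinn.Platform.Authentication.Model.ListObject` + "`1", which means nothing to API consumers; `SystemUserPaginated` in the next hunk emits the same text, so one change to the generic model's doc comment fixes both. `data` in both paginated schemas is `nullable: true` while `links` is not, so a client cannot iterate `data` unconditionally — prefer an empty array over `null`.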
@@ -1790,6 +2147,16 @@ } }, "additionalProperties": false + }, + "VendorInfo": { + "type": "object", + "properties": { + "ID": { + "type": "string", + "nullable": true + } + }, + "additionalProperties": false } } } diff --git a/static/swagger/altinn-resource-registry-v1.json b/static/swagger/altinn-resource-registry-v1.json index 67bef95ec39..5223b3d444c 100644 --- a/static/swagger/altinn-resource-registry-v1.json +++ b/static/swagger/altinn-resource-registry-v1.json @@ -56,8 +56,7 @@ "security": [ { "oauth2": [ - "AccessListRead", - "Admin" + "PlatformComponentOnly" ] } ] @@ -1579,7 +1578,7 @@ "security": [ { "oauth2": [ - "StudioDesignerAccess" + "Admin" ] } ] @@ -1624,7 +1623,50 @@ "security": [ { "oauth2": [ - "StudioDesignerAccess" + "Admin" + ] + } + ] + } + }, + "/altinn2export/setserviceeditionexpired": { + "get": { + "tags": [ + "Altinn2Export" + ], + "summary": "Sets a given service expired to hide delegation functionality. Proxy for bridge functionality. Called by Altinn Studio and used as part of the migration of delegation process", + "parameters": [ + { + "name": "externalServiceCode", + "in": "query", + "schema": { + "type": "string" + } + }, + { + "name": "externalServiceEditionCode", + "in": "query", + "schema": { + "type": "integer", + "format": "int32" + } + } + ], + "responses": { + "200": { + "description": "OK" + }, + "401": { + "description": "Unauthorized" + }, + "403": { + "description": "Forbidden" + } + }, + "security": [ + { + "oauth2": [ + "Admin" ] } ] @@ -1880,6 +1922,7 @@ } ], "requestBody": { + "description": "The XACML policy file", "content": { "multipart/form-data": { "schema": { @@ -1935,6 +1978,7 @@ } ], "requestBody": { + "description": "The XACML policy file", "content": { "multipart/form-data": { "schema": { 
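Review bot: `VendorInfo.ID` is the only upper-case property name in this spec — every other schema uses camelCase (`systemId`, `clientId`, `externalRef`) — and the divergence shows up as an odd member name in generated clients; `"id"` would be consistent. The property also has no `description` or `pattern`, so nothing in the spec tells a consumer what a vendor identifier looks like; if it has a fixed form (scheme prefix plus organisation number), state it in a `description` or enforce it with a `pattern`.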
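Review bot: The scope requirement on this operation changes from `AccessListRead`/`Admin` to the single scope `PlatformComponentOnly`, which is a hard break for any existing caller holding the old scopes, and the name suggests the scope is not obtainable by ordinary API consumers. The `securitySchemes.oauth2.scopes` map that has to declare `PlatformComponentOnly` is outside this hunk — please confirm it is added there, since linters flag a scope used without a declaration. The operation's summary is also outside the hunk; a sentence stating that the endpoint is reserved for platform-internal callers would save consumers a 403 round-trip.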
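Review bot: `/altinn2export/setserviceeditionexpired` performs a state change — its summary says it sets a service edition expired — but is declared as a `get` operation; GET is defined as safe and cacheable, so proxies may cache it and browsers or link prefetchers may trigger it, and it should be a `post` like other mutating operations. Both query parameters lack `"required": true` and no `400` response is listed, so the spec does not say what happens when `externalServiceCode` or `externalServiceEditionCode` is missing or malformed; add `"required": true` to both and a `"400": { "description": "Bad Request" }` entry. The parameters also have no `description`, unlike the `/resource/updated` parameters added later in this file.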
@@ -2106,6 +2150,56 @@ } } }, + "/resource/updated": { + "get": { + "tags": [ + "Resource" + ], + "summary": "Gets the updated resources since the provided last updated time (inclusive)", + "operationId": "updated", + "parameters": [ + { + "name": "since", + "in": "query", + "description": "Date time used for filtering", + "schema": { + "type": "string", + "format": "date-time" + } + }, + { + "name": "token", + "in": "query", + "description": "Opaque continuation token containing ResourceUrn,SubjectUrn pair to skip past on rows matching \"since\" exactly", + "schema": { + "$ref": "#/components/schemas/UpdatedResourceSubjectsContinuationTokenOpaque" + } + }, + { + "name": "limit", + "in": "query", + "description": "Maximum number of pairs returned (1-1000, default: 1000)", + "schema": { + "type": "integer", + "format": "int32", + "default": 1000 + } + } + ], + "responses": { + "200": { + "description": "OK", + "content": { + "application/json": { + "schema": { + "$ref": "#/components/schemas/UpdatedResourceSubjectPaginated" + } + } + } + } + } + } + }, "/resource/orgs": { "get": { "tags": [ @@ -3017,6 +3111,14 @@ "type": "integer", "format": "int32" }, + "ResourceAccessListMode": { + "enum": [ + 0, + 1 + ], + "type": "integer", + "format": "int32" + }, "ResourceIdentifier": { "type": "object", "additionalProperties": false @@ -3174,8 +3276,8 @@ }, "nullable": true }, - "limitedByRRR": { - "type": "boolean" + "accessListMode": { + "$ref": "#/components/schemas/ResourceAccessListMode" }, "selfIdentifiedUserEnabled": { "type": "boolean" @@ -3208,7 +3310,8 @@ "properties": { "value": { "type": "string", - "description": "Gets the inner value." + "description": "Gets the inner value.", + "nullable": true } }, "additionalProperties": false, 
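Review bot: The `limit` parameter's description promises a range of 1-1000, but the schema only carries `"default": 1000`; adding `"minimum": 1, "maximum": 1000` next to it makes the bound machine-checkable for clients and validators. The `token` parameter references `UpdatedResourceSubjectsContinuationTokenOpaque`, which the schema hunk later in this diff declares as `"type": "string"` with object `properties` — a query parameter can only be a string on the wire, so the reference should resolve to a plain string schema. Only a `200` response is documented; an out-of-range `limit` or a malformed `token` presumably yields an error, and a `400` entry would say so. `since` is optional with no stated behaviour when omitted — the description should say whether that returns all rows.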
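Review bot: `ResourceAccessListMode` is an integer enum `[0, 1]` with no `description`, so a consumer cannot tell which value means what; a string enum, or at minimum a `description` listing the meaning of `0` and `1`, keeps the wire format self-describing. The same value replaces the boolean `limitedByRRR` on the resource schema in the following hunk, which is a breaking change for clients that read that property — worth calling out in the API changelog.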
@@ -3254,6 +3357,79 @@ "additionalProperties": false, "description": "A paginated Altinn.ResourceRegistry.Models.ListObject`1." }, + "UpdatedResourceSubject": { + "type": "object", + "properties": { + "subjectUrn": { + "type": "string", + "format": "uri", + "nullable": true + }, + "resourceUrn": { + "type": "string", + "format": "uri", + "nullable": true + }, + "updatedAt": { + "type": "string", + "format": "date-time" + }, + "deleted": { + "type": "boolean" + } + }, + "additionalProperties": false + }, + "UpdatedResourceSubjectPaginated": { + "required": [ + "data", + "links" + ], + "type": "object", + "properties": { + "data": { + "type": "array", + "items": { + "$ref": "#/components/schemas/UpdatedResourceSubject" + }, + "description": "The items." + }, + "links": { + "$ref": "#/components/schemas/PaginatedLinks" + } + }, + "additionalProperties": false, + "description": "A paginated Altinn.ResourceRegistry.Models.ListObject`1." + }, + "UpdatedResourceSubjectsContinuationToken": { + "type": "object", + "properties": { + "resourceUrn": { + "type": "string", + "description": "The resourceUrn.", + "format": "uri", + "nullable": true + }, + "subjectUrn": { + "type": "string", + "description": "The subjectUrn.", + "format": "uri", + "nullable": true + } + }, + "additionalProperties": false, + "description": "Continuation token for updated resource subjects. 
Used with \"since\" value to serve\r\nas tiebreaker when paginating over resource subjects having the same \"updatedAt\" value\r\nsplit across pages" + }, + "UpdatedResourceSubjectsContinuationTokenOpaque": { + "type": "string", + "properties": { + "value": { + "$ref": "#/components/schemas/UpdatedResourceSubjectsContinuationToken" + } + }, + "additionalProperties": false, + "description": "\r\n\r\n An opaque value is a value that can be transmitted to another party\r\n without divulging any type information or expectations about the value.\r\n \r\n\r\n\r\n Opaque values are typically usefull in APIs where the server wants to\r\n be able to return a value that the client later needs to send back to\r\n the server, but where the server does not want to expose the type of\r\n the value to the client. For instance, in a pagination scenario, the\r\n server can use an opaque int to do pagination by page number, while\r\n allowing itself to later change the implementation to use a cursor\r\n instead of a page number without breaking the API.\r\n " + }, "UpsertAccessListResourceConnectionDto": { "type": "object", "properties": {
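Review bot: `UpdatedResourceSubjectsContinuationTokenOpaque` declares `"type": "string"` together with `properties` and `"additionalProperties": false`, keywords that only apply to objects; validators ignore them on a string, and the schema then says nothing about what the string contains. Since `/resource/updated` receives this as a query parameter, it is a string on the wire: drop the object keywords and describe the encoding, e.g. `"description": "Opaque continuation token taken from the previous response; pass it back unchanged."`. If clients are never meant to build the token themselves, the structured `UpdatedResourceSubjectsContinuationToken` schema need not be published at all. Note also that this spec makes `data` and `links` required on `UpdatedResourceSubjectPaginated`, whereas the paginated schemas in the authentication spec leave `data` nullable — the two specs should agree on one pagination contract.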