Profile for OpenID/OAuth2

OpenID Connect extends OAuth2 with an identity layer, so that a connected application can identify the user who logged in. Information about the user is returned as a signed JSON Web Token (JWT) called the ID Token.

The ID Token (id_token) is used by the application to identify the user. The Access Token (access_token), prefixed with the token_type returned alongside it, must always be sent to the API service to access data, in the OAuth2 HTTP Authorization header:

Authorization: {token_type} {access_token}

OAuth2 flow types

Currently only the Authorization Code Grant is supported: the browser is redirected to the authorization endpoint and receives a one-time code, which the application exchanges for tokens at the token endpoint.

Configuration

The configuration of the authorisation service used by the developer portal is published as JSON (the OpenID Connect discovery document) at

https://authorizer.openservices.cambio.se/auth/realms/master/.well-known/openid-configuration

To simplify the handling of several care givers' API services, it is recommended that the configuration is always read from this kind of discovery document rather than hard-coded in the application.

The following values from that document are needed to connect the application (jwks_uri publishes the public keys used to verify the signature of the ID Token):

Attribute Link
issuer  https://authorizer.openservices.cambio.se/auth/realms/master
authorization_endpoint  https://authorizer.openservices.cambio.se/auth/realms/master/protocol/openid-connect/auth
token_endpoint  https://authorizer.openservices.cambio.se/auth/realms/master/protocol/openid-connect/token
jwks_uri  https://authorizer.openservices.cambio.se/auth/realms/master/protocol/openid-connect/certs

Indicate/Select IdP

To direct the login to a specific IdP, the query parameter kc_idp_hint can be added to the authorization request. Identification using CGI eID (a test service using BankID) is selected by setting kc_idp_hint to saml-cgi-eleg.

Example:

https://authorizer.openservices.cambio.se/auth/realms/master/protocol/openid-connect/auth?kc_idp_hint=saml-cgi-eleg&response_type=code&scope=...

Scope

To request the identity of the user, the scope parameter must include openid. See the documentation of each API for suitable scope values.

Example scope for an ID token together with access to chemistry lab reports: scope=openid user/Observation-read

Steps to use ID Token

To use the ID Token the application must perform the following steps:

Example of an ID token:

{
  "jti": "7bf3cb39-1969-4baf-86ae-a2a989b03217",
  "exp": 1497860852,
  "nbf": 0,
  "iat": 1497860792,
  "iss": "https://authorizer.openservices.cambio.se/auth/realms/master",
  "aud": "poc-app",
  "sub": "2cfef360-ce44-4318-a11d-078de116c0f4",
  "typ": "ID",
  "azp": "poc-app",
  "auth_time": 1497860791,
  "session_state": "fc852cff-20d2-4ea1-8a91-05919b5759f7",
  "acr": "1",
  "personal_identity_number": "198701012554",
  "given_name": "Ulla",
  "surname": "Alm"
}
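The steps covered above (reading the configuration from the discovery document, the authorization request with kc_idp_hint and scope, exchanging the code at token_endpoint, the Authorization header sent to the API service, and the checks an application must make on the ID Token before trusting it) as one added Python example. It is not code from this page or from Cambio and uses only the standard library. Assumptions: the discovery values are copied from this page so the file runs offline (fetch_discovery shows the network variant); the client is a confidential client with the assumed client ID poc-app, an assumed client secret and the assumed redirect URI https://app.example/callback; the ID Token shown above is re-packed with a placeholder signature. Verifying the RS256 signature against the keys at jwks_uri is deliberately left to a JWT library such as the java-jwt listed below; the claim checks here run after that verification, never instead of it.

```python
import base64
import json
import secrets
import time
import urllib.parse
import urllib.request

# Constructed copy of the discovery values listed on this page, so the example
# runs offline. In production read them from the .well-known URL with fetch_discovery().
CONFIG = {
    "issuer": "https://authorizer.openservices.cambio.se/auth/realms/master",
    "authorization_endpoint": "https://authorizer.openservices.cambio.se/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://authorizer.openservices.cambio.se/auth/realms/master/protocol/openid-connect/token",
    "jwks_uri": "https://authorizer.openservices.cambio.se/auth/realms/master/protocol/openid-connect/certs",
}

def fetch_discovery(url, timeout=5):
    """Load the OpenID discovery document over the network (not used by the offline demo)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_authorization_url(config, client_id, redirect_uri, scope, state, nonce, kc_idp_hint=None):
    """Step 1: URL the browser is redirected to. state ties the callback to the user's
    session (CSRF protection), nonce ties the ID token to it, kc_idp_hint pre-selects the IdP."""
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state, "nonce": nonce}
    if kc_idp_hint:
        params["kc_idp_hint"] = kc_idp_hint
    return config["authorization_endpoint"] + "?" + urllib.parse.urlencode(params)

def exchange_code(config, client_id, client_secret, code, redirect_uri, timeout=5):
    """Step 2 (network): back-channel POST of the code to token_endpoint; the JSON
    reply carries access_token, token_type and id_token."""
    body = urllib.parse.urlencode({"grant_type": "authorization_code", "code": code,
                                   "redirect_uri": redirect_uri}).encode("ascii")
    req = urllib.request.Request(config["token_endpoint"], data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    req.add_header("Authorization", "Basic " + creds)  # client_secret_basic
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def api_authorization_header(token_response):
    """Step 3: header for calls to the API service, '{token_type} {access_token}'."""
    return {"Authorization": f"{token_response['token_type']} {token_response['access_token']}"}

def id_token_claims(id_token):
    """Decode the payload of a compact JWT. Decoding is not verification: check the
    RS256 signature against the keys at jwks_uri (java-jwt, PyJWT) before trusting it."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def check_id_token_claims(claims, issuer, client_id, expected_nonce=None, now=None, leeway=60):
    """Claim checks from OpenID Connect Core 3.1.3.7, applied after the signature
    check. Raises ValueError on the first failed check."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud:
        raise ValueError("token was not issued for this client (aud)")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise ValueError("azp must name this client when aud lists several")
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if claims.get("nbf", 0) > now + leeway:
        raise ValueError("token not yet valid")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (replayed or foreign token)")
    return claims

# The ID token from this page, re-packed into compact form. The signature part is a
# constructed placeholder: this demo decodes the token, it does not verify it.
SAMPLE_CLAIMS = {
    "jti": "7bf3cb39-1969-4baf-86ae-a2a989b03217", "exp": 1497860852, "nbf": 0,
    "iat": 1497860792, "iss": CONFIG["issuer"], "aud": "poc-app",
    "sub": "2cfef360-ce44-4318-a11d-078de116c0f4", "typ": "ID", "azp": "poc-app",
    "auth_time": 1497860791, "acr": "1",
    "personal_identity_number": "198701012554", "given_name": "Ulla", "surname": "Alm",
}
SAMPLE_ID_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode("ascii")),
    _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode("ascii")),
    "signature-placeholder",
])

if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorization_url(CONFIG, "poc-app", "https://app.example/callback",
                                  "openid user/Observation-read", state, nonce, "saml-cgi-eleg"))
    claims = check_id_token_claims(id_token_claims(SAMPLE_ID_TOKEN), CONFIG["issuer"], "poc-app",
                                   now=SAMPLE_CLAIMS["iat"])
    print(claims["sub"], claims["given_name"], claims["surname"])
```

The state value must be stored server-side and compared on the callback before the code is exchanged, and the nonce stored with it and passed as expected_nonce; the example token above carries no nonce because the page's sample request did not send one, which is why the check is conditional. The aud/azp check is what stops an ID token issued to another client from being accepted by this application.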

Other resources

  • Spring Boot Starter - org.keycloak:keycloak-spring-security-adapter:3.1.0.Final
  • Java JWT library - com.auth0:java-jwt:3.2.0
  • JWT Debugger - https://jwt.io