Profile for OpenID/OAuth2
OpenID Connect extends OAuth2 by adding a layer that handles the identity of the user, which makes it possible for connected applications to identify the user. Information about the user is returned according to the standards of JSON Web Token (JWT) and is called ID Token.
The ID Token (id_token) can be used by the application to identify the user. The Access Token (access_token) together with token_type must always be sent to the API service to access data.
OAuth2 HTTP header: Authorization: {token_type} {access_token}
OAuth2 flow types
Currently only the Authorization Code Grant is supported.
Configuration
The configuration of the authorisation service used by the developer portal is found as JSON at
https://authorizer.openservices.cambio.se/auth/realms/master/.well-known/openid-configuration
To simplify handling the API services of multiple caregivers, it is recommended that the configuration always originates from this type of JSON link/resource.
The following information is needed in the configuration to be able to connect the application.
Indicate/Select IdP
To indicate a specific IdP to use for logging in, the query parameter kc_idp_hint can be used. Identification using CGI eID (test service using BankID) is selected by setting kc_idp_hint to saml-cgi-eleg.
Example:
https://authorizer.openservices.cambio.se/auth/realms/master/protocol/openid-connect/auth?kc_idp_hint=saml-cgi-eleg&response_type=code&scope=...
Scope
To request the identity of the user, openid must be included in scope. See each API documentation for suitable examples of scope.
Example of scope for the ID token for Chemistry lab reports: scope=openid user/Observation-read
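The following is an added example, not code from this page or from Cambio, showing how an application assembles the Authorization Code Grant redirect from the discovery document (with kc_idp_hint and scope as described above) and the Authorization header for API calls. The DISCOVERY dictionary is a constructed stand-in for the openid-configuration JSON, the redirect_uri and state values are assumptions, and the client_id poc-app is taken from the sample ID token in the next section.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for the discovery document. In practice, fetch it from
# https://authorizer.openservices.cambio.se/auth/realms/master/.well-known/openid-configuration
# and read the endpoints from there instead of hard-coding them.
DISCOVERY = {
    "issuer": "https://authorizer.openservices.cambio.se/auth/realms/master",
    "authorization_endpoint": (
        "https://authorizer.openservices.cambio.se/auth/realms/master"
        "/protocol/openid-connect/auth"
    ),
    "response_types_supported": ["code"],
}


def build_authorization_url(discovery, client_id, redirect_uri, scopes,
                            idp_hint=None, state=None):
    """Build the browser redirect for the Authorization Code Grant.

    `openid` is always included in the scope, since the authorization server
    issues no ID token without it. A random `state` is generated when the
    caller supplies none; it must be stored and compared on the callback so a
    code from another session is not accepted.
    """
    if "code" not in discovery.get("response_types_supported", []):
        raise ValueError("server does not advertise response_type=code")
    scope = ["openid"] + [s for s in scopes if s != "openid"]
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scope),
        "state": state or secrets.token_urlsafe(16),
    }
    if idp_hint:
        # Keycloak-specific parameter that pre-selects the IdP (e.g. saml-cgi-eleg)
        params["kc_idp_hint"] = idp_hint
    return discovery["authorization_endpoint"] + "?" + urlencode(params)


def query_params(url):
    """Return the query string of `url` as a dict of single values."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def api_request_headers(token_type, access_token):
    """Header for calls to the API service: 'Authorization: {token_type} {access_token}'."""
    if not token_type or not access_token:
        raise ValueError("token_type and access_token are both required")
    return {"Authorization": f"{token_type} {access_token}"}


if __name__ == "__main__":
    # redirect_uri is an assumed value for this example
    url = build_authorization_url(DISCOVERY, "poc-app", "https://app.example/callback",
                                  ["user/Observation-read"], idp_hint="saml-cgi-eleg")
    print(url)
    print(api_request_headers("Bearer", "<access_token from the token endpoint>"))
```

The scope list is normalised so that openid is present exactly once, and the state parameter is generated with `secrets` rather than left empty, which is what lets the callback handler tie the returned code to the session that started the login.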
Steps to use ID Token
To use the ID Token, the application must perform the following steps:
Example of an ID token:
{ "jti": "7bf3cb39-1969-4baf-86ae-a2a989b03217", "exp": 1497860852, "nbf": 0, "iat": 1497860792, "iss": "https://authorizer.openservices.cambio.se/auth/realms/master", "aud": "poc-app", "sub": "2cfef360-ce44-4318-a11d-078de116c0f4", "typ": "ID", "azp": "poc-app", "auth_time": 1497860791, "session_state": "fc852cff-20d2-4ea1-8a91-05919b5759f7", "acr": "1", "personal_identity_number": "198701012554", "given_name": "Ulla", "surname": "Alm" }
Other resources
- Spring Boot Starter - org.keycloak:keycloak-spring-security-adapter:3.1.0.Final
- Java JWT library - com.auth0:java-jwt:3.2.0
- JWT Debugger - https://jwt.io