Altinn/altinn-authentication

Create OIDC provider endpoint in Altinn 2

Opened this issue · 0 comments

Description

We want to move to a model where Altinn 2 acts as an OIDC provider for Altinn 3. This gives us a standard way to log the user in. Today there is a custom integration between Altinn 2 and Altinn 3 built on a shared ASP.NET authentication cookie.

This is a showstopper for easy use of the platform, and it causes problems in the test environments because the cookie has to be shared across Altinn 2 and Altinn 3.

Considerations

The implementation should reuse the current authentication integration and only add a new endpoint in the MVC portal that handles the OIDC functionality. See the flows below.

Sequence flow: user accesses an app without being authenticated

(sequence diagram)

Sequence flow: user is already logged in to Altinn 2 when accessing an Altinn 3 app

(sequence diagram)

The authorization code should be a JWT containing all the information needed to create the id_token. It must be constructed so that it cannot be used as a token for anything else: Altinn 3 must never accept it in place of an id_token, and the token endpoint must accept it only once.

Acceptance criteria

  • The Altinn 2 OIDC provider follows the OIDC protocol
  • Altinn 2 performs client validation so that only the configured Altinn 3 client can use it
  • The redirect URI is validated
  • A well-known endpoint is exposed
  • The code cannot be used as a token in Altinn 3
  • The id_token from Altinn 2 contains all needed claims, such as userid, partyid, authenticationmethod and authenticationlevel
  • Single logout is supported
  • Single login across Altinn 2 and Altinn 3

Specification tasks

  • Development tasks are defined

Development tasks

  • Create an authorization endpoint in Altinn 2 for OIDC
  • Create a well-known endpoint
  • Create a token endpoint where the client ID and client secret are validated
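As an added example (not code from the Altinn project), the Python below models the three endpoints in the development tasks together with the authorization-code design from the Considerations section: a JWT code carrying the claims the id_token will need, bound to the client and redirect URI, usable exactly once, and impossible to pass off as an id_token. Everything in it is assumed: HS256 signing (so the example runs with the standard library alone; a real provider would sign id_tokens with RS256 and publish the key at jwks_uri), the keys, the issuer and endpoint URLs, the client registration, the claim names (taken from the acceptance criteria, not from Altinn's real claim URNs) and the session dictionary.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed values for this example. HS256 keeps the demo self-contained; a real
# provider would sign id_tokens with RS256 and publish the public key at jwks_uri.
CODE_KEY = b"altinn2-internal-authz-code-key"     # known only to Altinn 2
ID_TOKEN_KEY = b"altinn2-id-token-signing-key"
ISSUER = "https://altinn2.example/oidc"            # assumed issuer URL
TOKEN_ENDPOINT = ISSUER + "/token"
REDIRECT_URI = "https://altinn3.example/authentication/callback"
# Assumed client registration: only the configured Altinn 3 client may use the provider.
CLIENTS = {"altinn3-platform": {"secret": "altinn3-client-secret", "redirect_uris": {REDIRECT_URI}}}
_used_code_ids = set()  # jti of every code already exchanged (one-time use)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwt_sign(claims: dict, key: bytes, typ: str) -> str:
    """HS256 JWT with an explicit header typ, so codes and id_tokens are distinguishable."""
    signing_input = _b64url(json.dumps({"alg": "HS256", "typ": typ}).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def jwt_verify(token: str, key: bytes, expected_typ: str, audience: str) -> dict:
    """Check signature, alg, typ, iss, aud and exp; raise ValueError on any failure."""
    head, body, sig = token.split(".")  # ValueError on a malformed token
    expected_sig = hmac.new(key, (head + "." + body).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig)):
        raise ValueError("bad signature")
    header, claims = json.loads(_b64url_decode(head)), json.loads(_b64url_decode(body))
    if header.get("alg") != "HS256" or header.get("typ") != expected_typ:
        raise ValueError("unexpected token type %r" % header.get("typ"))
    if claims.get("iss") != ISSUER or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims

def authorize(client_id: str, redirect_uri: str, nonce: str, session: dict) -> str:
    """Altinn 2 authorization endpoint, reached once the user has an Altinn 2 session; returns the code."""
    client = CLIENTS.get(client_id)
    if client is None:
        raise ValueError("unknown client_id")
    if redirect_uri not in client["redirect_uris"]:  # exact match, never prefix or wildcard
        raise ValueError("redirect_uri not registered for client")
    now = int(time.time())
    code_claims = {
        "iss": ISSUER, "aud": TOKEN_ENDPOINT, "iat": now, "exp": now + 60, "jti": secrets.token_urlsafe(16),
        "client_id": client_id, "redirect_uri": redirect_uri, "nonce": nonce,
        # everything the token endpoint needs to build the id_token later
        "userid": session["userid"], "partyid": session["partyid"],
        "authenticationmethod": session["authenticationmethod"],
        "authenticationlevel": session["authenticationlevel"],
    }
    return jwt_sign(code_claims, CODE_KEY, typ="authz-code+jwt")

def token(client_id: str, client_secret: str, code: str, redirect_uri: str) -> dict:
    """Altinn 2 token endpoint: validate the client, consume the code, issue the id_token."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        raise ValueError("invalid_client")
    c = jwt_verify(code, CODE_KEY, expected_typ="authz-code+jwt", audience=TOKEN_ENDPOINT)
    if c["client_id"] != client_id or c["redirect_uri"] != redirect_uri:
        raise ValueError("invalid_grant: code issued to another client or redirect_uri")
    if c["jti"] in _used_code_ids:
        raise ValueError("invalid_grant: code already used")
    _used_code_ids.add(c["jti"])
    now = int(time.time())
    id_claims = {
        "iss": ISSUER, "aud": client_id, "sub": str(c["userid"]), "iat": now, "exp": now + 600, "nonce": c["nonce"],
        "userid": c["userid"], "partyid": c["partyid"],
        "authenticationmethod": c["authenticationmethod"], "authenticationlevel": c["authenticationlevel"],
    }
    return {"id_token": jwt_sign(id_claims, ID_TOKEN_KEY, typ="JWT"), "token_type": "Bearer"}

def altinn3_verify_id_token(id_token: str, expected_nonce: str) -> dict:
    """Altinn 3 side: accept only a genuine id_token, never a leaked authorization code."""
    claims = jwt_verify(id_token, ID_TOKEN_KEY, expected_typ="JWT", audience="altinn3-platform")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims

def well_known() -> dict:
    """Discovery document for /.well-known/openid-configuration (endpoint paths assumed)."""
    return {"issuer": ISSUER, "authorization_endpoint": ISSUER + "/authorize",
            "token_endpoint": TOKEN_ENDPOINT, "jwks_uri": ISSUER + "/.well-known/jwks.json",
            "end_session_endpoint": ISSUER + "/logout", "response_types_supported": ["code"],
            "subject_types_supported": ["public"], "id_token_signing_alg_values_supported": ["HS256"],
            "scopes_supported": ["openid"]}

def rejected(fn, *args):
    """Error message if fn(*args) raises ValueError, else None (demo helper)."""
    try:
        fn(*args)
    except ValueError as e:
        return str(e)
```

Three separate things stop the code from being used as a token: it is signed with a key that never leaves Altinn 2, its header typ is not the id_token's "JWT", and its aud is the token endpoint rather than the client. Any one of them would make Altinn 3's verifier reject it; together they also survive a future decision to share signing keys. The jti set and the 60-second exp bound replay, and the exact-match redirect_uri check at the authorization endpoint plus the client_id/redirect_uri binding at the token endpoint keep a code minted for one client from being redeemed by another. In the MVC portal these functions would be three controller actions; the access_token that OIDC also puts in the token response is left out here since Altinn 3 only needs the id_token.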

Test

Add test cases here as checkboxes that are tested as part of the changes.

Definition of done

Verify that this issue meets DoD (Only for project members) before closing.

  • Documentation is updated (if relevant)
    • Technical documentation (docs.altinn.studio)
    • User documentation (altinn.github.io/docs)
  • QA
  • Manual test is complete (if relevant)
  • Automated test is implemented (if relevant)
  • All tasks in this userstory are closed (i.e. remaining tasks are moved to other user stories or marked obsolete)