
Feat: add enduser request API scopes for ID-porten/Maskinporten#2709

Merged
howieandersen merged 6 commits into main from feature/sluttbrukersystem_scopes_tilgang_enduser_request_api
Mar 27, 2026

Conversation

@howieandersen
Contributor

@howieandersen howieandersen commented Mar 27, 2026

Added new scope-based authorization policies (POLICY_ENDUSER_REQUESTS_READ and POLICY_ENDUSER_REQUESTS_WRITE) that combine the portal scope with request-specific scopes for ID-porten/Maskinporten integration.

Updated all endpoints in RequestController to use these granular policies instead of the generic access management policies, enabling fine-grained authorization for end-user systems accessing the request API.

Description

Created new scope constants in AuthzConstants.cs:

  • SCOPE_ENDUSER_REQUESTS_READ = "altinn:accessmanagement/enduser:requests.read"
  • SCOPE_ENDUSER_REQUESTS_WRITE = "altinn:accessmanagement/enduser:requests.write"

Created new policy constants in AuthzConstants.cs:

  • POLICY_ENDUSER_REQUESTS_READ
  • POLICY_ENDUSER_REQUESTS_WRITE

Set up new scope policies in AccessManagementHost.cs:

  • Both policies accept EITHER altinn:portal/enduser OR the specific request scope
  • This provides flexibility while maintaining the requirement that one of these scopes must be present

Updated all RequestController endpoints with dual authorization:

  • 5 read endpoints now require BOTH POLICY_ENDUSER_REQUESTS_READ (scope check) AND POLICY_ACCESS_MANAGEMENT_ENDUSER_READ (ABAC party access check)
  • 6 write endpoints now require BOTH POLICY_ENDUSER_REQUESTS_WRITE (scope check) AND POLICY_ACCESS_MANAGEMENT_ENDUSER_WRITE (ABAC party access check)
  • Authorization attributes ordered for performance: fast scope checks before expensive ABAC checks

Result: End-user systems with Maskinporten/ID-porten can now access the request API with proper granular

Related Issue(s)

Verification

  • Your code builds clean without any errors or warnings
  • Manual testing done (required)
  • Relevant automated test added (if you find this hard, leave it and we'll help out)
  • All tests run green

Documentation

  • User documentation is updated with a separate linked PR in altinn-studio-docs. (if applicable)

- Add SCOPE_ENDUSER_REQUESTS_READ and SCOPE_ENDUSER_REQUESTS_WRITE constants
- Create policies combining portal scope with request-specific scopes
- Update RequestController endpoints to use new granular authorization policies
Copilot AI review requested due to automatic review settings March 27, 2026 11:18
@howieandersen howieandersen changed the title from "feat: add enduser request API scopes for ID-porten/Maskinporten" to "Feature: 2620 add enduser request API scopes for ID-porten/Maskinporten" Mar 27, 2026
@howieandersen howieandersen changed the title from "Feature: 2620 add enduser request API scopes for ID-porten/Maskinporten" to "Feat: add enduser request API scopes for ID-porten/Maskinporten" Mar 27, 2026
Contributor

Copilot AI left a comment


Pull request overview

This PR introduces dedicated end-user (ID-porten/Maskinporten) OAuth scopes and authorization policies for the enduser request API, and updates the RequestController endpoints to use the new policies for read/write access.

Changes:

  • Added new scope constants for enduser request read/write access.
  • Added new authorization policies intended to require combined portal + request scopes.
  • Updated RequestController endpoints to use the new request read/write policies.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 13 comments.

Files reviewed:

  • src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement/AccessManagementHost.cs: Registers new scope-based authorization policies for enduser request read/write.
  • src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Core/Constants/AuthzConstants.cs: Adds new scope and policy constants for enduser request API access.
  • src/apps/Altinn.AccessManagement/src/Altinn.AccessManagement.Api.Enduser/Controllers/RequestController.cs: Switches request endpoints from the prior policies to the new request read/write policies.


…endpoints

Security fixes for request API authorization:

1. Restored ABAC-based party access checks by keeping both authorization
   policies on each endpoint:
   - POLICY_ACCESS_MANAGEMENT_ENDUSER_READ/WRITE enforces party-level ABAC
   - POLICY_ENDUSER_REQUESTS_READ/WRITE enforces scope requirements

   Without the ABAC policy, users with correct scopes could access/modify
   requests for any party, bypassing party authorization checks.

2. Fixed scope combination logic - removed portal scope from new request
   policies since ScopeAccessRequirement treats scope arrays as OR (any-of)
   not AND (all-of). The portal scope is already enforced at controller level,
   so endpoints now properly require:
   - Portal scope (controller-level)
   - Request scope (method-level)
   - Party access rights (ABAC policy)

These changes ensure proper defense-in-depth authorization with scope-based
access control AND attribute-based party authorization.
@howieandersen howieandersen requested a review from Copilot March 27, 2026 12:08
Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.


Changed test token generation to use a single scope claim with space-separated values instead of multiple separate scope claims. ScopeAccessHandler only reads the first scope claim, so multiple claims caused authorization failures.

Also replaced incorrect policy name constants with proper scope constants and added the new SCOPE_ENDUSER_REQUESTS_READ and SCOPE_ENDUSER_REQUESTS_WRITE scopes required by updated endpoints.
- CreatePortalClient: Portal scope only (currently unused)
- CreateSystemClient: Request scopes only (used in all tests)
- Fixed scope claim format: single space-separated string instead of multiple claims
- Tests now reflect realistic production token patterns where portal and system scopes never coexist

Portal client available for future regression testing but current tests focus on validating new system
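To make the two pitfalls described in the commit messages above concrete (scopes listed inside one policy are any-of, stacked [Authorize] attributes are all-of, and Maskinporten/ID-porten tokens carry every scope in a single space-separated claim), here is an added ASP.NET Core sketch that is not the project's own ScopeAccessRequirement or ScopeAccessHandler code. The AnyOfScopeRequirement/AnyOfScopeHandler classes, the AuthzSetup and DemoRequestsController names and the policy names "EnduserPortal" and "EnduserRequestsRead" are assumptions made for the example; the scope strings are the ones named in the PR, and the party-level ABAC policy is left out.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical any-of scope requirement: satisfied when the token holds at least ONE listed scope.
public sealed class AnyOfScopeRequirement : IAuthorizationRequirement
{
    public AnyOfScopeRequirement(params string[] scopes) => Scopes = scopes;
    public string[] Scopes { get; }
}

public sealed class AnyOfScopeHandler : AuthorizationHandler<AnyOfScopeRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, AnyOfScopeRequirement requirement)
    {
        // Maskinporten/ID-porten issue one "scope" claim with space-separated values, so split every
        // scope claim instead of assuming one claim per scope (the mismatch fixed in the test tokens above).
        var granted = context.User.FindAll("scope")
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .ToHashSet(StringComparer.Ordinal);
        if (requirement.Scopes.Any(granted.Contains)) context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

// Registration (Program.cs). One scope per policy: putting "altinn:portal/enduser" and the request
// scope into the SAME any-of array would let a portal-only token satisfy the request policy.
public static class AuthzSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddSingleton<IAuthorizationHandler, AnyOfScopeHandler>();
        services.AddAuthorization(options =>
        {
            options.AddPolicy("EnduserPortal", p =>
                p.Requirements.Add(new AnyOfScopeRequirement("altinn:portal/enduser")));
            options.AddPolicy("EnduserRequestsRead", p =>
                p.Requirements.Add(new AnyOfScopeRequirement("altinn:accessmanagement/enduser:requests.read")));
        });
    }
}

// Stacked [Authorize] attributes are ALL-of: the class-level and the method-level policy must both pass.
[ApiController, Authorize(Policy = "EnduserPortal")]
public sealed class DemoRequestsController : ControllerBase
{
    [HttpGet("enduser/requests"), Authorize(Policy = "EnduserRequestsRead")]
    public IActionResult List() => Ok();
}
```

A caller whose token carries only "altinn:portal/enduser" passes the class-level policy but is rejected at the method level, which is the behaviour the second commit restored.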
@sonarqubecloud

Quality Gate failed for 'Authorization Altinn.AccessManagement'

Failed conditions
11.8% Duplication on New Code (required ≤ 10%)

See analysis details on SonarQube Cloud

@howieandersen howieandersen merged commit cd656a9 into main Mar 27, 2026
9 of 10 checks passed
@howieandersen howieandersen deleted the feature/sluttbrukersystem_scopes_tilgang_enduser_request_api branch March 27, 2026 15:27