Expand Up @@ -55,6 +55,7 @@ IPDP Pdp
[HttpGet("sent")]
[FeatureGate(RequirementType.Any, AccessMgmtFeatureFlags.EnableRequestAssignmentResource, AccessMgmtFeatureFlags.EnableRequestAssignmentPackage)]
[Authorize(Policy = AuthzConstants.POLICY_ACCESS_MANAGEMENT_ENDUSER_READ)]
[Authorize(Policy = AuthzConstants.POLICY_ENDUSER_REQUESTS_READ)]
[AuditJWTClaimToDb(Claim = AltinnCoreClaimTypes.PartyUuid, System = AuditDefaults.EnduserApi)]
[ProducesResponseType<PaginatedResult<RequestDto>>(StatusCodes.Status200OK, MediaTypeNames.Application.Json)]
[ProducesResponseType<AltinnProblemDetails>(StatusCodes.Status400BadRequest, MediaTypeNames.Application.Json)]
Expand All @@ -81,6 +82,7 @@ public async Task<IActionResult> GetSentRequests(
[HttpGet("received")]
[FeatureGate(RequirementType.Any, AccessMgmtFeatureFlags.EnableRequestAssignmentResource, AccessMgmtFeatureFlags.EnableRequestAssignmentPackage)]
[Authorize(Policy = AuthzConstants.POLICY_ACCESS_MANAGEMENT_ENDUSER_READ)]
[Authorize(Policy = AuthzConstants.POLICY_ENDUSER_REQUESTS_READ)]
[AuditJWTClaimToDb(Claim = AltinnCoreClaimTypes.PartyUuid, System = AuditDefaults.EnduserApi)]
[ProducesResponseType<PaginatedResult<RequestDto>>(StatusCodes.Status200OK, MediaTypeNames.Application.Json)]
[ProducesResponseType<AltinnProblemDetails>(StatusCodes.Status400BadRequest, MediaTypeNames.Application.Json)]
Expand All @@ -106,6 +108,7 @@ public async Task<IActionResult> GetReceivedRequests(
[HttpGet("sent/count")]
[FeatureGate(RequirementType.Any, AccessMgmtFeatureFlags.EnableRequestAssignmentResource, AccessMgmtFeatureFlags.EnableRequestAssignmentPackage)]
[Authorize(Policy = AuthzConstants.POLICY_ACCESS_MANAGEMENT_ENDUSER_READ)]
[Authorize(Policy = AuthzConstants.POLICY_ENDUSER_REQUESTS_READ)]
[AuditJWTClaimToDb(Claim = AltinnCoreClaimTypes.PartyUuid, System = AuditDefaults.EnduserApi)]
[ProducesResponseType<int>(StatusCodes.Status200OK, MediaTypeNames.Application.Json)]
[ProducesResponseType<AltinnProblemDetails>(StatusCodes.Status400BadRequest, MediaTypeNames.Application.Json)]
Expand All @@ -131,6 +134,7 @@ public async Task<IActionResult> GetSentRequestsCount(
[HttpGet("received/count")]
[FeatureGate(RequirementType.Any, AccessMgmtFeatureFlags.EnableRequestAssignmentResource, AccessMgmtFeatureFlags.EnableRequestAssignmentPackage)]
[Authorize(Policy = AuthzConstants.POLICY_ACCESS_MANAGEMENT_ENDUSER_READ)]
[Authorize(Policy = AuthzConstants.POLICY_ENDUSER_REQUESTS_READ)]
[AuditJWTClaimToDb(Claim = AltinnCoreClaimTypes.PartyUuid, System = AuditDefaults.EnduserApi)]
[ProducesResponseType<int>(StatusCodes.Status200OK, MediaTypeNames.Application.Json)]
[ProducesResponseType<AltinnProblemDetails>(StatusCodes.Status400BadRequest, MediaTypeNames.Application.Json)]
Expand Down Expand Up @@ -184,6 +188,7 @@ public async Task<IActionResult> GetDraftRequest([FromQuery][Required] Guid id,
[HttpGet]
[FeatureGate(RequirementType.Any, AccessMgmtFeatureFlags.EnableRequestAssignmentResource, AccessMgmtFeatureFlags.EnableRequestAssignmentPackage)]
[Authorize(Policy = AuthzConstants.POLICY_ACCESS_MANAGEMENT_ENDUSER_READ)]
[Authorize(Policy = AuthzConstants.POLICY_ENDUSER_REQUESTS_READ)]
[AuditJWTClaimToDb(Claim = AltinnCoreClaimTypes.PartyUuid, System = AuditDefaults.EnduserApi)]
[ProducesResponseType<RequestDto>(StatusCodes.Status200OK, MediaTypeNames.Application.Json)]
[ProducesResponseType<AltinnProblemDetails>(StatusCodes.Status400BadRequest, MediaTypeNames.Application.Json)]
Expand Down Expand Up @@ -212,6 +217,7 @@ public async Task<IActionResult> GetRequest(
[FeatureGate(AccessMgmtFeatureFlags.EnableRequestAssignmentResource)]
[AuditJWTClaimToDb(Claim = AltinnCoreClaimTypes.PartyUuid, System = AuditDefaults.EnduserApi)]
[Authorize(Policy = AuthzConstants.POLICY_ACCESS_MANAGEMENT_ENDUSER_WRITE)]
[Authorize(Policy = AuthzConstants.POLICY_ENDUSER_REQUESTS_WRITE)]
[ProducesResponseType<RequestDto>(StatusCodes.Status200OK, MediaTypeNames.Application.Json)]
[ProducesResponseType<AltinnProblemDetails>(StatusCodes.Status400BadRequest, MediaTypeNames.Application.Json)]
[ProducesResponseType(StatusCodes.Status401Unauthorized)]
Expand Down Expand Up @@ -274,6 +280,7 @@ public async Task<IActionResult> CreateResourceRequest(
[FeatureGate(AccessMgmtFeatureFlags.EnableRequestAssignmentPackage)]
[AuditJWTClaimToDb(Claim = AltinnCoreClaimTypes.PartyUuid, System = AuditDefaults.EnduserApi)]
[Authorize(Policy = AuthzConstants.POLICY_ACCESS_MANAGEMENT_ENDUSER_WRITE)]
[Authorize(Policy = AuthzConstants.POLICY_ENDUSER_REQUESTS_WRITE)]
[ProducesResponseType<RequestDto>(StatusCodes.Status200OK, MediaTypeNames.Application.Json)]
[ProducesResponseType<AltinnProblemDetails>(StatusCodes.Status400BadRequest, MediaTypeNames.Application.Json)]
[ProducesResponseType(StatusCodes.Status401Unauthorized)]
Expand Down Expand Up @@ -333,6 +340,7 @@ public async Task<IActionResult> CreatePackageRequest(
[FeatureGate(RequirementType.Any, AccessMgmtFeatureFlags.EnableRequestAssignmentResource, AccessMgmtFeatureFlags.EnableRequestAssignmentPackage)]
[AuditJWTClaimToDb(Claim = AltinnCoreClaimTypes.PartyUuid, System = AuditDefaults.EnduserApi)]
[Authorize(Policy = AuthzConstants.POLICY_ACCESS_MANAGEMENT_ENDUSER_WRITE)]
[Authorize(Policy = AuthzConstants.POLICY_ENDUSER_REQUESTS_WRITE)]
[ProducesResponseType<RequestDto>(StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<IActionResult> ConfirmRequest(
Expand All @@ -351,6 +359,7 @@ public async Task<IActionResult> ConfirmRequest(
[FeatureGate(RequirementType.Any, AccessMgmtFeatureFlags.EnableRequestAssignmentResource, AccessMgmtFeatureFlags.EnableRequestAssignmentPackage)]
[AuditJWTClaimToDb(Claim = AltinnCoreClaimTypes.PartyUuid, System = AuditDefaults.EnduserApi)]
[Authorize(Policy = AuthzConstants.POLICY_ACCESS_MANAGEMENT_ENDUSER_WRITE)]
[Authorize(Policy = AuthzConstants.POLICY_ENDUSER_REQUESTS_WRITE)]
[ProducesResponseType<RequestDto>(StatusCodes.Status200OK)]
[ProducesResponseType(StatusCodes.Status404NotFound)]
public async Task<IActionResult> WithdrawRequest(
Expand All @@ -369,6 +378,7 @@ public async Task<IActionResult> WithdrawRequest(
[FeatureGate(RequirementType.Any, AccessMgmtFeatureFlags.EnableRequestAssignmentResource, AccessMgmtFeatureFlags.EnableRequestAssignmentPackage)]
[AuditJWTClaimToDb(Claim = AltinnCoreClaimTypes.PartyUuid, System = AuditDefaults.EnduserApi)]
[Authorize(Policy = AuthzConstants.POLICY_ACCESS_MANAGEMENT_ENDUSER_WRITE)]
[Authorize(Policy = AuthzConstants.POLICY_ENDUSER_REQUESTS_WRITE)]
[ProducesResponseType<RequestDto>(StatusCodes.Status200OK, MediaTypeNames.Application.Json)]
[ProducesResponseType<AltinnProblemDetails>(StatusCodes.Status400BadRequest, MediaTypeNames.Application.Json)]
[ProducesResponseType(StatusCodes.Status401Unauthorized)]
Expand All @@ -390,6 +400,7 @@ public async Task<IActionResult> RejectRequest(
[FeatureGate(RequirementType.Any, AccessMgmtFeatureFlags.EnableRequestAssignmentResource, AccessMgmtFeatureFlags.EnableRequestAssignmentPackage)]
[AuditJWTClaimToDb(Claim = AltinnCoreClaimTypes.PartyUuid, System = AuditDefaults.EnduserApi)]
[Authorize(Policy = AuthzConstants.POLICY_ACCESS_MANAGEMENT_ENDUSER_WRITE)]
[Authorize(Policy = AuthzConstants.POLICY_ENDUSER_REQUESTS_WRITE)]
[ProducesResponseType<RequestDto>(StatusCodes.Status200OK, MediaTypeNames.Application.Json)]
[ProducesResponseType<AltinnProblemDetails>(StatusCodes.Status400BadRequest, MediaTypeNames.Application.Json)]
[ProducesResponseType(StatusCodes.Status401Unauthorized)]
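Review bot: Placing a second `[Authorize(Policy = AuthzConstants.POLICY_ENDUSER_REQUESTS_READ)]` directly under the existing `POLICY_ACCESS_MANAGEMENT_ENDUSER_READ` attribute (lines 26-27, and the same pattern in every other hunk of this file) makes each action require both policies, because ASP.NET Core evaluates every Authorize attribute on an action and all of them must succeed. A caller whose token satisfies the old policy but does not carry `altinn:accessmanagement/enduser:requests.read` (or the write scope on the mutating actions) will start receiving 403 on these endpoints, so please confirm that tightening is intended and that the new scopes are issued to existing clients before this ships. If "either policy" was the intent, stacked attributes cannot express OR; that needs a single policy whose requirement accepts both scopes, registered where the other policies are built. None of these hunks contain a full action: each method's signature and body lie outside the hunk, and unless a 403 response is already declared further down, `[ProducesResponseType(StatusCodes.Status403Forbidden)]` would document the new failure mode next to the existing 401 entry.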
Expand Up @@ -170,6 +170,26 @@ public static class AuthzConstants
/// </summary>
public const string SCOPE_ENDUSER_CONNECTIONS_TOOTHERS_WRITE = "altinn:accessmanagement/enduser:connections:toothers.write";

/// <summary>
/// Policy tag for authorizing enduser requests API read access
/// </summary>
public const string POLICY_ENDUSER_REQUESTS_READ = "POLICY_ENDUSER_REQUESTS_READ";

/// <summary>
/// Policy tag for authorizing enduser requests API write access
/// </summary>
public const string POLICY_ENDUSER_REQUESTS_WRITE = "POLICY_ENDUSER_REQUESTS_WRITE";

/// <summary>
/// Enduser scope giving access to read operations on requests
/// </summary>
public const string SCOPE_ENDUSER_REQUESTS_READ = "altinn:accessmanagement/enduser:requests.read";

/// <summary>
/// Enduser scope giving access to write operations on requests
/// </summary>
public const string SCOPE_ENDUSER_REQUESTS_WRITE = "altinn:accessmanagement/enduser:requests.write";

/// <summary>
/// Scope giving access to getting authorized parties for a given subject.
/// </summary>
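Review bot: The four new XML summaries on lines 118, 123, 128 and 133 drop the terminating period that the neighbouring summaries in this file use (line 138), e.g. `/// Policy tag for authorizing enduser requests API read access.`. It would also help readers to state which scope satisfies each policy tag, since the pairing is otherwise only visible in the authorization setup, e.g. `/// Policy tag for authorizing enduser requests API read access; satisfied by <see cref="SCOPE_ENDUSER_REQUESTS_READ"/>.` and the matching sentence on the write tag. The hunk shows only the new constants; the surrounding members of AuthzConstants are outside it.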
Expand Up @@ -340,8 +340,9 @@ private static void ConfigureAuthorization(this WebApplicationBuilder builder)
new ConditionalScope(ConditionalScope.FromOthers, AuthzConstants.SCOPE_PORTAL_ENDUSER, AuthzConstants.SCOPE_ENDUSER_CONNECTIONS_FROMOTHERS_WRITE),
new ConditionalScope(ConditionalScope.ToOthers, AuthzConstants.SCOPE_PORTAL_ENDUSER, AuthzConstants.SCOPE_ENDUSER_CONNECTIONS_TOOTHERS_WRITE)
))
.AddPolicy(AuthzConstants.POLICY_ENDUSER_CONNECTIONS_WRITE_TOOTHERS, policy => policy.AddRequirements(new ScopeAccessRequirement([AuthzConstants.SCOPE_PORTAL_ENDUSER, AuthzConstants.SCOPE_ENDUSER_CONNECTIONS_TOOTHERS_WRITE]))
);
.AddPolicy(AuthzConstants.POLICY_ENDUSER_CONNECTIONS_WRITE_TOOTHERS, policy => policy.Requirements.Add(new ScopeAccessRequirement([AuthzConstants.SCOPE_PORTAL_ENDUSER, AuthzConstants.SCOPE_ENDUSER_CONNECTIONS_TOOTHERS_WRITE])))
.AddPolicy(AuthzConstants.POLICY_ENDUSER_REQUESTS_READ, policy => policy.Requirements.Add(new ScopeAccessRequirement([AuthzConstants.SCOPE_ENDUSER_REQUESTS_READ])))
.AddPolicy(AuthzConstants.POLICY_ENDUSER_REQUESTS_WRITE, policy => policy.Requirements.Add(new ScopeAccessRequirement([AuthzConstants.SCOPE_ENDUSER_REQUESTS_WRITE])));

builder.Services.AddScoped<IAuthorizationHandler, AccessTokenHandler>();
builder.Services.AddScoped<IAuthorizationHandler, ClaimAccessHandler>();
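Review bot: The new read and write policies on lines 149-150 list only the granular requests scope, whereas the adjacent connections policy on line 148 also includes `AuthzConstants.SCOPE_PORTAL_ENDUSER`; if the portal scope is meant to cover all enduser endpoints, as it appears to for connections, portal-issued tokens will be denied on the requests endpoints. Please confirm the omission is deliberate, or align the read policy with `new ScopeAccessRequirement([AuthzConstants.SCOPE_PORTAL_ENDUSER, AuthzConstants.SCOPE_ENDUSER_REQUESTS_READ])` and the write policy likewise. Whether ScopeAccessRequirement treats its list as any-of or all-of is not visible in this hunk, so that should be checked before copying the connections pattern. ConfigureAuthorization begins and ends outside the hunk; only the tail of the policy chain is shown here.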