Using HelseID and accesstoken
HelseID is based on OAuth 2.0 and will be a solution for the health sector that offers:
- Common login solution
- Anchor confidence in the sector
- Securing APIs
The solution is based on a client (a specific system installed in a specific organization) being pre-registered with HelseID and can request a certificate (token) from HelseID which confirms that the system is what it claims to be. The token is a JSON Web Token (JWT) that contains codes that confirm the publisher and system. The token can also be enriched with information about the logged in person, and supports logging in via ID-porten at level high (level 4). The token is signed by HelseID and can be verified.
By requesting an access token, a system can thus use an API, and if the security mechanisms are otherwise good, the API provider can trust the content. Because the system issues the token (to the person offering the API), it is the token that defines which API / resource it is intended to provide access to. The access token has a relatively short service life.
To use SFM, the EPJ client will request a token with SFM as audience, and when correctly configured this will include an SFM-id identifying the client to SFM:
aud: e-helse:sfm.api
e-helse:sfm.api/client/claims/sfm-id: <ID>
The client can also request a refresh token that has a longer lifespan, and can use this to renew the access token as long as the refresh token is alive.
SFM is built in such a way that API calls that come in, or functions that are done in the GUI entail registration of information or notices in central systems that are to be done on behalf of the client / user who uses SFM. SFM is therefore configured in HelseID to be able to perform a "token exchange", ie to exchange a token with an audience for SFM, to a token that gives access to e.g. Reseptformidleren (prescription broker). The token will then contain information about the original client, about SFM who has changed the token and audience to provide access to the Reseptformidleren API.
For more information about HelseID (Norwegian): https://www.nhn.no/helseid/hvordan-ta-i-bruk-helseid/
For developers: https://helseid.atlassian.net/wiki/spaces/HELSEID/pages/217382951/How+do+I+as+a+developer+get+started+with+HelseID
For more information on the JWT token: https://jwt.io/
Example application: https://github.com/ThulaSource/HelseIdSampleApp