Skip to content

Maskinporten reference

Claims

See the Access Token reference in Maskinporten for a list of all claims.

Runtime Variables & Credentials

Your application will automatically be injected with environment variables at runtime.

Variables for acquiring tokens

These variables are used to 🎯 consume an external API.

Name Description
MASKINPORTEN_CLIENT_ID Client ID that uniquely identifies the client in Maskinporten.
MASKINPORTEN_CLIENT_JWK Private JWK (RSA) for the client.
MASKINPORTEN_SCOPES Whitespace-separated string of scopes registered for the client.
MASKINPORTEN_WELL_KNOWN_URL The well-known URL for the metadata discovery document
MASKINPORTEN_ISSUER issuer from the metadata discovery document.
MASKINPORTEN_TOKEN_ENDPOINT token_endpoint from the metadata discovery document.

Variables for validating tokens

These variables are used to 🎯 secure your API.

Name Description
MASKINPORTEN_WELL_KNOWN_URL The well-known URL for the metadata discovery document
MASKINPORTEN_ISSUER issuer from the metadata discovery document.
MASKINPORTEN_JWKS_URI jwks_uri from the metadata discovery document.

Scope Naming

All scopes within Maskinporten consist of a prefix and a subscope:

scope := <prefix>:<subscope>

For example:

scope := nav:trygdeopplysninger

Prefix

The prefix is set to nav for all scopes.

Subscope

A subscope should describe the resource to be exposed as accurately as possible. It consists of three parts; product, separator and name:

subscope := <product><separator><name>
product

A product should be a logical grouping of the resource, such as trygdeopplysninger or pensjon.

separator

The default separator is :. If name contains /, the default separator is instead /.

If the separator field is configured, it will override the default separator.

name

The name may also be postfixed to separate between access levels. For instance, you could separate between write access:

name := trygdeopplysninger.write

...and read access:

name := trygdeopplysninger.read

Example scope

If name does not contain any / (forward slash), the separator is set to : (colon).

For the following scope definition:

nais.yaml
spec:
  maskinporten:
    enabled: true
    scopes:
      exposes:
        # `nav:arbeid:some.scope.read`
        - name: "some.scope.read"
          enabled: true
          product: "arbeid"

the subscope is then:

subscope := arbeid:some.scope.read

which results in the fully qualified scope:

scope := nav:arbeid:some.scope.read

If name contains a / (forward slash), the separator is set to / (forward slash).

For the following scope definition:

nais.yaml
spec:
  maskinporten:
    enabled: true
    scopes:
      exposes:
        # `nav:arbeid/some/scope.read`
        - name: "some/scope.read"
          enabled: true
          product: "arbeid"

the subscope is then:

subscope := arbeid/some/scope.read

which results in the fully qualified scope:

scope := nav:arbeid/some/scope.read

Spec

See the 📚 NAIS application reference.