TokenX
TokenX is NAIS' own implementation of OAuth 2.0 Token Exchange.
This allows internal applications to act on behalf of a citizen that originally authenticated with ID-porten, while maintaining the zero trust security model between applications throughout a request chain.
NAIS provides support for declarative registration and configuration of TokenX resources. These cover two distinct use cases:
Consume an API
To consume an API secured with TokenX on behalf of a citizen, you'll need to exchange their token for a new token.
The new token preserves the citizen's identity context and is only valid for the specific API you want to access.
```mermaid
graph LR
  Consumer["User / Consumer API"] --"request with\ncitizen token"--> Application[Your app]
  Application --1. exchange \ncitizen token---> TokenX
  TokenX --2. return new token\nfor Other API---> Application
  Application --3. use new token---> Other["Other API"]
```
Learn how to consume an internal API on behalf of a citizen
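The three numbered steps in the diagram, sketched as an added example (this is not NAIS code). It assumes the exchange uses the standard RFC 8693 form parameters and that your app authenticates with a signed JWT client assertion (RFC 7523) that it has already produced; the function names are hypothetical.

```python
import json
import urllib.parse
import urllib.request

# Standard identifiers from RFC 8693 (token exchange) and RFC 7523 (JWT client auth).
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:token-exchange"
JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def build_exchange_request(token_endpoint, citizen_token, audience, client_assertion):
    """Step 1: build (but do not send) the POST that exchanges the citizen token."""
    if not token_endpoint.startswith("https://"):
        raise ValueError("token endpoint must use https")
    if not (citizen_token and audience and client_assertion):
        raise ValueError("citizen token, audience and client assertion are required")
    form = {
        "grant_type": GRANT_TYPE,
        "subject_token": citizen_token,        # token received from the caller
        "subject_token_type": JWT_TOKEN_TYPE,
        "audience": audience,                  # the one API the new token is for
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": client_assertion,  # assumed: JWT signed by your app
    }
    return urllib.request.Request(
        token_endpoint,
        data=urllib.parse.urlencode(form).encode("ascii"),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def parse_exchange_response(body):
    """Step 2: return the new token, rejecting anything but a bearer access token."""
    reply = json.loads(body)
    if "error" in reply:
        raise PermissionError(f"exchange refused: {reply['error']}")
    if reply.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    if reply.get("issued_token_type") != ACCESS_TOKEN_TYPE:
        raise ValueError("unexpected issued_token_type")
    return reply["access_token"]


def authorize_header(access_token):
    """Step 3: header for the downstream call; the citizen token is never forwarded."""
    return {"Authorization": f"Bearer {access_token}"}
```

Pass the request to `urllib.request.urlopen` to perform the exchange, then feed the response body to `parse_exchange_response`.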
Secure your API
To secure your API with TokenX, you'll need to grant consumers access to your application.
Once configured, your consumers can exchange a token with TokenX to consume your API.
Your application code must verify inbound requests by validating the included tokens.
Learn how to secure your API with TokenX
Generate a token for development
In some cases, you want to locally develop and test against a secured API in the development environments. You will need a token to access said API.