Fix claims for SI and SRE users

elsand · elsand · commit 524e1671a3d7 · 2026-02-02T11:22:49.000+01:00
diff --git a/README.md b/README.md
@@ -28,6 +28,13 @@ The application requires authentication. See https://altinn.github.io/docs/api/r
 #### Legacy (Altinn 2) Enterprise user tokens (aka Maskinporten + Enterprise user authentication):
 `https://altinn-testtools-token-generator.azurewebsites.net/api/GetEnterpriseUserToken?env={environment}&orgNo={orgNo}&partyId={partyId}&userId={userId}&userName={userName}`
 
+#### Legacy (Altinn 2) self-identified user tokens
+`https://altinn-testtools-token-generator.azurewebsites.net/api/GetSelfIdentifiedUserToken?env={environment}&orgNo={orgNo}&partyId={partyId}&userId={userId}&userName={userName}`
+
+#### ID-porten self-registered email user tokens
+`https://altinn-testtools-token-generator.azurewebsites.net/api/GetSelfRegisteredEmailUserToken?env={environment}&orgNo={orgNo}&partyId={partyId}&userId={userId}&email={email}`
+
+
 #### Optional parameters:
 
 * `supplierOrgNo` (Enterprise tokens only)
diff --git a/TokenGenerator/GetSelfIdentifiedUserToken.cs b/TokenGenerator/GetSelfIdentifiedUserToken.cs
@@ -41,7 +41,6 @@ public async Task<ActionResult> Run([HttpTrigger(AuthorizationLevel.Anonymous, "
             requestValidator.ValidateQueryParam("partyId", false, uint.TryParse, out uint partyId, (uint)rnd.Next(5000000, 7000000));
             requestValidator.ValidateQueryParam("partyuuid", false, Guid.TryParse, out Guid partyUuid, Guid.NewGuid());
             requestValidator.ValidateQueryParam("username", false, tokenHelper.IsValidIdentifier, out string username, $"SIUser{rnd.Next(1000, 9999)}");
-            requestValidator.ValidateQueryParam("email", true, tokenHelper.IsValidEmail, out string email);
 
             requestValidator.ValidateQueryParam<uint>("ttl", false, uint.TryParse, out uint ttl, 1800);
 
@@ -50,7 +49,7 @@ public async Task<ActionResult> Run([HttpTrigger(AuthorizationLevel.Anonymous, "
                  return new BadRequestObjectResult(requestValidator.GetErrors());
             }
 
-            string token = await tokenHelper.GeSelfIdentifiedUserToken(env, scopes, userId, partyId, partyUuid, username, email, ttl);
+            string token = await tokenHelper.GetSelfIdentifiedUserToken(env, scopes, userId, partyId, partyUuid, username, ttl);
 
             if (!string.IsNullOrEmpty(req.Query["dump"]))
             {
diff --git a/TokenGenerator/GetSelfRegisteredEmailUserToken.cs b/TokenGenerator/GetSelfRegisteredEmailUserToken.cs
@@ -0,0 +1,62 @@
+using System;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Azure.WebJobs;
+using Microsoft.Azure.WebJobs.Extensions.Http;
+using Microsoft.AspNetCore.Http;
+using System.Threading.Tasks;
+using Microsoft.Extensions.Options;
+using TokenGenerator.Services.Interfaces;
+
+namespace TokenGenerator
+{
+    public class GetSelfRegisteredEmailUserToken
+    {
+        private readonly IToken tokenHelper;
+        private readonly IRequestValidator requestValidator;
+        private readonly IAuthorization authorization;
+        private readonly Settings settings;
+
+        public GetSelfRegisteredEmailUserToken(IToken tokenHelper, IRequestValidator requestValidator, IAuthorization authorization, IOptions<Settings> settings)
+        {
+            this.tokenHelper = tokenHelper;
+            this.requestValidator = requestValidator;
+            this.authorization = authorization;
+            this.settings = settings.Value;
+        }
+
+        [FunctionName(nameof(GetSelfRegisteredEmailUserToken))]
+        public async Task<ActionResult> Run([HttpTrigger(AuthorizationLevel.Anonymous, "get", Route = null)] HttpRequest req)
+        {
+            ActionResult failedAuthorizationResult = await authorization.Authorize(settings.AuthorizedScopePersonal);
+            if (failedAuthorizationResult != null)
+            {
+                return failedAuthorizationResult;
+            }
+
+            var rnd = new Random();
+
+            requestValidator.ValidateQueryParam("env", true, tokenHelper.IsValidEnvironment, out string env);
+            requestValidator.ValidateQueryParam("userId", false, uint.TryParse, out uint userId);
+            requestValidator.ValidateQueryParam("scopes", false, tokenHelper.TryParseScopes, out string[] scopes, new[] { "altinn:portal/enduser" });
+            requestValidator.ValidateQueryParam("partyId", false, uint.TryParse, out uint partyId, (uint)rnd.Next(5000000, 7000000));
+            requestValidator.ValidateQueryParam("partyuuid", false, Guid.TryParse, out Guid partyUuid, Guid.NewGuid());
+            requestValidator.ValidateQueryParam("email", true, tokenHelper.IsValidEmail, out string email);
+
+            requestValidator.ValidateQueryParam<uint>("ttl", false, uint.TryParse, out uint ttl, 1800);
+
+            if (requestValidator.GetErrors().Count > 0)
+            {
+                 return new BadRequestObjectResult(requestValidator.GetErrors());
+            }
+
+            string token = await tokenHelper.GetSelfRegisteredEmailUserToken(env, scopes, userId, partyId, partyUuid, email, ttl);
+
+            if (!string.IsNullOrEmpty(req.Query["dump"]))
+            {
+                return new OkObjectResult(tokenHelper.Dump(token));
+            }
+
+            return new OkObjectResult(token);
+        }
+    }
+}
diff --git a/TokenGenerator/Services/Interfaces/IToken.cs b/TokenGenerator/Services/Interfaces/IToken.cs
@@ -14,7 +14,8 @@ public interface IToken
         Task<string> GetConsentToken(string env, string[] serviceCodes, IQueryCollection queryParameters, Guid authorizationCode, string offeredBy, string coveredBy, string handledBy, uint ttl);
         Task<string> GetPlatformToken(string env, string appClaim, uint ttl);
         Task<string> GetPlatformAccessToken(string env, string appClaim, uint ttl, string iss = "platform");
-        Task<string> GeSelfIdentifiedUserToken(string env, string[] scopes, uint userId, uint partyId, Guid partyUuid, string userName, string email, uint ttl);
+        Task<string> GetSelfIdentifiedUserToken(string env, string[] scopes, uint userId, uint partyId, Guid partyUuid, string userName, uint ttl);
+        Task<string> GetSelfRegisteredEmailUserToken(string env, string[] scopes, uint userId, uint partyId, Guid partyUuid, string email, uint ttl);
         Task<Dictionary<string, string>> GetTokenList(List<string> claimValues, Func<string, Task<string>> getToken);
 
         string Dump(string token);
diff --git a/TokenGenerator/Services/Token.cs b/TokenGenerator/Services/Token.cs
@@ -314,30 +314,75 @@ public async Task<string> GetPlatformAccessToken(string env, string appClaim, ui
             throw new ArgumentException("Invalid issuer");
         }
 
-        public async Task<string> GeSelfIdentifiedUserToken(string env, string[] scopes, uint userId, uint partyId, Guid partyUuid, string userName, string email, uint ttl)
+        public async Task<string> GetSelfIdentifiedUserToken(string env, string[] scopes, uint userId, uint partyId, Guid partyUuid, string userName, uint ttl)
         {
             var header = await GetJwtHeader(env);
             var dateTimeOffset = new DateTimeOffset(DateTime.UtcNow);
+            var sidJti = RandomString(43);
+
+            // https://github.com/Altinn/dialogporten/issues/3362#issuecomment-3834123082
             var payload = new JwtPayload
             {
-                // NOTE! This is an interim solution until the full list of claims is defined.
-                { "nameid", (int)userId },
+                { "sub", partyUuid.ToString() },
+                { "sid", sidJti },
+                { "iss", GetIssuer(null, env) },
+                { "urn:altinn:party:uuid", partyUuid.ToString() },
+                { "jti", sidJti },
+                { "urn:altinn:partyid", (int)partyId },
                 { "urn:altinn:userid", (int)userId },
                 { "urn:altinn:username", userName },
+                { "orignaliss", "altinn2" },
+                { "acr", "idporten-loa-low" },
+                { "urn:altinn:authlevel", 0 },
+                { "amr", new[] { "SelfIdentified" } },
+                { "urn:altinn:authenticatemethod", "SelfIdentified" },
+                { "scope", string.Join(' ', scopes) },
+                { "nbf", dateTimeOffset.ToUnixTimeSeconds() },
+                { "exp", dateTimeOffset.ToUnixTimeSeconds() + ttl },
+                { "iat", dateTimeOffset.ToUnixTimeSeconds() },
+
+                { "actual_iss", "altinn-test-tools" },
+
+            };
+
+            var securityToken = new JwtSecurityToken(header, payload);
+            var handler = new JwtSecurityTokenHandler();
+
+            return handler.WriteToken(securityToken);
+        }
+
+        public async Task<string> GetSelfRegisteredEmailUserToken(string env, string[] scopes, uint userId, uint partyId, Guid partyUuid, string email, uint ttl)
+        {
+            var header = await GetJwtHeader(env);
+            var dateTimeOffset = new DateTimeOffset(DateTime.UtcNow);
+            var sidJti = RandomString(43);
+
+            // https://github.com/Altinn/dialogporten/issues/3362#issuecomment-3834123082
+            var payload = new JwtPayload
+            {
+                { "sub", partyUuid.ToString() },
+                { "sid", sidJti },
+                { "iss", GetIssuer(null, env) },
                 { "urn:altinn:party:uuid", partyUuid.ToString() },
+                { "jti", sidJti },
                 { "urn:altinn:partyid", (int)partyId },
-                { "urn:altinn:authenticatemethod", "SelfIdentified" },
+                { "urn:altinn:userid", (int)userId },
+                { "urn:altinn:username", "epost:" + email },
+                { "orignaliss", "idporten" },
+                { "email", email },
+                { "urn:altinn:party:external-identifer", "urn:altinn:person:idporten-email:" + email },
+                { "acr", "selfregistered-email" },
                 { "urn:altinn:authlevel", 0 },
-                { "jti", RandomString(43) },
+                { "amr", new[] { "Selfregistered-email" } },
+                { "urn:altinn:authenticatemethod", "IdportenEpost" },
+                { "auth_time", dateTimeOffset.ToUnixTimeSeconds() },
                 { "scope", string.Join(' ', scopes) },
                 { "nbf", dateTimeOffset.ToUnixTimeSeconds() },
                 { "exp", dateTimeOffset.ToUnixTimeSeconds() + ttl },
                 { "iat", dateTimeOffset.ToUnixTimeSeconds() },
-                { "iss", GetIssuer(null, env) },
+
                 { "actual_iss", "altinn-test-tools" },
-                // These are the salient claims from https://docs.digdir.no/docs/idporten/oidc/oidc_func_emaillogin.html
-                { "arm", new[] { "Selfregistered-email" } },
-                { "email", email }
+
             };
 
             var securityToken = new JwtSecurityToken(header, payload);

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,6 @@ public async Task<ActionResult> Run([HttpTrigger(AuthorizationLevel.Anonymous, "`
`41`	`41`	`requestValidator.ValidateQueryParam("partyId", false, uint.TryParse, out uint partyId, (uint)rnd.Next(5000000, 7000000));`
`42`	`42`	`requestValidator.ValidateQueryParam("partyuuid", false, Guid.TryParse, out Guid partyUuid, Guid.NewGuid());`
`43`	`43`	`requestValidator.ValidateQueryParam("username", false, tokenHelper.IsValidIdentifier, out string username, $"SIUser{rnd.Next(1000, 9999)}");`
`44`		`- requestValidator.ValidateQueryParam("email", true, tokenHelper.IsValidEmail, out string email);`
`45`	`44`
`46`	`45`	`requestValidator.ValidateQueryParam<uint>("ttl", false, uint.TryParse, out uint ttl, 1800);`
`47`	`46`
`@@ -50,7 +49,7 @@ public async Task<ActionResult> Run([HttpTrigger(AuthorizationLevel.Anonymous, "`
`50`	`49`	`return new BadRequestObjectResult(requestValidator.GetErrors());`
`51`	`50`	`}`
`52`	`51`
`53`		`- string token = await tokenHelper.GeSelfIdentifiedUserToken(env, scopes, userId, partyId, partyUuid, username, email, ttl);`
	`52`	`+ string token = await tokenHelper.GetSelfIdentifiedUserToken(env, scopes, userId, partyId, partyUuid, username, ttl);`
`54`	`53`
`55`	`54`	`if (!string.IsNullOrEmpty(req.Query["dump"]))`
`56`	`55`	`{`