@jonkjetiloye jonkjetiloye commented Nov 28, 2025

Summary by CodeRabbit

  • New Features

    • Added granular query parameters to filter authorized parties by roles, access packages, resources, instances, and party relationships.
  • Improvements

    • Updated authentication scheme for the authorized parties endpoint.
    • Reworked request and response formats for clearer, more consistent payloads.
    • Standardized error and validation responses for improved observability and troubleshooting.
    • Simplified API surface by removing legacy header usage.

coderabbitai bot commented Nov 28, 2025

Note

.coderabbit.yaml has unrecognized properties

CodeRabbit is using all valid settings from your configuration. Unrecognized properties (listed below) have been ignored and may indicate typos or deprecated fields that can be removed.

⚠️ Parsing warnings (1)
Validation error: Unrecognized key(s) in object: 'auto_resolve_threads'
⚙️ Configuration instructions
  • Please see the configuration documentation for more information.
  • You can also validate your configuration using the online YAML validator.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Walkthrough

POST /resourceowner/authorizedparties in the OpenAPI spec was restructured: query parameters expanded, request body inlined, response and error schemas reorganized, and security schemes/scopes replaced and renamed.

Changes

| Cohort / File(s) | Summary |
|---|---|
| API Specification Update: static/swagger/altinn-platform-accessmanagement-v1-resourceowner.json | Updated POST /resourceowner/authorizedparties: expanded boolean query params (includeRoles, includeAccessPackages, includeResources, includeInstances, includePartiesViaKeyRoles), replaced previous Altinn2/header handling with includeAltinn3 and removed Ocp-Apim-Subscription-Key header, inlined request body as AuthorizedPartiesRequest, reorganized components/schemas (AuthorizedPartiesRequest, UrnAttribute, Subject, AuthorizedParty, AuthorizedPartyType, AuthorizedResource, ProblemDetails, ValidationProblemDetails), changed responses (200 description -> "OK", removed 400, 500 description -> "Internal Server Error"), introduced RequestBodies entry for AuthorizedPartiesRequest, and added/updated securitySchemes (MaskinportenDelegationsAuth, AuthorizedPartiesSOAuth) with operation security set to oauth2 scope AuthorizedPartiesSOAuth. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Areas requiring attention:

  • Schema reference consistency: ensure all references updated to the new schema names and none remain pointing to removed/old refs.
  • Query parameter semantics: confirm backend supports the new boolean flags and includeAltinn3 behavior.
  • Security configuration: verify AuthorizedPartiesSOAuth and MaskinportenDelegationsAuth scopes and descriptions match authorization implementation.
  • Response and error contracts: validate removal of 400 and the revised ProblemDetails/ValidationProblemDetails shapes won't break clients.
  • Localization: check descriptions/titles in en-US, nb-NO, and nn-NO for completeness and consistency.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: updating the OpenAPI specification for the resourceowner/authorizedparties endpoint with expanded query parameters, restructured request/response models, and security configuration changes. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 63e672c and 01495ff.

📒 Files selected for processing (1)
  • static/swagger/altinn-platform-accessmanagement-v1-resourceowner.json (3 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • static/swagger/altinn-platform-accessmanagement-v1-resourceowner.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Analyze (javascript-typescript)

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ff48d43 and 63e672c.

📒 Files selected for processing (1)
  • static/swagger/altinn-platform-accessmanagement-v1-resourceowner.json (2 hunks)
🧰 Additional context used
📓 Path-based instructions (1)
static/**/*

⚙️ CodeRabbit configuration file

Check for links, markdown formatting, headings, grammar, and spelling in multiple languages (en-US, nb-NO, nn-NO).

Files:

  • static/swagger/altinn-platform-accessmanagement-v1-resourceowner.json
🧠 Learnings (4)
📓 Common learnings
Learnt from: SandGrainOne
Repo: Altinn/altinn-studio-docs PR: 2262
File: static/swagger/altinn-platform-profile-v1.json:202-296
Timestamp: 2025-07-11T09:46:22.736Z
Learning: The file static/swagger/altinn-platform-profile-v1.json is mostly autogenerated and manually added to documentation. Any issues with this OpenAPI specification file need to be fixed in the source code that generates it, not directly in the file itself.
Learnt from: lvbachmann
Repo: Altinn/altinn-studio-docs PR: 2477
File: content/authorization/migration/servicemigrationplan/_index.nb.md:4-4
Timestamp: 2025-10-27T07:48:11.643Z
Learning: In content/authorization/migration/servicemigrationplan/_index.nb.md (Norwegian Bokmål), the use of "Altinn II" in the description and "Altinn 2" in the document body is intentional and reflects actual naming conventions. This terminology difference should not be flagged as an inconsistency.
📚 Learning: 2025-07-11T09:46:22.736Z

Applied to files:

  • static/swagger/altinn-platform-accessmanagement-v1-resourceowner.json
📚 Learning: 2025-10-27T07:48:11.643Z

Applied to files:

  • static/swagger/altinn-platform-accessmanagement-v1-resourceowner.json
📚 Learning: 2025-08-13T07:02:55.898Z
Learnt from: Ahmed-Ghanam
Repo: Altinn/altinn-studio-docs PR: 2308
File: static/swagger/altinn-notifications-v1.json:186-247
Timestamp: 2025-08-13T07:02:55.898Z
Learning: The InstantOrdersController in the Altinn Notifications API uses different validation error handling than the regular orders endpoint - it uses 400 for all validation errors rather than separating them with 422 (Unprocessable Entity). The OpenAPI specification should reflect the actual controller implementation.

Applied to files:

  • static/swagger/altinn-platform-accessmanagement-v1-resourceowner.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Analyze (javascript-typescript)
🔇 Additional comments (1)
static/swagger/altinn-platform-accessmanagement-v1-resourceowner.json (1)

252-525: Important: This specification file is autogenerated.

Per prior learnings from this repository, OpenAPI specification files in static/swagger/ are typically autogenerated from source code and manually maintained in documentation. If the issues flagged above require schema or security scheme corrections, ensure they are fixed in the source code generator first, rather than only in this spec file. This will prevent manual corrections from being overwritten on the next generation cycle.

Based on learnings from PR #2262, ensure consistency between this file and its source.
