Feature/signing (#956)

* signing interface cardinality adr

* Feature/signing service (#810)

* adr for transaction handling

* scaffold signee service

* summary additions

* add telemetry

* When calling process next while in a signing task, if no action param is supplied, authorize it as a write action. Move deletion of stale data elements to ProcessTaskInitializer.

* add correspondance mock

* add method for sending notifications

* Expose endpoint for searching for person using ssn and last name. (#815)

* Expose endpoint for searching for person using ssn and last name.

* Use class and drop dto postfix.

* Move mapping to reponse class.

* Add success property to PersonSearchResult. Move person details into nested object.

* fix the pros and cons for adr 002

* Rename PersonSearchComponent to LookupPersonController.

* API Endpoint for getting org from Enhetsregisteret (#847)

* adds endpoint for getting an organisation from Enhetsregisteret

* renames OrganisationSearch -> Lookup

* Feature/singing bt (#868)

* temp

* feat: add phone and email to signee state

* split signee states on person/org, handle delegation before notification

* split signing notification and delegation to seperate services

* Move SigneeParty to Models folder

* update signeeConfig -> signeeParty

* split out method for processing signees to support retries

* restructure signeecontext, party and state

* update signing service to use new signingcontext structure

* split notification config based on the receiving system

* Make telemetry nullable in signing service.

* some more stuff

* Fix compilation error

* Touples in notification service. Sms number from registry. Store reason for sms/email failure.

* Extract SigningService interface. Various adjustments after mob session.

* For now: Add user action for initializing delegated signing.

---------

Co-authored-by: Bjørn Tore Gjerde <[email protected]>

* Feature/delegation client (#874)

* add model for delegation request

* add step builder for delegation request

* add scaffold for delegation client

* add scaffold to signing delegation service

* temp solution for const instead of magic strings

* add delegation client

* weird state

* update handling of party id to use party uuid

* rm sign delegate rights from access management client

* Remove duplicate Altinn.Platform.Storage.Interface package reference.

* Fix some warnings so it can be built successfully.

* Draf sulution for selecting the correct ISigneeProvider implementation.

* Improve missing signee provider exception message.

* Add singing services to ServiceCollectionExtensions.

* Rename OnSignatureTaskReceived to OnSignatureAccessRightsDelegated. Make Telemetry optional in SigningService.

* Use IOtions for platform settings in AccessManagementClient.

* Fix lookup person tests.

* SigningService: Move private methods below public ones.

* Validate app only as contributor on paymentInformation and signature while env  == development. (#940)

* update builder to standard set in correspondance (#909)

* update builder to standard set in correspondance (1/2)

* restructure: add builders folder

* formatting

* add TryGet method to retrieve app resource id

* cleanup

* formatting

* add custom exceptions

* use IOptions for plattformsettings

* simplify builder

* format

* trailing comma

* more formatting

* Update lookup controllers (#945)

* update controllers

* add 500 annotation for org lookup

* fix copy pasta

* update swagger

* lastname usage goes too deep (storage)

* update swagger

* update test paths

* use 200 OK when no hit

* typo

* log error

* format

* use the correct namespacing for the logger

* shorten method

* Draft controller code for getting the signee states.

* update swagger

* SigningController: Use problem details in bad request response.

* Feature/persist signee context (#980)

* WIP persisting signee contexts

* test data

* use party id instead of partyuuid in singing context

* wip: persist signature state

* wip: Make SigneeContext classes public because of json serialization/deserialization.

* set debug type to portable for core and api

* working state for persisting and reading signee context

* add missing xml comments

* update swagger

* make models internal

---------

Co-authored-by: Camilla Marie Dalan <[email protected]>
Co-authored-by: Bjørn Tore Gjerde <[email protected]>

* First version of "data elements to sign" endpoint.

* Fix merge error.

* Remove 404 from singing controller. Can't see that it returns 404.

* Update openapi spec.

* Adds self links to signing data elements (#986)

* adds self links to signing data elements

* updates oas

* Feature/signing delegation (#982)

* rename method

* add terlemetry to singing delegation

* use instancemuitator instead of instance

* lastname changes

* format

* temp fix for bad model

* add debug logging

* format

* domain model for application resource id

* format

* use app resource id

* add AppResourceId and simplify parameters to signing delegation

* debug logging

* lets try loggin again

* format

* update instantiation of AppIdentifier

* public

* use actual instance id

* inject taskId as param, due to being unable to resolve it

* add delegation builder test

* better logging for access management issues

* rm unused using

* better logging

* just log everything

* just log everything but better

* forgot one

* add summary for all public props

* use party uuid

* clarify vars, rm comments

* log response

* summaries

* add app and org delegation

* simplify delegation abstractions

* move appResourceId into a named namespace

* rm builders, use domain objects

* client cleanup

* add revoke signee rights

* format

* rm debug logging

* workaround -> work around

* block scoped variables

* rm debug logging of sensitive data

* delagate from current user

* use UserParty instead of Party

* simplify lastname handling (#1006)

* simplify lastname handling

* get lastname from fullname

* use invariant culture

* rm redundant semi

* update summary for PersonSignee.FullName

* adds party id to signing state response (#1009)

* Feature/signing notification (#1021)

* add traces and metrics to notifications for signing

* extract getUserLanguage from pdfService

* add metrics

* add default notification bodies

* remove language support from signing notification

* cleanup usings

* update default sms body

* Populate email request, clarify sms sender number

* Add default email subject

* Add reference for email tracking

* Consolidate sms and email notification interfaces

* move signing notification default to signingnotificationservice

* add signing notification service tests

* robustify, add more tests

* robustify, add more tests

* break -> continue + test

* typo

* pr feedback, try send email if sms fails

* typo

* Fix setting signing delegation state (#1034)

* fixes setting delegated status by inverting logic

* removes is

* add signing delegation tests (#1038)

* Download signDocuments and synchronize with SigneeContexts. (#1039)

* Download signDocuments and synchronize with SigneeContexts. Enables checking signature status.

* Download signature documents in parallell.

* Make sure to add sign document to on-the-fly signeeContexts.

* Move download signDocument into a method.

* Extract logic for creating SigneeContext from SignDocument to method.

* Add some validation to SigningProcessTask.Start and skip running signee initialization and process signees if there is  no point.

* Fix merge error.

* Use xUnit for asserts instead of FluentAssertions.

* Update swagger.json.

* Update SaveJsonSwagger.verified.txt.

* Send receipt for completed signing (#1042)

* implements default signing task validator (#1046)

* implements default signing task validator

* adds and fixes tests

* makes catcherror func private

* screams null instead of whispering. Also removes logger

* adds process bpmn param to turn off default signing task validation and added function docs

* makes SigningTaskValidator sealed and using is instead of double equals

* implements qa suggestions

* no signees -> empty list

* Pdf-sign (#1051)

* dummy commit

* create pdf in process task end for signing

* generate pdf if signing pdf data type is set

* add underscore separator in pdf name

* remove unreachable fallback

* use signing pdf data type

* hotfix look for either org or ssn for party lookup

* fixes hotfix for looking up party based on either org or person number

* delegate on behalf of io, org takes precedence (#1085)

* delegate on behalf of io, org takes precedence

* update tests to match stricter type requirements

* Signing on behalf of org and model changes (#1066)

* populates actual organisation number of selected party in sign document when signing

* refactors person and organisation signees to be a single signee object

* moves most of the logic for actually signing to signeeService

* updates signee contexts after signing

* makes SigneeContext inherit from SigneeParty and some cleanup

fixes possibly null reference

* fixes test and minor code improvements

* removes unused catcherror func

* adds QA suggested changes

* changes getsignee to use UserParty and logging information

* removes logging with json serializer that triggered error

* searches for party with either ssn or orgnr

* updates signdocument and signee context match and adds logs

* dont use strict mode for logger in tests

* using just party instead of user party for orgnr

* provide created signee context from sign document with both user and org party, some cleanup and logging

* adds org party default with person party fallback to created signee context form sign document

* minor fixes

---------

Co-authored-by: HauklandJ <[email protected]>

* Catch no partyuuid in signing access delegation (#1089)

* handles no party uuid with adding delegation error message to signee contexts instead of throwing

* fixes possible null reference assignment

* sets notification successful only if there are no error messages for sending notification on the signee state (#1090)

* fixes getting org number on sign (#1093)

* Change som var to explicit data type when data type can't be inferred on the right side.
Mainly to get a new non zero leading hash for new package. :P

* Delete old signee state in Start and Abandon. (#1052)

* Feature/signing refactor sign on behalf (#1106)

* WIP

* refactoring

* adds type discriminator to SigneeContext.Signee

* removes unnecessary party lookup

* fixes signingservicetests

* fixes signingdelegationservicetests

* fixes signingnotificationservicetests

* fixes signingtaskvalidatortests

* updates storage interface

* minor improvements to signeecontext

* updates verified responses

* returns orgparty for orgsignee

* looking for null or empty string instead of just null

* fixes null checks

* Feature/signing controller tests (#1109)

* logging object in signingservice with serialization

* adds SigningController tests

* adds updated swagger and response

* makes logging for debugging purposes logDebug

* fixes incorrect matching of signees with sign documents and adds tests for the case (#1128)

* Validate and update tlf and fixes hard crash (#1129)

* prevents crash on invalid phone number

* updates tests

* adds test for number without country code

* adds default country code if 8 digits and updates test accordingly

* uses PhoneNumbers package to validate before sending sms order

* fixes wrong notification sent status

* minor fix

* switches out phonenumber nuget with regex

* removes logging of whole exception that also crashes

* switches notficiationsent from bool to enum

* adds jsonproperynames to signingstateresponse

* fixes jsonproperty annotations from qa

* Adds timestamp to signee state DTO (#1130)

* adds timestamp to signee state dto

* removes dto naming and notificationsuccessful -> notificationstatus

* Draft: correspondance instead of notification for signing call to action (#1122)

* Add scaffolding for correspondance

* remove signing notification

* fix tests and format

* add link to app instance to body of correspondance message

* changes after rebase

* re-remove singingnotification

* fix tests after rebase, format

* add language support for signing call to action message

* split correspondace service into "receipt" and "call to action" services

* Add default texts to signing receipts

* add language support to notification received through correspondence

* mv TextResourceExtensions to Features/Extensions

* format

* add TextResourceExtensionsTests

* add a few tests

* update test

* test signing call to action service

* format

* fix test

* more signing cta tests

* some signing receipt service tests

* add GetContent tests for signing receipt correspondance

* Test signing correspondance send receipt

* cover more conditions for signing receipt

* rename textresources

* remember to save all files before committing

* stricter orgnumber check

* add logging

* format

* add ugly hacks to deal with testing in tt02

* rm debug log

* use org number instead of org name for service owner party lookup

* do not inject cdn client, create new instance instead

* correspondance -> correspondence

* rename correspondance -> correspondence

* reminder requires a lot more scaffolding, remove for now

* fallback for ttd serviceowner

* fix url

* update tests

* Add placeholder description to summary

* delete unused interface

* update text resource key name for sms

* move initialization of variable closer to use

* update reading of the sms body value to new property name

* update sms body property to new name

* update signeestate is -> hasbeen for usages

* update summary, and update test

* update test with new prop name

* update interface casing

* refactor getServiceOwnerParty into method

* uses string.isNullOrEmpty instead of is null for string null checks (#1144)

* Add display text to link replacement in correspondence message (#1145)

* Split SigneeParty in PersonSignee and OrganisationSignee (#1141)

* corrects sing -> sign

* splits signeeparty in personsignee and organisationsignee

* SigneesResultSignee -> ProvidedSignee and SigneeContextSignee -> Signee

* removes intizializeDelegatedSigningUserAction

* Wrap cts in using

* Feature/singing revoke on reject (#1147)

* fix url

* Implement 'ImplementableByApps' for ISigneeProvider

* add tests to urlhelper for access management (#1152)

* Add possibility to override sms and email for correspondence (#1155)

* add tests to urlhelper for access management

* move all correspondance response models to separate folder

* extend correspondance model with notification override capabilities

* add notification override to signing cta service

* update corespondence builders

* Swaps in `InstanceDataOfWorkInitializer`, updates controllers and tests

* fix build warnings

* Adjust custom notification with correspondence (#1160)

* logging

* include internal props in serialization

* rename symbols

* update property names after input from team melding that the swagger docs are wrong

* update notification choice logic

* log correspondence id

* format

* tests should not fail because of debug logs

* update models

* test driven development

* Rename prop

* plural

* Slightly less mocky testing

* moves sign action back to SigningUserAction and reimplement tests (#1172)

* Internal signing controller (#1174)

* makes SigningController internal

* removes redundant comment

* inherit more of the original implementation of IsController from ControllerFeatureProvider

* adds namespace to InternalControllerFeatureProvider

* fixes swagger files

* makes signing stuff internal (#1176)

* fix client (#1185)

* Authorize process next as 'sign' when the process task type is signing (#1161)

* Authorize process next as 'sign' when the process task type is signing and and no action was submitted. This is how storage authorizes it, and it means that the party that should run process next when everyone has signed, needs the 'sign' access right.

* Move process next authorization into separate class and define what kind of actions allow process next for each task type.

* Flip order of methods in AccessManagementClient.cs.

* make IsValidContributors internal and only allow serviceowner auth

* Process next: Use AuthorizeAction multiple times instead of AuthorizeActions (#1208)

* Feature/signing roles (#1194)

* Add GetRoles method to Authorization client

* add GetAuthorizedOrganisations endpoint

* Add telemetry to authorization client GetRoles method

* extract method

* add mock for auth client

* format

* Add response dto

* update swagger snaphot

* update test setup to include new dependency

* add signing controller tests

* add signing service test

* mv GetAuthorizedOrganisations GetAuthorizedOrganisationSignees

* mv authorised authorized

* update swagger test expected snapshot

* use IAthenticationContext instead of IHttpContextAccessor

* use pdp multi part request to get key role organisations

* filter permitted

* cleanup

* update test

* add tempt tt02 debug logging

* do actions optionally on behalf of an org

* stringly typed

* rm unused using as this apparently crashed the github runners which are more strcit than building locally

* update swagger verified for snapshot

* add logging

* update test

* more logging

* found the issue...

* handle on behalf of

* rm getRoles from auth client as this is no longer used

* rm unused using

* rm solved TODO

* rm noisy logging

* make method static..

* Sonar feedback (#1223)

* Don't use string interpolation in logging message templates.

* Remove this unnecessary check for null.

* format

* rm todos

* condition always evaluates to true

* mark class as static

* rm todo comments

* 'int' should not be explicitly used as the underlying type of enum

* remove unused local variable

* persist correspondence id in signeestate (#1235)

* persist correspondence id in signeestate

* log correspondence receipt id

* Don't use default validator by default.

* Validate after running user action handler in process next (#1231)

* Reload instance data after SignDataelements has been called.

* Until we support the correct spelling of AllowedContributers, the error message should also contain the typo.

* Update CorrespondenceClient with API changes (#1083)

* Deserialises validation errors if present in reply from API server

* WIP

* Elevate `OrganisationOrPersonIdentifier` and friends out of Correspondence namespace

* Removes Name/DisplayName props and other Correspondence tweaks as required

* Fixes tests and refactors for a bit more sanity

* Removes CorrespondenceRecipient

* Renames Create->Parse for `Party` parsing

* Convenience operators

* Removes `Experimental` warning for Correspondence Client

* Bugfix: Used checkedAction to find userActionHandler, which ment sign action handler was always ran for signing process next.

* Fix bad merge.

* [Signing] Renaming and internal namespace for internal classes (#1240)

* organisation -> organization and internal namespace

* renames SigneesResult to SigneeProviderResult

* renames SigneeState for SigneeContext to SigneeContextState

* renames Signee in SigneeProviderResult back to ProvidedSignee because of clash with Signee model from Storage

* updates OAS

* renames rest of organisation -> organization in signing folder

* [Signing] Creates SigneeContextsManager and adds tests  (#1246)

* extracts some methods in SigningService to a new SigneeContextsManager class

* adds tests

* fixes wrong service being used in controller

* adds more tests to SigningDelegationService

* deduplicate SigningDelegationService

* adds tests for SigningController GetDataElements

* adds more tests for SigningService

* [Signing] Create SignDocumentManager and tests (#1249)

* extracts signdocumentmanager from signingservice

* makes SynchronizeSigneeContextsWithSignDocuments immutable

* update SigningServiceTests

* adds tests for SignDocumentManager

* breaks up SynchronizeSigneeContextsWithSignDocuments into smaller functions

* poboo -> p (#1248)

* poboo -> p

* test

* british english expectation in frontend...

* update swagger tests

* more british english, bloody ell

* uses getsigneecontexts from signingservice instead of singeecontextsmanager (#1250)

* When task type doesn't have specific mapping to actions that allow process next, use task type as default. Ment to be used for custom task types. (#1255)

* Refactoring moving some code (#1259)

* Feature/signing mob feedback (#1271)

* Tiny adjustments in SigningController.

* Move SigneeProviderResult.

* Use delegate for CatchError functions

* mv systemSignee systemUserSignee

* using stream

---------

Co-authored-by: Bjørn Tore Gjerde <[email protected]>

* Use American spelling in signing (#1272)

* converts british to american spelling for signing things that we can change

* updates oas verified json

* Rename provided signees (#1273)

* renam provided signees

* move abtract inheretors out of abstract class to not required a static using

* update correspondance configuration for ISigneeProvider (#1274)

* update correspondance configuration for ISigneeProvider

* create a local reference variable for notification rather that contactdetails in SigneeContextManager

* Add a remark to InboxMessage.BodyTextResourceKey, explaining the link override

* mv contactDetails CommunicationConfig

* clarify summary texts

* Use translation service for correspondence (#1276)

* Use translation service for correspondence

* add helper method to TranslationService to get the first hit when multiple keys are supplied

* Do not use lenient method when key is guaranteed not null

* format

* format

* merge from main snuck in a package downgrade for storage interfaces, revert

* rm auth shortcut for on behalf of instance owner (#1245)

* rm auth shortcut for on behalf of instance owner

* rm

* mv s z

* Update telemetry (#1281)

* Upodate telemetry

* throw signingException if lookup instance owner fails

* Cancellation token for signing (#1286)

* scaffolding for cancellation token coverage

* just scaffold

* missed one ct forward

* forward ct

* create cts for signing controller

* add ct to process and action controllers

* fix casing in comments

* proper mock setup with cts

* fallback to default ct in IUserAction to avoid breaking change

* format

* Change ISigneeProvider.GetSigneesAsync to accept a record with parameters instead of just a instance parameter. Also supply IInstanceDataAccessor instead of the Instance directly.

* Ensure exactly one signee provider.

* Change ISigneeProvider.GetSigneesAsync to accept a record with parameters instead of just a instance parameter. Also supply IInstanceDataAccessor instead of the Instance directly.

* Remove some unnecessary taskId params.

* Rename GetSigneesAsync's parameter class.

* $InstanceUrl -> $instanceUrl$ (#1292)

* update storage interface to 4.0.10 (#1293)

* update storage interface to 4.0.10

* support allowedContributors

* supress warning

* supress

* Don't throw AuthenticationContextException in ProcessEngineAuthorizer. (#1299)

* Remove async suffix from ISigneeProvider. (#1302)

* Validate minimum amount of signatures instead of minimum one. (#1304)

* remove html tags from default message (#1303)

* Remove unused code.

* Add default value for ct in SigningUserAction, as interface defines.

* Adjust allowed contributors dev time error message.

* update default text for email (#1307)

---------

Co-authored-by: Bjørn Tore Gjerde <[email protected]>
Co-authored-by: Bjørn Tore Gjerde <[email protected]>
Co-authored-by: Camilla Marie Dalan <[email protected]>
Co-authored-by: Daniel Skovli <[email protected]>
Co-authored-by: Martin Othamar <[email protected]>
Co-authored-by: Martin Othamar <[email protected]>

Author: 5 people

Directory.Packages.props

@@ -9,7 +9,7 @@
     <PackageVersion Include="Altinn.Common.EFormidlingClient" Version="1.3.3" />
     <PackageVersion Include="Altinn.Common.PEP" Version="4.1.2" />
     <PackageVersion Include="Altinn.Platform.Models" Version="1.6.1" />
-    <PackageVersion Include="Altinn.Platform.Storage.Interface" Version="4.0.6" />
+    <PackageVersion Include="Altinn.Platform.Storage.Interface" Version="4.0.10" />
     <PackageVersion Include="Azure.Extensions.AspNetCore.Configuration.Secrets" Version="1.4.0" />
     <PackageVersion Include="Azure.Identity" Version="1.13.2" />
     <PackageVersion Include="Azure.Monitor.OpenTelemetry.Exporter" Version="1.3.0" />

doc/adr/001-signing-interface.md

@@ -0,0 +1,42 @@
+# Internal handling of the signing interface
+
+-   Status: Proposed
+-   Deciders: Johannes Haukland, Bjørn Tore on behalf of Team Apps
+-   Date: 2024-09-25
+
+## Result
+
+Chosen alternative A2: Unlimited implementations per app.
+
+## Problem context
+
+Apps will expose an interface to app developers for signing logic. The implementation of the interface will
+contain logic which derives the relevant signees in the application context.
+
+## Decision drivers
+
+-   B1: Support multiple signees per process task.
+-   B2: Support runtime signees decision for app end users.
+-   B3: Support different signees for different process tasks.
+-   B4: It should be clear how to implement in Altinn Studio.
+-   B5: Nice to have: Keep complexity for app developers low.
+
+## Alternatives considered
+
+-   A1: Maximum one implementation of the interface per app.
+-   A2: Unlimited implementations per app, process task connected to implementation id with `</altinn:signLogicId>` in `<altinn:signatureConfig>`
+
+## Pros and cons
+
+### A1
+
+-   Good, because B1, B2 and B3 is supported.
+-   Bad, because the implementation of the interface must include paths for different tasks to support B3. This undermines B5
+-   Bad, because the implementation in Altinn studio would be complex
+    -   Adding another signing task would require Studio to append a conditional path to the existing interface implementation
+
+### A2
+
+-   Good, because B1, B2 and B3 is supported.
+-   Good, because implementation for studio is trivial, supporting B4.
+-   Bad, because more process configuration is required to support B3. This undermines B5

doc/adr/002-signing-transaction-handling.md

@@ -0,0 +1,58 @@
+# How we handle transactions for signing
+
+-   Status: Proposed
+-   Deciders: Johannes Haukland, Bjørn Tore on behalf of Team Apps
+-   Date: 02.10.2024
+
+## Result
+
+A2: State - We store transaction state. We retry, skipping the previously succesful steps.
+
+## Problem context
+
+When we talk about a transaction in this context we mean several ordered steps.
+We use two categories to describe a step in the context of a transaction:
+
+1. Idempotent - Completing the step multiple times has the same effect as doing it once
+   Example: Assigning a role to a person.
+2. Non-Idempotent
+   Example: Sending a notification to a person.
+
+In the case of signing we have two transactions:
+
+#### Setting signees transaction
+
+1. Delegate right to action **sign** on the signing task.
+2. Send a notification to the signee using the correspondence API
+
+#### Signing
+
+1. A signee signs data elements
+2. The person in charge of moving the process out of the sign task is notified using the correspondence API
+
+We will refer to step 1 as the **action** and step 2 as the **message**
+
+## Decision drivers
+
+-   B1: We must not send a **message** unless the **action** is successful
+-   B2: We must guarantee "at least once delivery" of the **message** if the **action** is successful
+-   B3: We should guarantee "exactly once delivery" of the **message** if the **action** is successful
+-   B4: We should not rollback idempotent steps if they are to be redone.
+
+## Alternatives considered
+
+-   A1: Rollback - We use a transaction scope. If a step fails then we rollback the previous steps. We retry the transction.
+-   A2: State - We store transaction state. We retry, skipping the previously succesful steps.
+
+## Pros and cons
+
+List the pros and cons with the alternatives. This should be in regards to the decision drivers.
+
+### A1
+
+-   Good, because this alternative adheres to all descision drivers
+-   Bad, because it does not fullfill the B4 decision driver, leading to unnecessary traffic.
+
+### A2
+
+-   Good, because it adheres to all **must** decision drivers.

doc/adr/template.md

@@ -0,0 +1,45 @@
+# A short descriptive title - what is the outcome of this adr?
+
+-   Status: Proposed | Accepted | Exceeded by "adr-name"
+-   Deciders: People | Team
+-   Date: Proposal date
+
+## Result
+
+Which alternative was chosen. Do not include any reasoning here.
+
+## Problem context
+
+The problem you want to solve, any relevant context.
+
+## Decision drivers
+
+A list of decision drivers. These are points which can differ in importance. If a point is "nice to have" rather than
+"need to have", then prefix the description.
+
+Examples
+
+-   B1: The solution make it easier for app developers to develop an app.
+-   B2: Nice to have: The solution should be simple to implement for out team.
+
+## Alternatives considered
+
+List the alternatives that were considered as a solution to the problem context.
+
+-   A1: A solution to the problem.
+-   A2: Another solution to the problem
+
+## Pros and cons
+
+List the pros and cons with the alternatives. This should be in regards to the decision drivers.
+
+### A1
+
+-   Good, because this alternative adheres to B1.
+    -   Optional explanation as to how.
+-   Bad, because it does not fullfill the B2 decision driver.
+
+### A2
+
+-   Good, because this alternative adheres to B2.
+-   Bad, because it does not fullfill the B1 decision driver.

src/Altinn.App.Api/Altinn.App.Api.csproj

@@ -11,6 +11,7 @@
 
     <!-- SonarCloud requires a ProjectGuid to separate projects. -->
     <ProjectGuid>{E8F29FE8-6B62-41F1-A08C-2A318DD08BB4}</ProjectGuid>
+    <DebugType>portable</DebugType>
   </PropertyGroup>
 
   <ItemGroup>

src/Altinn.App.Api/Controllers/ActionsController.cs

@@ -60,6 +60,7 @@ IAuthenticationContext authenticationContext
     /// <param name="instanceOwnerPartyId">unique id of the party that this the owner of the instance</param>
     /// <param name="instanceGuid">unique id to identify the instance</param>
     /// <param name="actionRequest">user action request</param>
+    /// <param name="ct">Cancellation token, populated by the framework</param>
     /// <param name="language">The currently used language by the user (or null if not available)</param>
     /// <returns><see cref="UserActionResponse"/></returns>
     [HttpPost]
@@ -75,6 +76,7 @@ public async Task<ActionResult<UserActionResponse>> Perform(
         [FromRoute] int instanceOwnerPartyId,
         [FromRoute] Guid instanceGuid,
         [FromBody] UserActionRequest actionRequest,
+        CancellationToken ct,
         [FromQuery] string? language = null
     )
     {
@@ -134,7 +136,8 @@ public async Task<ActionResult<UserActionResponse>> Perform(
             actionRequest.ButtonId,
             actionRequest.Metadata,
             language,
-            currentAuth
+            currentAuth,
+            actionRequest.OnBehalfOf
         );
         IUserAction? actionHandler = _userActionService.GetActionHandler(action);
         if (actionHandler is null)
@@ -152,7 +155,7 @@ public async Task<ActionResult<UserActionResponse>> Perform(
             );
         }
 
-        UserActionResult result = await actionHandler.HandleAction(userActionContext);
+        UserActionResult result = await actionHandler.HandleAction(userActionContext, ct);
 
         if (result.ResultType is ResultType.Failure)
         {

src/Altinn.App.Api/Controllers/ProcessController.cs

@@ -10,8 +10,8 @@
 using Altinn.App.Core.Internal.Process.Elements;
 using Altinn.App.Core.Internal.Process.Elements.AltinnExtensionProperties;
 using Altinn.App.Core.Internal.Validation;
-using Altinn.App.Core.Models;
 using Altinn.App.Core.Models.Process;
+using Altinn.App.Core.Models.UserAction;
 using Altinn.App.Core.Models.Validation;
 using Altinn.Platform.Storage.Interface.Models;
 using Microsoft.AspNetCore.Authorization;
@@ -40,6 +40,7 @@ public class ProcessController : ControllerBase
     private readonly IProcessEngine _processEngine;
     private readonly IProcessReader _processReader;
     private readonly InstanceDataUnitOfWorkInitializer _instanceDataUnitOfWorkInitializer;
+    private readonly IProcessEngineAuthorizer _processEngineAuthorizer;
 
     /// <summary>
     /// Initializes a new instance of the <see cref="ProcessController"/>
@@ -52,7 +53,8 @@ public ProcessController(
         IAuthorizationService authorization,
         IProcessReader processReader,
         IProcessEngine processEngine,
-        IServiceProvider serviceProvider
+        IServiceProvider serviceProvider,
+        IProcessEngineAuthorizer processEngineAuthorizer
     )
     {
         _logger = logger;
@@ -63,6 +65,7 @@ IServiceProvider serviceProvider
         _processReader = processReader;
         _processEngine = processEngine;
         _instanceDataUnitOfWorkInitializer = serviceProvider.GetRequiredService<InstanceDataUnitOfWorkInitializer>();
+        _processEngineAuthorizer = processEngineAuthorizer;
     }
 
     /// <summary>
@@ -275,6 +278,7 @@ [FromRoute] Guid instanceGuid
     /// <param name="app">application identifier which is unique within an organisation</param>
     /// <param name="instanceOwnerPartyId">unique id of the party that is the owner of the instance</param>
     /// <param name="instanceGuid">unique id to identify the instance</param>
+    /// <param name="ct">Cancellation token, populated by the framework</param>
     /// <param name="elementId">obsolete: alias for action</param>
     /// <param name="language">Signal the language to use for pdf generation, error messages...</param>
     /// <param name="processNext">The body of the request containing possible actions to perform before advancing the process</param>
@@ -287,6 +291,7 @@ public async Task<ActionResult<AppProcessState>> NextElement(
         [FromRoute] string app,
         [FromRoute] int instanceOwnerPartyId,
         [FromRoute] Guid instanceGuid,
+        CancellationToken ct,
         [FromQuery] string? elementId = null,
         [FromQuery] string? language = null,
         [FromBody] ProcessNext? processNext = null
@@ -329,16 +334,7 @@ public async Task<ActionResult<AppProcessState>> NextElement(
                 );
             }
 
-            string checkedAction = EnsureActionNotTaskType(processNext?.Action ?? altinnTaskType);
-
-            bool authorized = await AuthorizeAction(
-                checkedAction,
-                org,
-                app,
-                instanceOwnerPartyId,
-                instanceGuid,
-                currentTaskId
-            );
+            bool authorized = await _processEngineAuthorizer.AuthorizeProcessNext(instance, processNext?.Action);
 
             if (!authorized)
             {
@@ -347,22 +343,47 @@ public async Task<ActionResult<AppProcessState>> NextElement(
                     new ProblemDetails()
                     {
                         Status = StatusCodes.Status403Forbidden,
-                        Detail = $"User is not authorized to perform action {checkedAction} on task {currentTaskId}",
+                        Detail =
+                            $"User is not authorized to perform process next. Task ID: {currentTaskId}. Task type: {altinnTaskType}. Action: {processNext?.Action ?? "none"}.",
                         Title = "Unauthorized",
                     }
                 );
             }
 
-            _logger.LogDebug("User is authorized to perform action {Action}", checkedAction);
+            _logger.LogDebug(
+                "User successfully authorized to perform process next. Task ID: {CurrentTaskId}. Task type: {AltinnTaskType}. Action: {ProcessNextAction}.",
+                currentTaskId,
+                altinnTaskType,
+                LogSanitizer.Sanitize(processNext?.Action ?? "none")
+            );
+
+            string checkedAction = processNext?.Action ?? ConvertTaskTypeToAction(altinnTaskType);
 
             var request = new ProcessNextRequest()
             {
                 Instance = instance,
                 User = User,
                 Action = checkedAction,
+                ActionOnBehalfOf = processNext?.ActionOnBehalfOf,
                 Language = language,
             };
 
+            if (processNext?.Action is not null)
+            {
+                UserActionResult userActionResult = await _processEngine.HandleUserAction(request, ct);
+                if (userActionResult.ResultType is ResultType.Failure)
+                {
+                    var failedUserActionResult = new ProcessChangeResult()
+                    {
+                        Success = false,
+                        ErrorMessage = $"Action handler for action {request.Action} failed!",
+                        ErrorType = userActionResult.ErrorType,
+                    };
+
+                    return GetResultForError(failedUserActionResult);
+                }
+            }
+
             // If the action is 'reject' the task is being abandoned, and we should skip validation, but only if reject has been allowed for the task in bpmn.
             if (checkedAction == "reject" && _processReader.IsActionAllowedForTask(currentTaskId, checkedAction))
             {
@@ -521,17 +542,9 @@ instance.Process.EndEvent is null
             && counter++ < MaxIterationsAllowed
         )
         {
-            string altinnTaskType = EnsureActionNotTaskType(instance.Process.CurrentTask.AltinnTaskType);
+            bool authorizeProcessNext = await _processEngineAuthorizer.AuthorizeProcessNext(instance);
 
-            bool authorized = await AuthorizeAction(
-                altinnTaskType,
-                org,
-                app,
-                instanceOwnerPartyId,
-                instanceGuid,
-                instance.Process.CurrentTask.ElementId
-            );
-            if (!authorized)
+            if (!authorizeProcessNext)
             {
                 return Forbid();
             }
@@ -552,7 +565,7 @@ instance.Process.EndEvent is null
                 {
                     Instance = instance,
                     User = User,
-                    Action = altinnTaskType,
+                    Action = ConvertTaskTypeToAction(instance.Process.CurrentTask.AltinnTaskType),
                     Language = language,
                 };
                 var result = await _processEngine.Next(request);
@@ -704,30 +717,12 @@ private ObjectResult ExceptionResponse(Exception exception, string message)
         );
     }
 
-    private async Task<bool> AuthorizeAction(
-        string action,
-        string org,
-        string app,
-        int instanceOwnerPartyId,
-        Guid instanceGuid,
-        string? taskId = null
-    )
-    {
-        return await _authorization.AuthorizeAction(
-            new AppIdentifier(org, app),
-            new InstanceIdentifier(instanceOwnerPartyId, instanceGuid),
-            HttpContext.User,
-            action,
-            taskId
-        );
-    }
-
     private async Task<List<UserAction>> AuthorizeActions(List<AltinnAction> actions, Instance instance)
     {
         return await _authorization.AuthorizeActions(instance, HttpContext.User, actions);
     }
 
-    private static string EnsureActionNotTaskType(string actionOrTaskType)
+    private static string ConvertTaskTypeToAction(string actionOrTaskType)
     {
         switch (actionOrTaskType)
         {
@@ -736,6 +731,8 @@ private static string EnsureActionNotTaskType(string actionOrTaskType)
                 return "write";
             case "confirmation":
                 return "confirm";
+            case "signing":
+                return "sign";
             default:
                 // Not any known task type, so assume it is an action type
                 return actionOrTaskType;