Remove self identified users as a special case in Authenticated (#1241)

Author: martinothamar

src/Altinn.App.Api/Controllers/ActionsController.cs

@@ -109,7 +109,6 @@ public async Task<ActionResult<UserActionResponse>> Perform(
         {
             case Authenticated.User:
             case Authenticated.SystemUser:
-            case Authenticated.SelfIdentifiedUser:
                 break;
             default:
                 return Unauthorized();

src/Altinn.App.Api/Controllers/AuthorizationController.cs

@@ -79,16 +79,6 @@ public async Task<ActionResult> GetCurrentParty(bool returnPartyObject = false)
                 }
                 return Ok(reportee.PartyId);
             }
-            case Authenticated.SelfIdentifiedUser selfIdentified:
-            {
-                var details = await selfIdentified.LoadDetails();
-                if (returnPartyObject)
-                {
-                    return Ok(details.Party);
-                }
-
-                return Ok(details.Party.PartyId);
-            }
             case Authenticated.Org org:
             {
                 var details = await org.LoadDetails();

src/Altinn.App.Api/Controllers/PartiesController.cs

@@ -49,12 +49,6 @@ public async Task<IActionResult> Get(string org, string app, bool allowedToInsta
                 var details = await user.LoadDetails(validateSelectedParty: false);
                 return allowedToInstantiateFilter ? Ok(details.PartiesAllowedToInstantiate) : Ok(details.Parties);
             }
-            case Authenticated.SelfIdentifiedUser selfIdentified:
-            {
-                var details = await selfIdentified.LoadDetails();
-                IReadOnlyList<Party> parties = [details.Party];
-                return Ok(parties);
-            }
             case Authenticated.Org orgInfo:
             {
                 var details = await orgInfo.LoadDetails();
@@ -123,34 +117,6 @@ public async Task<IActionResult> ValidateInstantiation(string org, string app, [
 
                 return Ok(new InstantiationValidationResult { Valid = true });
             }
-            case Authenticated.SelfIdentifiedUser auth:
-            {
-                var details = await auth.LoadDetails();
-                if (details.Party.PartyId != partyId)
-                {
-                    return Ok(
-                        new InstantiationValidationResult
-                        {
-                            Valid = false,
-                            Message = "The user does not represent the supplied party",
-                            ValidParties = new List<Party> { details.Party },
-                        }
-                    );
-                }
-                if (!details.CanInstantiate)
-                {
-                    return Ok(
-                        new InstantiationValidationResult
-                        {
-                            Valid = false,
-                            Message = "The supplied party is not allowed to instantiate the application",
-                            ValidParties = new List<Party> { details.Party },
-                        }
-                    );
-                }
-
-                return Ok(new InstantiationValidationResult { Valid = true });
-            }
             case Authenticated.Org auth:
             {
                 var details = await auth.LoadDetails();
@@ -241,19 +207,6 @@ public async Task<IActionResult> UpdateSelectedParty(int partyId)
 
                 return Ok("Party successfully updated");
             }
-            case Authenticated.SelfIdentifiedUser auth:
-            {
-                if (auth.PartyId != partyId)
-                    return BadRequest($"User {auth.UserId} cannot represent party {partyId}.");
-
-                Response.Cookies.Append(
-                    _settings.GetAltinnPartyCookieName,
-                    partyId.ToString(CultureInfo.InvariantCulture),
-                    new CookieOptions { Domain = _settings.HostName }
-                );
-
-                return Ok("Party successfully updated");
-            }
             case Authenticated.Org auth:
             {
                 var details = await auth.LoadDetails();

src/Altinn.App.Api/Controllers/ProfileController.cs

@@ -37,11 +37,6 @@ public async Task<ActionResult> GetUser()
                 var details = await user.LoadDetails(validateSelectedParty: false);
                 return Ok(details.Profile);
             }
-            case Authenticated.SelfIdentifiedUser selfIdentifiedUser:
-            {
-                var details = await selfIdentifiedUser.LoadDetails();
-                return Ok(details.Profile);
-            }
             default:
                 return BadRequest($"Unknown authentication context: {context.GetType().Name}");
         }

src/Altinn.App.Api/Controllers/StatelessDataController.cs

@@ -347,7 +347,6 @@ public async Task<ActionResult> PostAnonymous([FromQuery] string dataType, [From
             Party? party = currentAuth switch
             {
                 Authenticated.User auth => await auth.LookupSelectedParty(),
-                Authenticated.SelfIdentifiedUser auth => (await auth.LoadDetails()).Party,
                 Authenticated.Org auth => (await auth.LoadDetails()).Party,
                 Authenticated.ServiceOwner auth => (await auth.LoadDetails()).Party,
                 Authenticated.SystemUser auth => (await auth.LoadDetails()).Party,

src/Altinn.App.Core/Features/Action/SigningUserAction.cs

@@ -51,12 +51,7 @@ IAppMetadata appMetadata
     /// <exception cref="ApplicationConfigException"></exception>
     public async Task<UserActionResult> HandleAction(UserActionContext context)
     {
-        if (
-            context.Authentication
-            is not Authenticated.User
-                and not Authenticated.SelfIdentifiedUser
-                and not Authenticated.SystemUser
-        )
+        if (context.Authentication is not Authenticated.User and not Authenticated.SystemUser)
         {
             return UserActionResult.FailureResult(
                 error: new ActionError() { Code = "NoUserId", Message = "User id is missing in token" },
@@ -157,8 +152,6 @@ private static async Task<Signee> GetSignee(UserActionContext context)
                     OrganisationNumber = userProfile.Party.OrgNumber,
                 };
             }
-            case Authenticated.SelfIdentifiedUser selfIdentifiedUser:
-                return new Signee { UserId = selfIdentifiedUser.UserId.ToString(CultureInfo.InvariantCulture) };
             case Authenticated.SystemUser systemUser:
                 return new Signee
                 {

src/Altinn.App.Core/Features/Action/UniqueSignatureAuthorizer.cs

@@ -83,8 +83,6 @@ public async Task<bool> AuthorizeAction(UserActionAuthorizerContext context)
                 bool unauthorized = context.Authentication switch
                 {
                     Authenticated.User a => a.UserId.ToString(CultureInfo.InvariantCulture) == signee?.UserId,
-                    Authenticated.SelfIdentifiedUser a => a.UserId.ToString(CultureInfo.InvariantCulture)
-                        == signee?.UserId,
                     Authenticated.SystemUser a => a.SystemUserId[0] == signee?.SystemUserId,
                     _ => false,
                 };

src/Altinn.App.Core/Features/Auth/Authenticated.cs

@@ -58,13 +58,12 @@ public async Task<string> GetLanguage()
     {
         string language = LanguageConst.Nb;
 
-        if (this is not User and not SelfIdentifiedUser)
+        if (this is not User)
             return language;
 
         var profile = this switch
         {
             User user => await user.LookupProfile(),
-            SelfIdentifiedUser selfIdentifiedUser => (await selfIdentifiedUser.LoadDetails()).Profile,
             _ => throw new InvalidOperationException($"Unexpected case: {this.GetType().Name}"),
         };
 
@@ -93,13 +92,23 @@ public sealed class User : Authenticated
         /// </summary>
         public int UserId { get; }
 
+        /// <summary>
+        /// Username of the registered user, only relevant for self-identified/self-registered users.
+        /// E.g. BankID doesn't operate based on usernames, so this property would be null in that case.
+        /// </summary>
+        public string? Username { get; }
+
         /// <summary>
         /// Party ID
         /// </summary>
         public int UserPartyId { get; }
 
         /// <summary>
         /// The party the user has selected through party selection
+        /// If the current request is related to an active instance, this value is not relevant.
+        /// The selected party ID is always whatever the user has selected in the party selection screen.
+        /// Party selection is used for instantiating new instances. The selected party ID becomes the instance owner party ID
+        /// when instantiating.
         /// </summary>
         public int SelectedPartyId { get; }
 
@@ -118,6 +127,11 @@ public sealed class User : Authenticated
         /// </summary>
         public bool InAltinnPortal { get; }
 
+        /// <summary>
+        /// True if the user is self-identified/self-registered.
+        /// </summary>
+        public bool IsSelfIdentified => AuthenticationLevel == 0;
+
         private Details? _extra;
         private readonly Func<int, Task<UserProfile?>> _getUserProfile;
         private readonly Func<int, Task<Party?>> _lookupParty;
@@ -127,6 +141,7 @@ public sealed class User : Authenticated
 
         internal User(
             int userId,
+            string? username,
             int userPartyId,
             int authenticationLevel,
             string authenticationMethod,
@@ -136,6 +151,7 @@ ref ParseContext context
             : base(ref context)
         {
             UserId = userId;
+            Username = username;
             UserPartyId = userPartyId;
             SelectedPartyId = selectedPartyId;
             AuthenticationLevel = authenticationLevel;
@@ -307,90 +323,6 @@ await _getUserProfile(UserId)
         }
     }
 
-    /// <summary>
-    /// The logged in client is a user (e.g. Altinn portal/ID-porten) with auth level 0.
-    /// This means that the user has authenticated with a username/password, which can happen using
-    /// * Altinn "self registered users"
-    /// * ID-porten through Ansattporten ("low"), MinID self registered eID
-    /// These have limited access to Altinn and can only represent themselves.
-    /// </summary>
-    public sealed class SelfIdentifiedUser : Authenticated
-    {
-        /// <summary>
-        /// Username
-        /// </summary>
-        public string Username { get; }
-
-        /// <summary>
-        /// User ID
-        /// </summary>
-        public int UserId { get; }
-
-        /// <summary>
-        /// Party ID
-        /// </summary>
-        public int PartyId { get; }
-
-        /// <summary>
-        /// Method of authentication, e.g. "idporten" or "maskinporten"
-        /// </summary>
-        public string AuthenticationMethod { get; }
-
-        private Details? _extra;
-        private readonly Func<int, Task<UserProfile?>> _getUserProfile;
-        private readonly ApplicationMetadata _appMetadata;
-
-        internal SelfIdentifiedUser(
-            string username,
-            int userId,
-            int partyId,
-            string authenticationMethod,
-            ref ParseContext context
-        )
-            : base(ref context)
-        {
-            Username = username;
-            UserId = userId;
-            PartyId = partyId;
-            AuthenticationMethod = authenticationMethod;
-            // Since they are self-identified, they are always 0
-            AuthenticationLevel = 0;
-            _getUserProfile = context.GetUserProfile;
-            _appMetadata = context.AppMetadata;
-        }
-
-        /// <summary>
-        /// Authentication level
-        /// </summary>
-        public int AuthenticationLevel { get; }
-
-        /// <summary>
-        /// Detailed information about a logged in user
-        /// </summary>
-        public sealed record Details(Party Party, UserProfile Profile, bool RepresentsSelf, bool CanInstantiate);
-
-        /// <summary>
-        /// Load the details for the current user.
-        /// </summary>
-        /// <returns></returns>
-        public async Task<Details> LoadDetails()
-        {
-            if (_extra is not null)
-                return _extra;
-
-            var userProfile =
-                await _getUserProfile(UserId)
-                ?? throw new AuthenticationContextException(
-                    $"Could not get user profile for logged in self identified user: {UserId}"
-                );
-
-            var party = userProfile.Party;
-            var canInstantiate = InstantiationHelper.IsPartyAllowedToInstantiate(party, _appMetadata.PartyTypesAllowed);
-            _extra = new Details(party, userProfile, RepresentsSelf: true, canInstantiate);
-            return _extra;
-        }
-    }
-
     /// <summary>
     /// The logged in client is an organisation (but they have not authenticated as an Altinn service owner).
     /// Authentication has been done through Maskinporten.
@@ -690,13 +622,6 @@ internal static Authenticated FromLocalTest(
             throw new AuthenticationContextException("Missing party ID for user token");
 
         ParseAuthLevel(context.AuthLevelClaim, out authLevel);
-        if (authLevel == 0)
-        {
-            if (!context.UsernameClaim.IsValidString(out var usernameClaimValue))
-                throw new AuthenticationContextException("Missing username claim for self-identified user token");
-
-            return new SelfIdentifiedUser(usernameClaimValue, userId, partyId.Value, "localtest", ref context);
-        }
 
         int selectedPartyId = partyId.Value;
         if (getSelectedParty() is { } selectedPartyStr)
@@ -706,8 +631,17 @@ internal static Authenticated FromLocalTest(
 
             selectedPartyId = selectedParty;
         }
-
-        return new User(userId, partyId.Value, authLevel, "localtest", selectedPartyId, ref context);
+        context.UsernameClaim.IsValidString(out var usernameClaimValue);
+
+        return new User(
+            userId,
+            usernameClaimValue,
+            partyId.Value,
+            authLevel,
+            "localtest",
+            selectedPartyId,
+            ref context
+        );
     }
 
     internal record struct ParseContext(
@@ -936,7 +870,7 @@ internal static Authenticated From(
         return NewUser(ref context);
     }
 
-    static Authenticated NewUser(ref ParseContext context)
+    static Authenticated.User NewUser(ref ParseContext context)
     {
         if (!context.UserIdClaim.Exists)
             throw new AuthenticationContextException("Missing user ID claim for user token");
@@ -959,19 +893,6 @@ static Authenticated NewUser(ref ParseContext context)
             throw new AuthenticationContextException("Missing or invalid authentication method claim for user token");
 
         ParseAuthLevel(context.AuthLevelClaim, out var authLevel);
-        if (authLevel == 0)
-        {
-            if (!context.UsernameClaim.IsValidString(out var usernameClaimValue))
-                throw new AuthenticationContextException("Missing username claim for self-identified user token");
-
-            return new SelfIdentifiedUser(
-                usernameClaimValue,
-                userId.Value,
-                partyId.Value,
-                authMethodClaimValue,
-                ref context
-            );
-        }
 
         int selectedPartyId = partyId.Value;
         if (context.GetSelectedParty() is { } selectedPartyStr)
@@ -982,7 +903,17 @@ ref context
             selectedPartyId = selectedParty;
         }
 
-        return new User(userId.Value, partyId.Value, authLevel, authMethodClaimValue, selectedPartyId, ref context);
+        context.UsernameClaim.IsValidString(out var usernameClaimValue);
+
+        return new User(
+            userId.Value,
+            usernameClaimValue,
+            partyId.Value,
+            authLevel,
+            authMethodClaimValue,
+            selectedPartyId,
+            ref context
+        );
     }
 
     static Org NewOrg(ref ParseContext context)

src/Altinn.App.Core/Features/Telemetry/TelemetryActivityExtensions.cs

@@ -373,14 +373,6 @@ internal static Activity SetProblemDetails(this Activity activity, ProblemDetail
                 activity.SetTag(Labels.UserAuthenticationInAltinnPortal, auth.InAltinnPortal);
                 break;
             }
-            case Authenticated.SelfIdentifiedUser auth:
-            {
-                activity.SetUserId(auth.UserId);
-                activity.SetUserPartyId(auth.PartyId);
-                activity.SetAuthenticationMethod(auth.AuthenticationMethod);
-                activity.SetAuthenticationLevel(auth.AuthenticationLevel);
-                break;
-            }
             case Authenticated.Org auth:
             {
                 activity.SetOrganisationNumber(auth.OrgNo);