OAuth 2.0 and authentication

While OAuth 2.0 is not an authentication protocol, Dataporten offers a simple and convenient userinfo endpoint providing basic information about the end user.

The endpoint will return information about the user depending on the scopes the application has.

The userinfo endpoint is:

https://auth.dataporten.no/userinfo

Here is an example request, followed by the response:

GET /userinfo HTTP/1.1
Host: auth.dataporten.no
Authorization: Bearer 083a7ef0-ea97-49ec-8804-379dc1e9b54c

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8

{
    "user": {
        "userid": "76a7a061-3c55-430d-8ee0-6f82ec42501f",
        "userid_sec": ["feide:andreas@uninett.no"],
        "name": "Andreas \u00c5kre Solberg",
        "email": "andreas.solberg@uninett.no",
        "profilephoto": "p:a3019954-902f-45a3-b4ee-bca7b48ab507"
    },
    "audience": "e8160a77-58f8-4006-8ee5-ab64d17a5b1e"
}

When using the userinfo endpoint to authenticate the user, the application MUST verify that the audience property matches the client id of the application.

With only the profile and userid scopes, the accessible user properties become:

{
    "userid": "76a7a061-3c55-430d-8ee0-6f82ec42501f",
    "profilephoto": "p:a3019954-902f-45a3-b4ee-bca7b48ab507",
    "name": "Andreas \u00c5kre Solberg"
}

User Profile photo

If the application has obtained the profilephoto public handle of the user, the application may fetch the profile photo from:

https://api.dataporten.no/userinfo/v1/user/media/{profilephoto handle}

For example: https://api.dataporten.no/userinfo/v1/user/media/p:a3019954-902f-45a3-b4ee-bca7b48ab507

The profile photo is often square, 128 x 128 px. If the original dimensions are not 1:1, the longest edge will be 128 px and the other edge shorter, preserving the original aspect ratio.
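The audience check required above, the scope-dependent user properties and the profile photo URL, combined in an added Python example (this is not Dataporten's own code; the function names, the error type and the handling of properties missing for lack of scope are assumptions):

```python
"""Login helper for the Dataporten userinfo endpoint (added example)."""
import json
import urllib.request

USERINFO_ENDPOINT = "https://auth.dataporten.no/userinfo"
PHOTO_ENDPOINT = "https://api.dataporten.no/userinfo/v1/user/media/"

class UserinfoError(Exception):
    """The userinfo response must not be used to log the user in."""

def fetch_userinfo(access_token: str) -> dict:
    """GET /userinfo with a bearer token; urllib verifies the TLS certificate by default."""
    req = urllib.request.Request(
        USERINFO_ENDPOINT, headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))

def audience_matches(payload: dict, client_id: str) -> bool:
    """True only if audience is a string equal to this application's own client id."""
    return isinstance(payload.get("audience"), str) and payload["audience"] == client_id

def authenticate_from_userinfo(payload: dict, client_id: str) -> dict:
    """Build a login record, refusing a response that was issued to another client."""
    if not audience_matches(payload, client_id):
        raise UserinfoError("audience does not match this application's client id")
    user = payload.get("user")
    if not isinstance(user, dict) or not isinstance(user.get("userid"), str):
        raise UserinfoError("response carries no usable userid")
    # email and userid_sec need extra scopes: they are None / [] when the
    # access token only carries the profile and userid scopes.
    photo = user.get("profilephoto")
    return {
        "userid": user["userid"],
        "name": user.get("name"),
        "email": user.get("email"),
        "secondary_ids": list(user.get("userid_sec", [])),
        "photo_url": PHOTO_ENDPOINT + photo if photo else None,
    }

SAMPLE_RESPONSE = {  # constructed: the full-scope response shown earlier on this page
    "user": {"userid": "76a7a061-3c55-430d-8ee0-6f82ec42501f",
             "userid_sec": ["feide:andreas@uninett.no"],
             "name": "Andreas \u00c5kre Solberg",
             "email": "andreas.solberg@uninett.no",
             "profilephoto": "p:a3019954-902f-45a3-b4ee-bca7b48ab507"},
    "audience": "e8160a77-58f8-4006-8ee5-ab64d17a5b1e",
}
```

In a real login flow, pass the parsed result of fetch_userinfo() together with your registered client id into authenticate_from_userinfo() and only create the local session when it returns.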

Extended userinfo from Feide directories

A separate userinfo endpoint is available for extracting more details directly from the user's Feide directory. This is only available for Feide users. You will need to contact UNINETT (kontakt@uninett.no) to request access to the special scopes required to extract information from this endpoint.

The data structure at this endpoint is very similar to the attribute set returned from Feide in the SAML 2.0 Response.

More information will be added later. This part of the documentation is still limited; stay tuned for updates, and please send us a request if you need more information.

OpenID Connect

OpenID Connect is a simple authentication/identity layer on top of OAuth 2.0. It is a relatively new protocol with significant momentum and a promising future.

More about using OpenID Connect

Security considerations

Please read the OAuth 2.0 Security Advisory section.

  • Be careful to register only real, protected redirect_uri values.
  • Use the state parameter in the authorization request to link the response to the request.
  • Make sure you validate the audience property.
  • Validate the TLS certificate of the token endpoint and the userinfo endpoint.
  • Consider OpenID Connect to further increase the security of authentication.

Logout

In the application, include a logout link that performs the following:

  • First, kills the local session for the current user.
  • Then, redirects the user to https://auth.dataporten.no/logout.
  • The user is then automatically logged out from the Dataporten core platform as well as from the authentication source (Feide, IDporten or similar), and is shown a page confirming that the logout succeeded.
  • Note that the end user will not be automatically logged out from other Dataporten applications.

Contact kontakt@uninett.no to obtain test users (username and password) for testing your application.