Technical documentation
In the links below, you will find documents containing the technical documentation for HelseID:
- Identity providers: Manage logging into HelseID
- Client patterns (single- or multi-tenant)
- Technical reference:
  - Technical mechanisms
  - The profile for Tillitsrammeverk
Usage patterns
This scenario applies if you only need to log in a user through HelseID and use the returned ID Token for authentication or authorization.
In this case, you need a logged-in user through the use of the OpenID Connect protocol, and you must use the authorization code flow against HelseID. You can find sample code for this pattern at this site.
A special case
This scenario applies if you are going to consume one or more REST APIs that do not require user login, and that are secured with HelseID. Examples of this are
- Persontjenesten
- Helseindikator or Careplan in Kjernejournal
- A proprietary REST API
In this case, you do not need a logged-in user, and you can use the Client Credentials flow against HelseID. You can find sample code for this pattern at this site.
Special case
- A few APIs in NHN require organization numbers with sub units. You can add an additional claim containing the organization number of a sub unit using this mechanism.
This scenario applies if you are going to consume one or more REST APIs that require user login, and which are secured with HelseID.
In this case, you need a logged-in user through the use of the OpenID Connect protocol, and you must use the authorization code flow against HelseID. You can find sample code for this pattern at this site.
Special cases
- You can use a smart card in order to log in a user. HelseID supports the use of both Buypass and Commfides.
- If you want to call two different APIs within the same login session, you can use this mechanism to obtain a downscaled Access Token for each API.
- A few APIs in NHN require organization numbers with sub units. You can add an additional claim containing the organization number of a sub unit using this mechanism.
This scenario applies if you want to protect access to a (possibly proprietary) REST API using HelseID. You can see a simple example of how it is done in our sample code.
Use of DPoP (Demonstrating Proof of Possession) is mandatory for new APIs that will use HelseID. Read more about this in this document.
Special cases
- If you need to call a back-end REST API, you can use the Token Exchange method.
- We recommend that you do not use a child organization number from the Access Token as an access control mechanism.
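Since DPoP is mandatory for new APIs protected by HelseID, the following added example (written for this page, not HelseID's own sample code) shows the binding checks a resource server performs on a DPoP proof according to RFC 9449: the proof must match the HTTP method and URL, be fresh, carry the hash of the presented access token, use the key named by the token's cnf.jkt claim, and not be replayed. Verifying the proof JWT's signature with the public key in its own header is assumed to be done beforehand by a JOSE library and is not repeated here; the sample key coordinates, token and URL are constructed values.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def access_token_hash(access_token: str) -> str:
    """The 'ath' value a proof must carry: base64url(SHA-256(access token))."""
    return b64url(hashlib.sha256(access_token.encode("ascii")).digest())

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, lexically ordered, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

class DPoPValidator:
    # Binding checks only; the proof signature is assumed verified by a JOSE library.
    def __init__(self, max_age: int = 60):
        self.max_age = max_age
        self.seen_jti: dict = {}  # jti -> expiry; must be shared across nodes in a cluster

    def check(self, header, payload, access_token, token_claims, method, url, now) -> str:
        if header.get("typ") != "dpop+jwt" or "jwk" not in header:
            return "bad proof header"
        # RFC 9449: htu is compared without query string and fragment
        if payload.get("htm") != method or payload.get("htu") != url.split("#")[0].split("?")[0]:
            return "proof not bound to this request"
        if abs(now - payload.get("iat", 0)) > self.max_age:
            return "proof outside acceptable time window"
        if payload.get("ath") != access_token_hash(access_token):
            return "proof not bound to this access token"
        # cnf.jkt in the access token must name the key that signed the proof
        if token_claims.get("cnf", {}).get("jkt") != jwk_thumbprint(header["jwk"]):
            return "token bound to a different key"
        self.seen_jti = {j: e for j, e in self.seen_jti.items() if e > now}  # drop expired entries
        jti = payload.get("jti")
        if not jti or jti in self.seen_jti:
            return "proof replayed"
        self.seen_jti[jti] = now + self.max_age
        return "ok"

# Constructed sample key; the coordinates are illustrative, not a real HelseID key
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
```

A failed check must be answered with 401 and a `WWW-Authenticate: DPoP` challenge rather than falling back to accepting the token as a bearer token.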