Claims
This document references the Claims that HelseID will assign in a Token. Several of these Claim types have their origin in specifications, while others are defined according to the needs of the health sector in Norway.
Claims in Tokens
In a response to the Token Endpoint, HelseID issues two types of Token that contains Claims:
- An Access Token
- An ID Token
If the Client uses the client_credentials-flow, HelseID will only issue an Access Token.
If the Client uses the authorization_code-flow for user logon, HelseID will issue both an Access Token and an ID Token.
The ID Token is meant for the Client, the Access Token is meant for the API.
The Claims described below, will in most cases be placed in both types of Tokens.
Claims in the ID Token
Some Claims are always placed in the ID Token, others are only placed by HelseID when the Client sends scopes in the request that permits access to the Claims. These scopes are listed in the document Scopes.
Claims in the Access Token
Some Claims are always placed in the Access Token, others are only placed by HelseID when
- the Client sends in scopes that gives access to an API, and
- the API wants to use the claim in the Access Token
This implies that the Client cannot impact which Claims are placed in the Access Token, this is only decided by the Claims the API has chosen.
An example: the API "Siffer-tjeneste" requires the claims
helseid://claims/identity/pid, helseid://claims/identity/security_level, helseid://claims/hpr/hpr_number, og helseid://claims/client/claims/orgnr_parent. The API has the audience nhn:siffer-tjeneste, and one scope: nhn:siffer-tjeneste/primtall.
If a Client has access to the API siffer-tjeneste, it can use the scope nhn:siffer-tjeneste/primtall in order to retrieve an Access Token for usage against this API. The API "Siffer-tjeneste" must then inspect the Access Token and use it for authorization purposes.
Claims from HelseID that describes a logged-on user
These Claim types describes the features of a logged-on user.
| Name | Example value | Description |
|---|---|---|
helseid://claims/identity/pid |
11737291652 | Personal identifier (PID) |
helseid://claims/identity/pid_pseudonym |
Personal identifier pseudonymized with HMAC; this claim is deprecated, you should use the sub claim instead. |
|
helseid://claims/identity/security_level |
3 | The security level for which the user was logged on. Possible values are 2, 3 or 4. |
helseid://claims/identity/assurance_level |
The security level for which the user was logged on. This claim is deprecated, you should use the helseid://claims/identity/security_level claim instead, as it contains the same value as this Claim. |
|
helseid://claims/hpr/hpr_number |
181000001 | The health personnel number according to NHN’s coding standard |
helseid://claims/identity/network |
helsenett | Indicates whether an end user authenticated using a HelseID server on Internet or ’Helsenett’. Note that local infrastructure may route users from Helsenett to HelseID nodes exposed on the Internet. Possible values are ’internett’ and ’helsenett’. |
Claims from HelseID that describes a client
These Claim types describes the features of a client that has been authenticated by HelseID.
| Name | Example value | Description | Only in Access Token |
|---|---|---|---|
helseid://claims/client/client_name |
"Your client name here" | The name of the client configuration as setup in HelseID Selvbetjening. This value can be used for logging purposes in APIs, but should not be used to for access control. | |
helseid://claims/client/claims/orgnr_parent |
883974832 | The parent organization for an end user or a client. | |
helseid://claims/client/claims/orgnr_child |
892262462 | The child organization (underenhet/behandlingssted) for an end user or a client. | |
helseid://claims/client/claims/orgnr_supplier |
994598759 | For a multi-tenant system this is the organization that has received a delegation to access HelseID on behalf of an organization. | |
helseid://claims/client/client_tenancy |
multi-tenant | Indicates the type of system that requested the access token. Can have one of the following values: none, single-tenant, or multi-tenant. |
|
client_amr |
private_key_jwt | The type of secret used for authenticating the client. Possible values are client_secret or private_key_jwt. |
|
nhn:tillitsrammeverk:parameters |
A JSON structure | An "attest" from the Client, enriched with extra information from HelseID. | X |
nhn:sfm:journal-id |
ed30a6a5-4834-40be-a32b-1e4f5217e378 | A SFM-id, used by a multi tenant Client | X |
Standard claims
A token will also contain a set of standard claims originating from OpenID Connect and the JSON Web Token specification.
Claims from the OpenID Connect specification
These claims are obtained from the OpenID specification. You can find the description here. Some of the claims will only be set in the ID Token from HelseID.
| Name | Example value | Description | Only in ID Token |
|---|---|---|---|
sub |
dXAUXjEAlVsoWcYVaR+fvzuXvnWQ7CYXqvr+DMuJ/0w= | Subject - Identifier for the End-User at the Issuer. The value is a hash of the PID + salt. | |
amr |
[ "pwd" ] | Authentication Methods References. A JSON array of strings that are identifiers for the authentication methods used in the authentication. | |
auth_time |
1704116220000 | The time when the user was authenticated, described as "epoch time". | |
client_id |
eeb808a2-6e6f-42ae-849a-505432cf128f | Identifies the Client by a unique number. | |
sid |
0970F0ED60C552597BFC254150FA406D | Session ID | |
name |
FORSIKTIG IMPULSIV HANDELSMANN | Full name of the logged-on user. | |
given_name |
FORSIKTIG | The given name of the logged-on user. | |
family_name |
HANDELSMANN | The family name of the logged-on user. | |
middle_name |
IMPULSIV | The middle name of the logged-on user. | |
nonce |
63849101571...WQ4OTI4MjVkNmU3 | The nonce matches the parameter included in the original authorize request to the IDP. | X |
at_hash |
y9WtN9oBLG9q0J6NDbAHZQ | Access Token hash value | X |
s_hash |
5EpOYEdB22sp-7V9zGs4Bw | State hash value | X |
Other claim types
Most of these claims are from the JWT specification. Some of these claims are only set in the Access Token from HelseID.
| Name | Example value | Description | Only in Access Token |
|---|---|---|---|
iss |
https://helseid-sts.test.nhn.no |
Issuer | |
aud |
nhn:melde |
Audience: The name of the audience for the token. In an Access Token, this will be the name of an API, and in an ID Token, this will be a Client ID. | |
exp |
1495545339 | Expiration time for the Token, described as "epoch time". | |
nbf |
1495545039 | Not before, the Token cannot be used before this time, described as "epoch time". | |
iat |
1495545039 | Issued at time, the Token was issued at this time, described as "epoch time". | |
jti |
F4F832F0C68E24F0011F773B71CC6739 | JWT ID - unique for each token issued by a specific provider within a given time period. | |
idp |
idporten-oidc |
The identity provider that authenticated the user. | |
scope |
[ “openid”, “profile”, “read” ] | Authorization and identity scopes. | X |
cnf |
{ "jkt": "aoezvIe32RdFpTP4FIxwBYb6VGX0dp3ecvoVjFkdXQk" } |
DPoP confirmation method, as described here | X |
oldsub |
ODIALYidSBGR0dAQi0R+jXTPPR5BdEpWDKTGUKVC9YE= | The value of this claim is deprecated. The value is a hash of the client_id + PID + salt. |