SFM-id for multi-tenant clients
Context: Sentral forskrivningsmodul (SFM) uses the mechanism SFM-id for single-tenant clients using HelseID.
The functionality described in this document shows how a multi-tenant client can use this mechanism.
Submission of SFM-id
Clients (multi-tenant) can submit a structured claim in their request to HelseID. This claim can be sent either
- as a part of a Request object when making calls to the PAR endpoint (or the Authorization endpoint if the client has not yet adopted PAR), or
- as a part of client_assertion when making calls to the Token endpoint
The structured claim is composed as follows:
{
  "type": "nhn:sfm:journal-id",
  "value": {
    "journal_id": "1231231234-34213412-432423-4233"
  }
}
The value for type must always be nhn:sfm:journal-id, and the value for $.value.journal_id must be a UUID.
Note that the type nhn:sfm:journal-id uses a syntax with hyphens, while the claim journal_id uses a syntax with underscore.
Example call to HelseID
When submitting information in the Request object, the client must use the authorization_details claim:
"authorization_details":
[
  {
    "type": "nhn:sfm:journal-id",
    "value": {
      "journal_id": "ed30a6a5-4834-40be-a32b-1e4f5217e378"
    }
  },
  {
    "type": "helseid_authorization",
    "practitioner_role": {
      "organization": {
        "identifier": {
          "system": "urn:oid:1.0.6523",
          "type": "ENH",
          "value": "NO:ORGNR:<consumer organization number>:<consumer child organization number>"
        }
      }
    }
  }
]
When submitting information in client_assertion, the client should replace the claim type authorization_details with assertion_details, although authorization_details will still be accepted. Be aware that submitting both authorization_details and assertion_details is not allowed.
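A client-side pre-check for the rules above, written as an added example (it is not HelseID or SFM code). The helper names and sample payloads are hypothetical, and requiring the canonical hyphenated UUID form is an assumption of this example:

```python
import uuid

SFM_TYPE = "nhn:sfm:journal-id"  # required type value, hyphenated
DETAIL_CLAIMS = ("authorization_details", "assertion_details")

def is_canonical_uuid(value):
    """True only for the hyphenated 8-4-4-4-12 form.
    uuid.UUID() alone also accepts braces and bare hex, so compare round-trip."""
    try:
        return isinstance(value, str) and str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False

def check_sfm_details(claims):
    """Return the problems found in a Request object or client_assertion
    payload (hypothetical helper; an empty list means the checks passed)."""
    present = [name for name in DETAIL_CLAIMS if name in claims]
    if len(present) == 2:
        return ["authorization_details and assertion_details submitted together"]
    if not present:
        return ["no authorization_details or assertion_details claim"]
    problems, found = [], 0
    for entry in claims[present[0]]:
        etype = entry.get("type")
        if etype == "nhn:sfm:journal_id":
            problems.append("type must be written with a hyphen: " + SFM_TYPE)
        if etype != SFM_TYPE:
            continue
        found += 1
        value = entry.get("value", {})
        if "journal-id" in value:
            problems.append("claim name must be journal_id (underscore)")
        elif not is_canonical_uuid(value.get("journal_id")):
            problems.append("journal_id is not a UUID: %r" % value.get("journal_id"))
    if not found and not problems:
        problems.append("no entry of type " + SFM_TYPE)
    return problems

# Constructed sample payloads (only the relevant claims are shown).
JOURNAL = "ed30a6a5-4834-40be-a32b-1e4f5217e378"
GOOD = {"assertion_details": [{"type": SFM_TYPE, "value": {"journal_id": JOURNAL}}]}
BOTH = dict(GOOD, authorization_details=GOOD["assertion_details"])
WRONG_TYPE = {"authorization_details": [
    {"type": "nhn:sfm:journal_id", "value": {"journal_id": JOURNAL}}]}
BARE_HEX = {"authorization_details": [
    {"type": SFM_TYPE, "value": {"journal_id": JOURNAL.replace("-", "")}}]}

if __name__ == "__main__":
    for name, payload in [("GOOD", GOOD), ("BOTH", BOTH),
                          ("WRONG_TYPE", WRONG_TYPE), ("BARE_HEX", BARE_HEX)]:
        print(name, check_sfm_details(payload))
```

Running the check before signing the Request object or client_assertion catches these mistakes locally instead of through a 400 response.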
Claim in token
The claim from HelseID (in the Access token) looks like this:
{
...
"nhn:sfm:journal-id" : "ed30a6a5-4834-40be-a32b-1e4f5217e378",
...
}
Error Messages
HelseID validates the values in the call to either the Token endpoint or the PAR endpoint, and will return HTTP code 400 (Bad Request) with error message invalid_request if the content is incorrect.
If the client does not have access to the scope nhn:sfm:journal-id, HelseID will return HTTP code 400 (Bad Request) with error message invalid_scope.
See the document Error Messages for descriptions of typical error messages from HelseID.