SFM-id for multi-tenant clients

Context: Sentral forskrivningsmodul (SFM) uses the mechanism SFM-id for single-tenant clients using HelseID.

This document describes how a multi-tenant client can use the same mechanism.

Submission of SFM-id

Multi-tenant clients can submit a structured claim in their request to HelseID. This claim can be sent either

  1. as a part of a Request object when making calls to the PAR endpoint (or the Authorization endpoint if the client has not yet adopted PAR), or
  2. as a part of the client_assertion when making calls to the Token endpoint.

The structured claim is composed as follows:

{
  "type": "nhn:sfm:journal-id",
  "value": {
     "journal_id": "1231231234-34213412-432423-4233"
  }
}

The value for type must always be nhn:sfm:journal-id, and the value for $.value.journal_id must be a UUID.

Note that the type nhn:sfm:journal-id uses hyphens, while the claim name journal_id uses an underscore.

Example call to HelseID

When submitting information in the Request object, the client must use the authorization_details claim:

"authorization_details":
[
  {
    "type": "nhn:sfm:journal-id",
    "value": {
      "journal_id": "ed30a6a5-4834-40be-a32b-1e4f5217e378"
    }
  },
  {
    "type": "helseid_authorization",
    "practitioner_role": {
      "organization": {
        "identifier": {
          "system": "urn:oid:1.0.6523",
          "type": "ENH",
          "value": "NO:ORGNR:<consumer organization number>:<consumer child organization number>"
        }
      }
    }
  }
]

When submitting information in client_assertion, the client should replace the claim type authorization_details with assertion_details, although authorization_details will still be accepted. Be aware that submitting both authorization_details and assertion_details is not allowed.
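The two submission paths above, together with the rules from "Submission of SFM-id" and the "not both" rule, as an added Python example that is not HelseID's or SFM's own code. The organization numbers, the helper names and the receiver-side check_details function are assumptions for illustration; scope checks (invalid_scope) are not modelled.

```python
# Added example; not code from HelseID or SFM. Builds the structured
# nhn:sfm:journal-id claim and applies this page's validation rules (stdlib only).
import uuid

SFM_TYPE = "nhn:sfm:journal-id"      # hyphens in the type ...
JOURNAL_KEY = "journal_id"           # ... underscore in the claim name
ORG_TYPE = "helseid_authorization"

def is_uuid(value) -> bool:
    """Strict UUID check: uuid.UUID() alone also accepts braces and urn: prefixes."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, TypeError, AttributeError):
        return False

def sfm_journal_claim(journal_id: str) -> dict:
    """The structured claim from 'Submission of SFM-id'; rejects non-UUID ids."""
    if not is_uuid(journal_id):
        raise ValueError(f"{JOURNAL_KEY} must be a UUID: {journal_id!r}")
    return {"type": SFM_TYPE, "value": {JOURNAL_KEY: journal_id}}

def org_claim(orgnr: str, child_orgnr: str) -> dict:
    """helseid_authorization entry; the org numbers are caller-supplied placeholders."""
    return {"type": ORG_TYPE, "practitioner_role": {"organization": {"identifier": {
        "system": "urn:oid:1.0.6523", "type": "ENH",
        "value": f"NO:ORGNR:{orgnr}:{child_orgnr}"}}}}

def details_claims(journal_id, orgnr, child_orgnr, in_client_assertion: bool) -> dict:
    """Claims for the Request object (PAR/authorize) or, with
    in_client_assertion=True, for the client_assertion (Token endpoint)."""
    key = "assertion_details" if in_client_assertion else "authorization_details"
    return {key: [sfm_journal_claim(journal_id), org_claim(orgnr, child_orgnr)]}

def check_details(claims: dict):
    """Hypothetical receiver-side check mirroring the rules on this page.
    Returns (journal_id, None) for a valid SFM-id, (None, None) when no SFM-id
    was submitted, or (None, "invalid_request") when the content is incorrect."""
    present = [k for k in ("authorization_details", "assertion_details") if k in claims]
    if len(present) > 1:                      # sending both is not allowed
        return None, "invalid_request"
    entries = [e for e in (claims[present[0]] if present else [])
               if isinstance(e, dict) and e.get("type") == SFM_TYPE]
    if not entries:
        return None, None
    value = entries[0].get("value")
    journal_id = value.get(JOURNAL_KEY) if isinstance(value, dict) else None
    if not is_uuid(journal_id):               # $.value.journal_id must be a UUID
        return None, "invalid_request"
    return journal_id, None                   # ends up in the access token as SFM_TYPE
```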

Claim in token

The resulting claim from HelseID (in the access token) looks like this:

{
  ...
  "nhn:sfm:journal-id" : "ed30a6a5-4834-40be-a32b-1e4f5217e378",
  ...
}

Error Messages

HelseID validates the values in the call to either the Token endpoint or the PAR endpoint, and will return HTTP code 400 (Bad Request) with error message invalid_request if the content is incorrect.

If the client does not have access to the scope nhn:sfm:journal-id, HelseID will return HTTP code 400 (Bad Request) with error message invalid_scope.

See the document Error Messages for descriptions of typical error messages from HelseID.