Test Token Service

The Test Token Service ("test-token-tjenesten"), hereafter called TTT, is an API that is meant to simplify the use of tokens for testing purposes. With this API, you can obtain tokens that are signed with the same signing key as the "real" tokens from the HelseID test environment.

Usage Patterns

TTT offers you two different usage patterns:

  1. if you own an API and want to test authentication of valid and invalid tokens
  2. if you are a system provider and want to test access to one or more APIs that require user login

How to Use TTT

As of today, this is the procedure for using TTT. We are working on a new procedure to simplify this process.

To use the API, you must:

  • Generate a key pair (private key and public key)
  • Create a client configuration in HelseID Self Service TEST that gives you access to TTT (see below). This requires that you have user access in HelseID Self Service TEST.

Procedure in HelseID Self Service TEST:

  1. Select "Ta i bruk HelseID"
  2. Click on "Ny klientkonfigurasjon"
  3. Under "Søk etter fagsystem", search for "HelseID"
  4. Choose "HelseID TTT-klient"
  5. Tick the box for «Test-token-tjeneste…» and enter the name of the audience you wish to use test tokens with
  6. Click on "Gå videre"
  7. Click on "Nøkkelpar (avansert)"
  8. Click on "Laste opp en offentlig nøkkel"
  9. Use "Last opp fil", and add the jwk_pub.json file from the previous step
  10. Look up the client configuration you have created, and copy the Client ID value
  11. Place this client ID in the configuration file config.json under the Authentication:ClientId parameter
  12. The client configuration requires (for now) approval; you must wait for this before you can use the client.

Example of Use

Below, you will find examples of how the parameters in TTT can be adjusted. The overview shows what the JSON object sent to the endpoint in the API will look like.

For a code example of using TTT, check out TestTokenTool on GitHub.

You want to use TTT to obtain

  • a generic token
{ }
  • a token with only mandatory claims
{
  "withoutDefaultGeneralClaims": true,
  "withoutDefaultUserClaims": true
}
  • an invalid token to test an API (set only one of the possible parameters below)
{
  "signJwtWithInvalidSigningKey": true,
  "setInvalidIssuer": true,
  "setInvalidAudience": true
}
  • an expired token to test an API (set only one of the possible parameters below)
{
  "expirationParameters": {
    "setExpirationTimeAsExpired": true,
    "expirationTimeInSeconds": 300,
    "expirationTimeInDays": 0
  }
}
  • a token with a specific header
{
  "headerParameters": {
    "typ": "at+jwt"
  }
}
  • a token with specific client claims (set only those that are relevant)
{
  "issuerEnvironment": "Test",
  "generalClaimsParameters": {
    "scope": [
      "openid",
      "profile",
      "read",
      "mitt:supre:api/scope"
    ],
    "clientId": "eeb808a2-6e6f-42ae-849a-505432cf128f",
    "sfmJournalId": "ed30a6a5-4834-40be-a32b-1e4f5217e378",
    "orgnrParent": "883974832",
    "orgnrSupplier": "994598759",
    "clientTenancy": true,
    "clientAuthenticationMethodsReferences": "private_key_jwt",
    "clientName": "Mitt Klientnavn",
    "jti": "F4F832F0C68E24F0011F773B71CC6739"
  }
}
  • a token with specific user claims (set only those that are relevant)
{
  "userClaimsParameters": {
    "pid": "06828399789",
    "pidPseudonym": "PGzVzvP2JvlXV\u002B\u002BOJSJAQG5d99BH8QsikmxpdIAKSZk=",
    "hprNumber": "565505933",
    "name": "KVART GREVLING",
    "givenName": "KVART",
    "middleName": "",
    "familyName": "GREVLING",
    "identityProvider": "idporten-oidc",
    "securityLevel": "4",
    "assuranceLevel": "high",
    "network": "internett",
    "amr": "pwd",
    "subject": "PGzVzvP2JvlXV\u002B\u002BOJSJAQG5d99BH8QsikmxpdIAKSZk=",
    "sid": "0970F0ED60C552597BFC254150FA406D"
  },
  "getPersonFromPersontjenesten": true,
  "onlySetNameForPerson": true,
  "getHprNumberFromHprregisteret": true,
  "setPidPseudonym": true,
  "setSubject": true
}
  • a DPoP token
{
  "createDPoPTokenWithDPoPProof": true
}
  • a token with altered DPoP parameters (set only those that are relevant)
{
  "dPoPProofParameters": {
    "htuClaimValue": "https://eksempelapi.nhn.no/api",
    "htmClaimValue": "POST",
    "privateKeyForProofCreation": {
      "kty": "RSA",
      "n": "0VULJlIGn4SM-Y0ZTYOKSpr3KyCbVXK...mVIKTMrAvt72UphUFUkqEwM0Jat2ECuRbOC2VhhovPooYYHNRHvvpQ0",
      "e": "AQAB",
      "alg": "RS512"
    },
    "invalidDPoPProofParameters": "SetIatValueInThePast"
  }
}
  • a token using the "tillitsrammeverk"
{
  "createTillitsrammeverkClaims": true
}
  • a token with altered parameters for the "tillitsrammeverk" (set only those that are relevant)
{
  "tillitsrammeverkClaimsParameters": {
    "practitionerAuthorizationCode": "AA",
    "practitionerAuthorizationText": "",
    "practitionerLegalEntityId": "946469045",
    "practitionerLegalEntityName": "Helse Først",
    "practitionerPointOfCareId": "983658776",
    "practitionerPointOfCareName": "Sjukehus AS",
    "practitionerDepartmentId": "4206043",
    "practitionerDepartmentName": "Avdeling 4",
    "careRelationshipHealthcareServiceCode": "210",
    "careRelationshipHealthcareServiceText": "Anestesiologi",
    "careRelationshipPurposeOfUseCode": "TREAT",
    "careRelationshipPurposeOfUseText": "Behandling",
    "careRelationshipPurposeOfUseDetailsCode": "28",
    "careRelationshipPurposeOfUseDetailsText": "Digitalt tilsyn",
    "careRelationshipTracingRefId": "30F4AB40-DBC2-41A7-8AC4-181AD3FDC25B",
    "patientsPointOfCareId": "983658776",
    "patientsPointOfCareName": "Sjukehus AS",
    "patientsDepartmentId": "4206043",
    "patientsDepartmentName": "Avdeling 4"
  }
}
  • a token with one or more API specific claims
{
  "apiSpecificClaims": [
    {"type": "e-helse:sfm.api/client/claims/sfm-id", "value":"e37233c0-e649-4b70-92bd-7f1e12eac897"},
    {"type": "...", "value":"..."}
  ]
}
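
For the first usage pattern, each negative switch above should make the API under test reject the token for one specific reason. The following sketch is an added example, not code from TTT or TestTokenTool: it shows the claim-level checks those switches exercise, run over constructed payloads. The issuer, audience and freshness window are assumed placeholder values; signature verification (the check that signJwtWithInvalidSigningKey targets), the DPoP proof signature and the key binding are left to your JWT library.

```python
from urllib.parse import urlsplit

# Constructed values for the API under test (not HelseID's real identifiers).
EXPECTED_ISSUER = "https://issuer.example"
EXPECTED_AUDIENCE = "my:api"
MAX_PROOF_AGE = 60  # seconds; assumed freshness policy for DPoP proofs

def check_access_token(claims, now):
    """Return the claims that fail validation; an empty list means accept."""
    reasons = []
    if claims.get("iss") != EXPECTED_ISSUER:
        reasons.append("iss")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        reasons.append("aud")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        reasons.append("exp")
    return reasons

def _target(url):
    """Request URI as DPoP compares it: no query string, no fragment."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"

def check_dpop_proof(proof, method, url, now):
    """Check the proof claims that TTT's dPoPProofParameters can alter."""
    reasons = []
    if proof.get("htm") != method:
        reasons.append("htm")
    if _target(proof.get("htu", "")) != _target(url):
        reasons.append("htu")
    iat = proof.get("iat")
    if not isinstance(iat, (int, float)) or abs(now - iat) > MAX_PROOF_AGE:
        reasons.append("iat")
    return reasons

NOW = 1_700_000_000  # fixed clock so the constructed cases are deterministic
GOOD = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": NOW + 300}
# One constructed payload per TTT switch, each carrying a single defect.
CASES = {
    "setInvalidIssuer": {**GOOD, "iss": "https://invalid.example"},
    "setInvalidAudience": {**GOOD, "aud": "other:api"},
    "setExpirationTimeAsExpired": {**GOOD, "exp": NOW - 300},
}
PROOF = {"htm": "POST", "htu": "https://eksempelapi.nhn.no/api", "iat": NOW}

if __name__ == "__main__":
    for switch, claims in CASES.items():
        print(switch, "->", check_access_token(claims, NOW))
```

Requesting one switch per token, as the list above instructs, keeps each rejection attributable to a single check.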