-
Notifications
You must be signed in to change notification settings - Fork 2
Authentication and Authorization
The Rotte REST API is user specific, i.e. the scope of commands and queries are determined by the user's organization specified in the attached access token.
The Rotte REST API is secured using codeflow with Danmarks Miljøportal's identity provider. This means that you need to operate with a federated authentication provider set up in Danmarks Miljøportal's identity provider - typically AD and ADFS - to get issued a user token with the necessary claim types required to access relevant Rotte API methods.
In order to communicate with the API, the code has to use the OAUTH codeflow against the endpoint. That means you have to contact DMP for registration on the DMP useradm for both test and production environments.
Roles will not be needed in order to access the endpoint. The REST endpoint decides access rights purely based on the CVR number in your token. CVRs related to Extermination Companies will just have rights to manage their own data. CVRs related to Municipalities will have rights to manage any data that happens within their municipality borders. CVRs related to Miljøstyrelsen will have rights to review data from all authorities as well as set up some of the system's metadata. CVRs related to Danmarks Miljøportal will have read rights to most data.
The Swagger page will contain more detailed information regarding the access any of the above user types get to data via the API. You can find links to the Swagger page of each environment on this wiki's home page.
Please contact Danmarks Miljøportal's support at support@miljoeportal.dk to get a client id and client secret for authorization.
Danmarks Miljøportal's identity provider supports OpenID Connect, a simple identity layer on top of the OAuth 2.0 protocol, which allows computing clients to verify the identity of an end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner. In technical terms, OpenID Connect specifies a RESTful HTTPS API, using JSON as a data format.
OpenID Connect allows a range of clients, including Web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. The specification suite is extensible, supporting optional features such as encryption of identity data, discovery of OpenID Providers, and session management.
OpenID Connect defines a discovery mechanism, called OpenID Connect Discovery, where an OpenID server publishes its metadata at a well-known URL. The discovery documents are available on the following URL's for the test and production environment respectively.
https://log-in.test.miljoeportal.dk/runtime/oauth2/.well-known/openid-configuration
https://log-in.miljoeportal.dk/runtime/oauth2/.well-known/openid-configuration
The identity provider supports the OAuth 2.0 / OpenID Connect flow Authorization code. The Authorization Code grant type is used by confidential and public clients to exchange an authorization code for an access token.
When the user returns to the client via the redirect URL, the application will get the authorization code from the URL that can be used to request an access token (and refresh token if needed).