Authorization

In order to be authorized to use the service the client must first be authenticated using HelseID or Helsenorge.

See curl examples of API requests to the service.

HelseID

A HelseID Bearer access token is required for authorization of organization and health care personell.

Note that the EPJ system must provide the org. nr. of the actual work place (point of care) of the health care personell when requesting the access token. This will make sure that the request is connected to the correct organization.

Claims

The client must do a token refresh/exchange with HelseID to set correct audience and scope for this service.

Claim	Description
scope	List containing "nhn:careplan/api".
aud	nhn:careplan
helseid://claims/client/claims/orgnr_parent	Org. nr. at the top level (legal entity). Required for all.
helseid://claims/client/claims/orgnr_child	Org. nr. at the lower level (point of care). Required for all.

Claims for HelseID can be found here.

Documentation to set single audience can be found here

Headers

Name	Description	Required
Authorization: Bearer	HelseID access token.	Yes
hit-user-role	Role of the logged in user (see below).	Yes
hit-source-system	Name and version of the EPJ system, 3-512 characters.	Yes
hit-access-basis	Basis for access (grunnlag/tjenstlig behov, see below).	Yes
hit-patient-pid	Patient national identification number (fnr/dnr).	Yes
hit-event-id	UUID or other id used to trace the request, max 128 characters.	No
content-type	Required for requests with body (POST/PUT).	Yes

hit-user-role

Information about the role of the logged in user. Must be a valid JSON data structure. We require that the content of the header is always URL encoded to make sure all types of characters are transmitted correctly to the server.

Example:

{
    "system": "urn:oid:2.16.578.1.12.4.1.1.9060",
    "code": "LE"
}

The content of the "system" field is the coding system (kodeverk) for the type of role the user got.

System	Description
urn:oid:2.16.578.1.12.4.1.1.9060	Volven coding system for HPR role. Used by EPJs.
kjernejournal_userrole	Custom coding system for Kjernejournal role. Only used by Kjernejournal.

The content of the "code" field is the role of the user. For HPR all roles must be according to Volven kodeverk 9060. Example HPR roles:

Code	Description
LE	Lege
SP	Sykepleier
PS	Psykolog

hit-access-basis

Which basis for access (grunnlag/tjenstlig behov) the user has to get access to data. "Forhøyet" must be used if requesting access to data which the patient has restricted access (sperring).

Note:
If the patient has not set restriction and the "Forhøyet"-values are used in this header, then you will recive an error. Overrule of restriction must only be done when the patient have actually set restriction. See status-endpoint.

Value	Use case
UNNTAK	Use for persons which has do not have to get consent from the patient, e.g. general practitioner (fastlege).
SAMTYKKE	The user has gotten consent from the patient to see data.
FORHOYET_SAMTYKKE	The patient has given consent to open restricted data (sperring).
AKUTT	Use when in an emergency situation where the patient is unable to give consent.
FORHOYET_AKUTT	Opens restricted data (sperring) in an emergency situation where the patient is unable to give consent.

hit-source-system

The name and version of the EPJ system, 3-512 characters. If the name contains Norwegian characters then the header content should be URL encoded to make sure all types of characters are transmitted correctly to the server.

Machine to machine token

A HelseID machine to machine token is a regular HelseID access token, but it does not contain the user pid claim or any other user data.

The main use case is to request certain endpoints without requiring the user to log into the EPJ or HelseID first. Whether to use it or not is up to the EPJ based on how the API is used.

The token must contain the following claims when HelseID machine to machine authorization:

Claim	Description
scope	List containing "nhn:careplan/api".
aud	nhn:careplan
helseid://claims/client/claims/orgnr_parent	Org. nr. at the top level (legal entity). Required for all.
helseid://claims/client/claims/orgnr_child	Org. nr. at the lower level (point of care). Required for all.

Note that a machine to machine token must not contain the claim "helseid://claims/identity/pid". If so you will get an error.

Only the headers "hit-patient-pid" and "hit-source-system" are required for machine to machine tokens. The "content-type" header must also be set depending on the HTTP method used (see above).

Machine to machine authorization is used in the /status endpoint.

Helsenorge

For an inhabitant an Helsenorge access token is required.

Read about inhabitant authentication - Helsenorge as OpenID Connect provider here.

Claims

Overview claims for Helsenorge is found here.

Claim	Description	Required
scp	Comma separated list which contains "kritiskinfo".	Yes
sub	See Helsenorge documentation.	Yes
act_sub	See Helsenorge documentation.	Yes
act_type	See Helsenorge documentation.	Yes

Headers

Name	Description	Required
Authorization: Bearer	Helsenorge token.	Yes
hit-event-id	UUID or other id used to trace the request, max 128 characters.	No

Error codes authorization

We're sending all error codes related to authorization in the response header nhn-error-code. These error codes has prefix "AUTH".

Error code	Cause
AUTH-0001	Invalid token signature.
AUTH-0002	Invalid token claim.
AUTH-0003	Invalid http header.
AUTH-0004	Invalid Helsenorge "grunnlag".
AUTH-0005	Internal technical error.
AUTH-0007	Error in Helsepersonellregisteret (HPR).
AUTH-0008	Error when reading public key.
AUTH-0009	Internal communication error.
AUTH-0010	Security related error, e.g. malicious content detected.
AUTH-0011	DPoP proof error.
AUTH-0012	The user does not have a valid HPR authorization.
AUTH-0013	Token has incorrect security level.