Claims

This document references the claims that HelseID will assign in a Token. Several of these claim types have their origin in specifications, while others are defined according to the needs of the health sector in Norway.

Claims in Tokens

In a response to the Token endpoint, HelseID issues two types of Token that contains claims:

  • An Access Token
  • An ID Token

If the Client uses the client_credentials-flow, HelseID will only issue an Access Token.

If the Client uses the authorization_code-flow for user logon, HelseID will issue both an Access Token and an ID Token.

The ID Token is meant for the Client, the Access Token is meant for the API.

The claims described below, will in most cases be placed in both types of Tokens.

Claims in the ID Token

Some claims are always placed in the ID Token, others are only placed by HelseID when the Client sends scopes in the request that permits access to the claims. These scopes are listed in the document Scopes.

Claims in the Access Token

Some claims are always placed in the Access Token, others are only placed by HelseID when

  1. the Client sends in scopes that gives access to an API, and
  2. the API wants to use the claim in the Access Token

This implies that the Client cannot impact which claims are placed in the Access Token. The claims in the Access Token are only decided by what claims the API has chosen.

An example: the API "Siffer-tjeneste" requires the claims helseid://claims/identity/pid, helseid://claims/identity/security_level, helseid://claims/hpr/hpr_number, og helseid://claims/client/claims/orgnr_parent. The API has the audience nhn:siffer-tjeneste, and one scope: nhn:siffer-tjeneste/primtall.

If a Client has access to the API siffer-tjeneste, it can use the scope nhn:siffer-tjeneste/primtall in order to retrieve an Access Token for usage against this API. The API "Siffer-tjeneste" must then inspect the Access Token and use it for authorization purposes.

Claims from HelseID that describes a logged-in user

These claim types describes the features of a logged-in user.

Name Example value Description
helseid://claims/identity/pid 11737291652 Personal identifier (PID)
helseid://claims/identity/security_level 3 The security level for which the user was logged in. Possible values are 2, 3 or 4.
helseid://claims/hpr/hpr_number 181000001 The health personnel number according to NHN’s coding standard
helseid://claims/identity/network helsenett Indicates whether an end user authenticated using a HelseID server on Internet or ’Helsenett’. Note that local infrastructure may route users from Helsenett to HelseID nodes exposed on the Internet. Possible values are ’internett’ and ’helsenett’.

Claims from HelseID that describes a client

These claim types describes the features of a client that has been authenticated by HelseID.

Name Example value Description
helseid://claims/client/client_name "Your client name here" The name of the client configuration as setup in HelseID Selvbetjening. This value can be used for logging purposes in APIs, but should not be used to for access control.
helseid://claims/client/claims/orgnr_parent 883974832 The parent organization for an end user or a client.
helseid://claims/client/claims/orgnr_child 892262462 The child organization (underenhet/behandlingssted) for an end user or a client.
helseid://claims/client/claims/orgnr_supplier 994598759 For a multi-tenant system this is the organization that has received a delegation to access HelseID on behalf of an organization.
helseid://claims/client/client_tenancy multi-tenant Indicates the type of system that requested the access token. Can have one of the following values: none, single-tenant, or multi-tenant.
client_amr private_key_jwt The type of secret used for authenticating the client. Possible values are client_secret or private_key_jwt.
nhn:tillitsrammeverk:parameters A JSON structure An "attest" from the Client, enriched with extra information from HelseID.
nhn:sfm:journal-id ed30a6a5-4834-40be-a32b-1e4f5217e378 A SFM-id, used by a multi-tenant Client

Standard claims

A token will also contain a set of standard claims originating from OpenID Connect and the JSON Web Token specification.

Claims from the OpenID Connect specification

These claims are obtained from the OpenID specification. You can find the description here. Some of the claims will only be set in the ID Token from HelseID.

Name Example value Description Only in ID Token
sub dXAUXjEAlVsoWcYVaR+fvzuXvnWQ7CYXqvr+DMuJ/0w= Subject - Identifier for the End-User at the Issuer. The value is a hash of the PID + salt.
amr [ "pwd" ] Authentication Methods References. A JSON array of strings that are identifiers for the authentication methods used in the authentication.
auth_time 1704116220000 The time when the user was authenticated, described as "epoch time".
client_id eeb808a2-6e6f-42ae-849a-505432cf128f Identifies the Client by a unique number.
sid 0970F0ED60C552597BFC254150FA406D Session ID
name FORSIKTIG IMPULSIV HANDELSMANN Full name of the logged-in user.
given_name FORSIKTIG The given name of the logged-in user.
family_name HANDELSMANN The family name of the logged-in user.
middle_name IMPULSIV The middle name of the logged-in user.
nonce 63849101571...WQ4OTI4MjVkNmU3 The nonce matches the parameter included in the original authorize request to the IDP. X
at_hash y9WtN9oBLG9q0J6NDbAHZQ Access Token hash value X
s_hash 5EpOYEdB22sp-7V9zGs4Bw State hash value X

Other claim types

Most of these claims are from the JWT specification. Some of these claims are only set in the Access Token from HelseID.

Name Example value Description Only in Access Token
iss https://helseid-sts.test.nhn.no Issuer
aud nhn:melde Audience: The name of the audience for the token. In an Access Token, this will be the name of an API, and in an ID Token, this will be a Client ID.
exp 1495545339 Expiration time for the Token, described as "epoch time".
nbf 1495545039 Not before, the Token cannot be used before this time, described as "epoch time".
iat 1495545039 Issued at time, the Token was issued at this time, described as "epoch time".
jti F4F832F0C68E24F0011F773B71CC6739 JWT ID - unique for each token issued by a specific provider within a given time period.
idp idporten-oidc The identity provider that authenticated the user.
scope [ “openid”, “profile”, “read” ] Authorization and identity scopes. X
cnf { "jkt": "aoezvIe32RdFpTP4FIxwBYb6VGX0dp3ecvoVjFkdXQk" } DPoP confirmation method, as described in the specification X

Deprecated claims

Some claims in HelseID are still in used, but will be deprecated in the near future. We reccomend that you do not use any of these claims.

Name Description
helseid://claims/identity/assurance_level The security level for which the user was logged in. This claim is deprecated, you should use the helseid://claims/identity/security_level claim (see above) instead, as it contains the same value as this claim.
helseid://claims/identity/pid_pseudonym Personal identifier pseudonymized with HMAC; this claim is deprecated, you should use the sub claim (see above) instead.
oldsub The value of this claim is deprecated. The value is a hash of the client_id + PID + salt.