Test Token Service
The Test Token Service ("test-token-tjenesten"), hereafter called TTT, is an API that is meant to simplify the use of tokens for testing purposes. With this API, you can obtain tokens that are signed with the same signing key as any "real" Access and ID tokens from the HelseID test environment.
Usage Patterns
TTT offers you two different usage patterns:
- if you own an API and want to test authentication of valid and invalid tokens
- if you are a system provider and want to test access to one or more APIs that require user login
How to Use TTT
To use the API, you must obtain an API key for authentication in HelseID Selvbetjening (self-service). This key must be present in the X-Auth-Key header in the call to TTT.
Example of Use
Below, you will find examples of how the parameters in TTT can be adjusted. The overview shows what the JSON object sent to the endpoint in the API will look like. To get a test token from TTT, you must send a POST request to the endpoint /v2/create-test-token-with-key.
For a code example of using TTT, check out TestTokenTool on GitHub.
You want to use TTT to obtain
- a generic token
{
"audience": "nhn:mynewapi"
}
Be advised that you must always use "audience" as a parameter.
- a token with only mandatory claims
{
"audience": "nhn:mynewapi",
"withoutDefaultClientClaims": true,
"withoutDefaultUserClaims": true
}
- an invalid token to test an API (set only one of the possible parameters below)
{
"audience": "nhn:mynewapi",
"signJwtWithInvalidSigningKey": true,
"setInvalidIssuer": true
}
- an expired token to test an API (set either expirationTimeInSeconds or expirationTimeInDays)
{
"audience": "nhn:mynewapi",
"expirationParameters": {
"setExpirationTimeAsExpired": true,
"expirationTimeInSeconds": 300,
"expirationTimeInDays": 1
}
}
- a token with a specific header
{
"audience": "nhn:mynewapi",
"headerParameters": {
"typ": "at+jwt"
}
}
- a token with specific client claims (set only those that are relevant)
{
"audience": "nhn:mynewapi",
"withoutDefaultClientClaims": true,
"withoutDefaultUserClaims": true,
"clientClaimsParameters": {
"scope": [
"openid",
"profile",
"read",
"mitt:supre:api/scope"
],
"clientId": "eeb808a2-6e6f-42ae-849a-505432cf128f",
"sfmJournalId": "ed30a6a5-4834-40be-a32b-1e4f5217e378",
"orgnrParent": "883974832",
"orgnrSupplier": "994598759",
"clientTenancy": true,
"clientAuthenticationMethodsReferences": "private_key_jwt",
"clientName": "Mitt Klientnavn",
"jti": "F4F832F0C68E24F0011F773B71CC6739"
}
}
Be advised that you must set "withoutDefaultClientClaims": true to be able to set specific client claims.
- a token with specific user claims (set only those that are relevant)
{
"audience": "nhn:mynewapi",
"withoutDefaultUserClaims": true,
"userClaimsParameters": {
"pid": "06828399789",
"pidPseudonym": "PGzVzvP2JvlXV\u002B\u002BOJSJAQG5d99BH8QsikmxpdIAKSZk=",
"hprNumber": "565505933",
"name": "KVART GREVLING",
"givenName": "KVART",
"middleName": "",
"familyName": "GREVLING",
"identityProvider": "idporten-oidc",
"securityLevel": "4",
"assuranceLevel": "high",
"network": "internett",
"amr": "pwd",
"subject": "PGzVzvP2JvlXV\u002B\u002BOJSJAQG5d99BH8QsikmxpdIAKSZk=",
"sid": "0970F0ED60C552597BFC254150FA406D"
}
}
Be advised that you must set "withoutDefaultUserClaims": true to be able to set specific user claims.
- a token with the user identity being pulled from Persontjenesten
{
"audience": "nhn:mittferskeapi",
"withoutDefaultUserClaims": true,
"userClaimsParameters": {
"pid": "06670157480"
},
"getPersonFromPersontjenesten": true,
"onlySetNameForPerson": true,
"getHprNumberFromHprregisteret": true,
"setSubject": true
}
- a DPoP proof assigned to the token
{
"audience": "nhn:mynewapi",
"createDPoPTokenWithDPoPProof": true,
"DPoPProofParameters": {
"htmClaimValue": "POST",
"htuClaimValue": "https://my.new.api.no"
}
}
- a token with altered DPoP parameters (values for invalidDPoPProofParameters are DontSetHtuClaimValue, DontSetHtmClaimValue, SetIatValueInThePast, SetIatValueInTheFuture, DontSetAthClaimValue, DontSetAlgHeader, DontSetJwkHeader, DontSetJtiClaim, SetAlgHeaderToASymmetricAlgorithm, SetPrivateKeyInJwkHeader, SetInvalidTypHeaderValue, and SetAnInvalidSignature)
{
"audience": "nhn:mynewapi",
"createDPoPTokenWithDPoPProof": true,
"dPoPProofParameters": {
"invalidDPoPProofParameters": "DontSetAthClaimValue",
"htmClaimValue": "POST",
"htuClaimValue": "https://mitt.ferske.api.no"
}
}
- a token using the "Tillitsrammeverk" method
{
"audience": "nhn:mynewapi",
"createTillitsrammeverkClaims": true,
"withoutDefaultUserClaims": true,
"userClaimsParameters": {
"pid": "06828399789",
"hprNumber": "565505933",
"name": "KVART GREVLING"
}
}
- a token with altered parameters for the "tillitsrammeverk" (set only those that are relevant)
{
"audience": "nhn:mynewapi",
"createTillitsrammeverkClaims": true,
"tillitsrammeverkClaimsParameters": {
"practitionerAuthorizationCode": "AA",
"practitionerAuthorizationText": "",
"practitionerLegalEntityId": "946469045",
"practitionerLegalEntityName": "Helse Først",
"practitionerPointOfCareId": "983658776",
"practitionerPointOfCareName": "Sjukehus AS",
"practitionerDepartmentId": "4206043",
"practitionerDepartmentName": "Avdeling 4",
"careRelationshipHealthcareServiceCode": "210",
"careRelationshipHealthcareServiceText": "Anestesiologi",
"careRelationshipPurposeOfUseCode": "TREAT",
"careRelationshipPurposeOfUseText": "Behandling",
"careRelationshipPurposeOfUseDetailsCode": "28",
"careRelationshipPurposeOfUseDetailsText": "Digitalt tilsyn",
"careRelationshipTracingRefId": "30F4AB40-DBC2-41A7-8AC4-181AD3FDC25B",
"patientsPointOfCareId": "983658776",
"patientsPointOfCareName": "Sjukehus AS",
"patientsDepartmentId": "4206043",
"patientsDepartmentName": "Avdeling 4"
},
"withoutDefaultUserClaims": true,
"userClaimsParameters": {
"pid": "06828399789",
"hprNumber": "565505933",
"name": "KVART GREVLING"
}
}
- a token with one or more API-specific claims
{
"audience": "nhn:mynewapi",
"apiSpecificClaims": [
{"type": "e-helse:sfm.api/client/claims/sfm-id", "value":"e37233c0-e649-4b70-92bd-7f1e12eac897"},
{"type": "...", "value":"..."}
]
}
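The usage rules stated above (mandatory "audience", the withoutDefault... prerequisites, one invalid-token parameter at a time, one expiration unit) and the set of negative cases an API owner would run, as an added Python example that is not code from HelseID or TestTokenTool. The function names are hypothetical, the base URL is supplied by the caller, the Content-Type header is an assumption, and the dPoPProofParameters spelling follows the page's altered-DPoP example.

```python
import json
import urllib.request

# Values for invalidDPoPProofParameters, as listed on the page.
INVALID_DPOP = [
    "DontSetHtuClaimValue", "DontSetHtmClaimValue", "SetIatValueInThePast",
    "SetIatValueInTheFuture", "DontSetAthClaimValue", "DontSetAlgHeader",
    "DontSetJwkHeader", "DontSetJtiClaim", "SetAlgHeaderToASymmetricAlgorithm",
    "SetPrivateKeyInJwkHeader", "SetInvalidTypHeaderValue", "SetAnInvalidSignature",
]
INVALID_TOKEN_FLAGS = ["signJwtWithInvalidSigningKey", "setInvalidIssuer"]

def lint_body(body):
    """Return the usage rules stated on the page that this request body breaks."""
    problems = []
    if not body.get("audience"):
        problems.append("audience is mandatory")
    if "clientClaimsParameters" in body and body.get("withoutDefaultClientClaims") is not True:
        problems.append("clientClaimsParameters needs withoutDefaultClientClaims: true")
    if "userClaimsParameters" in body and body.get("withoutDefaultUserClaims") is not True:
        problems.append("userClaimsParameters needs withoutDefaultUserClaims: true")
    if sum(body.get(flag) is True for flag in INVALID_TOKEN_FLAGS) > 1:
        problems.append("set only one invalid-token parameter")
    exp = body.get("expirationParameters", {})
    if "expirationTimeInSeconds" in exp and "expirationTimeInDays" in exp:
        problems.append("set expirationTimeInSeconds or expirationTimeInDays, not both")
    return problems

def negative_cases(audience, htm, htu):
    """One request body per token defect; the API under test should reject each token."""
    cases = {flag: {"audience": audience, flag: True} for flag in INVALID_TOKEN_FLAGS}
    cases["expired"] = {"audience": audience, "expirationParameters": {
        "setExpirationTimeAsExpired": True, "expirationTimeInSeconds": 300}}
    for value in INVALID_DPOP:
        cases["dpop:" + value] = {
            "audience": audience, "createDPoPTokenWithDPoPProof": True,
            "dPoPProofParameters": {"invalidDPoPProofParameters": value,
                                    "htmClaimValue": htm, "htuClaimValue": htu}}
    return cases

def build_request(base_url, api_key, body):
    """Build, without sending, the POST to TTT; refuse a body that breaks a rule."""
    if problems := lint_body(body):
        raise ValueError("; ".join(problems))
    # base_url comes from the caller; Content-Type is an assumption, not from the page.
    return urllib.request.Request(
        base_url.rstrip("/") + "/v2/create-test-token-with-key",
        data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"X-Auth-Key": api_key, "Content-Type": "application/json"})
```

build_request only constructs the request; the response format is not described on this page, so sending it and reading the token out of the reply are left to the caller.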