Authorising API Endpoints

PreviousAuthentication FlowsNextSession Lifecycle

Last updated 1 year ago

Was this helpful?

Tokens issued by IAS are JSON Web Tokens (JWT) which are cryptographically signed to prevent tampering.

If you are creating a Resource Server that accepts Access Tokens issued by IAS, you MUST validate tokens properly:

  1. The Client calls the Resource Server with an Authorization header containing a bearer JWT Access Token issued by IAS.

  2. The Resource Server checks if it has a cached RSA public key matching the incoming Access Token. If not, it requests a JSON Web Key Set (JWKS) from IAS.

  3. IAS returns all of the public keys for its tokens in a JWKS response.

  4. The Resource Server MUST validate the signature of the Access Token JWT using the RSA public key from the JWKS.

  5. The Resource Server MUST validate the Access Token claims: that it was issued ("iss") by IAS, that it is currently valid ("nbf" and "exp"), and that at least one of the Resource Server's scopes is listed in the token's "scope" claim.

  6. The Resource Server MAY further authorise the requested resources based on claims from the Access Token, e.g. "scope" and "nationalId".

  7. The Resource Server returns the requested Resources.

Library Configuration

Authorisation libraries often support the following parameters to validate bearer tokens:

  • Scope, the scope that is required to call the endpoint.

  • Issuer or Authority, the base URL of IAS (see below).

  • If your library does not support OIDC discovery:

    • JWKS Endpoint, for IAS this is ${Issuer}/.well-known/openid-configuration/jwks

Figure: Authorising APIs Flow