{"id":21364979,"url":"https://github.com/altinn/oed-authz","last_synced_at":"2026-03-05T08:32:27.437Z","repository":{"id":77875255,"uuid":"563106767","full_name":"Altinn/oed-authz","owner":"Altinn","description":null,"archived":false,"fork":false,"pushed_at":"2026-02-16T13:46:12.000Z","size":189,"stargazers_count":1,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"master","last_synced_at":"2026-02-16T21:45:21.134Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Altinn.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2022-11-07T23:14:26.000Z","updated_at":"2026-02-16T13:46:21.000Z","dependencies_parsed_at":null,"dependency_job_id":"c847ffcf-40af-48eb-896e-90da168bf255","html_url":"https://github.com/Altinn/oed-authz","commit_stats":null,"previous_names":["altinn/oed-authz"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Altinn/oed-authz","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Altinn%2Foed-authz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Altinn%2Foed-authz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Altinn%2Foed-authz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Altinn%2Foed-authz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners
/Altinn","download_url":"https://codeload.github.com/Altinn/oed-authz/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Altinn%2Foed-authz/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30115938,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-05T08:19:04.902Z","status":"ssl_error","status_checked_at":"2026-03-05T08:17:37.148Z","response_time":93,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-22T07:08:48.197Z","updated_at":"2026-03-05T08:32:27.420Z","avatar_url":"https://github.com/Altinn.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# oed-authz\nASP.NET Core Web API handling events for OED/DD roles, persisting them and providing a PIP API for Altinn Authorization. \nThis also exposes an API for external consumers requiring Maskinporten-authentication.\n\nSee https://oed-test-authz-app.azurewebsites.net/swagger/ for API documentation.\n\n## Using the API for external consumers (banks etc.)\n\nThere are two API endpoints: one for retrieving court assigned roles for a given estate, and one for retrieving proxy roles\nassigned from the heirs to others within the estate.\n\n### Court assigned roles\n\nFor court assigned roles use `/api/v1/authorization/roles/search`. 
This endpoint requires a Maskinporten-token with the scope \n`altinn:dd:authlookup`. The following role codes will be made available:\n\n* `urn:domstolene:digitaltdodsbo:formuesfullmakt` \n* `urn:domstolene:digitaltdodsbo:skifteattest` \n\n#### Example\n\nRequests must contain an `Authorization` header with a Maskinporten-token using the `Bearer` scheme. The request body \nmust be a JSON object with `estateSsn`, or `recipientSsn`, or both, which must be 11-digit Norwegian identification numbers. \n\n```jsonc\n// POST https://oed-test-authz-app.azurewebsites.net/api/v1/authorization/roles/search\n{\n    \"estateSsn\": \"11111111111\"\n    // \"recipientSsn\": \"22222222211\" // Only one of \"estateSsn\" and \"recipientSsn\" is required\n}\n```\n\nResponse:\n```jsonc\n{    \n    \"roleAssignments\": [\n        {\n            \"estateSsn\": \"11111111111\",\n            \"recipientSsn\": \"22222222211\",\n            \"role\": \"urn:domstolene:digitaltdodsbo:skifteattest\",\n            \"created\": \"2023-02-20T10:00:06.401416+00:00\"\n        },\n        {\n            \"estateSsn\": \"11111111111\",\n            \"recipientSsn\": \"22222222211\",\n            \"role\": \"urn:domstolene:digitaltdodsbo:skifteattest\",\n            \"created\": \"2023-02-20T10:00:06.401416+00:00\"\n        }\n    ]\n}\n```\n### Proxy roles\n\nWithin an estate, heirs with a probate certificate can assign proxies that may act on their behalf. These roles are not\nassigned by the court, but by the heirs themselves. To retrieve these proxy roles, use the endpoint `/api/v1/authorization/proxies/search`.\n\nThe following role codes are currently available:\n\n* `urn:altinn:digitaltdodsbo:skiftefullmakt:individuell` (granted to a specific heir from a specific heir)\n* `urn:altinn:digitaltdodsbo:skiftefullmakt:kollektiv` (granted to a specific heir from all heirs)\n\nNote that the `kollektiv` role is assigned if and only if all heirs with a probate certificate have appointed the same \nproxy. 
Thus, for a recipient to receive the `kollektiv` role, the response will also contain an `individuell` role for all \nheirs with a probate certificate to that same recipient (unless that recipient also has a probate certificate; there is \nno need to assign a proxy role to oneself).  If at any point any of the heirs with a probate certificate revokes their \n`individuell` role, the `kollektiv` role will also be revoked.\n\nIf no relation (i.e. role assignment) exists, an empty `roleAssignments` array will be returned.\n\n#### Example\n\nRequests must contain an `Authorization` header with a Maskinporten-token using the `Bearer` scheme. The request body\nmust be a JSON object with `estateSsn`, or `recipientSsn`, or both, which must be 11-digit Norwegian identification numbers. \n\n```jsonc\n// POST https://oed-test-authz-app.azurewebsites.net/api/v1/authorization/proxies/search\n{\n    \"estateSsn\": \"11111111111\" // this estate has two heirs with probate certificates; 22222222211 and 33333333311\n}\n```\n\nResponse:\n```jsonc\n{    \n    \"proxyAssignments\": [\n        {\n            \"estateSsn\": \"11111111111\",\n            \"heirSsn\": null, // Assigned from the estate itself (i.e. no particular heir); can act on behalf of all heirs  \n            \"recipientSsn\": \"44444444411\",\n            \"role\": \"urn:altinn:digitaltdodsbo:skiftefullmakt:kollektiv\",\n            \"created\": \"2023-02-20T10:00:06.401416+00:00\"\n        },\n        {\n            // Assigned from the individual heir; can act on behalf of that heir\n            \"estateSsn\": \"11111111111\",\n            \"heirSsn\": \"22222222211\",\n            \"recipientSsn\": \"44444444411\",\n            \"role\": \"urn:altinn:digitaltdodsbo:skiftefullmakt:individuell\",\n            \"created\": \"2023-02-20T10:00:06.401416+00:00\"\n        },\n        {\n            // Assigned from the individual heir; can act on behalf of that heir\n            \"estateSsn\": \"11111111111\",\n            
\"heirSsn\": \"33333333311\",\n            \"recipientSsn\": \"44444444411\",\n            \"role\": \"urn:altinn:digitaltdodsbo:skiftefullmakt:individuell\",\n            \"created\": \"2023-02-20T10:00:06.401416+00:00\"\n        }\n    ]\n}\n```\n\n## Internal Altinn usage \n\n### PIP API\n\nThis API is meant for Altinn Authorization to use as a PIP (Policy Information Point) extension for the context handler to \nretrieve roles when a given policy refers to roles of type `urn:digitaltdodsbo:rolecode`.\n\nSupply a `PipRequest`-body with one or both of the `from` and `to` properties set to Norwegian identification numbers for the deceased \n(estate) and heir (recipient), respectively, to the endpoint `/api/v1/pip`. One of the parameters can be omitted to get a list of \nall relations for the given from/to. This will include additional roles compared to the API for external consumers, and will\nalso include `urn:altinn:digitaltdodsbo:skiftefullmakt:kollektiv` (but not `urn:altinn:digitaltdodsbo:skiftefullmakt:individuell`\nas this assignment is within the context of a single estate).\n\nThis requires a Maskinporten-token with the scope `altinn:dd:internal`.\n\n#### Example\n\n```jsonc\n// POST https://oed-test-authz-app.azurewebsites.net/api/v1/pip\n{\n    \"from\": \"11111111111\"\n    // \"to\": \"22222222211\" // Only one of \"from\" and \"to\" is required\n}\n```\n\nResponse:\n```jsonc\n{\n    \"roleAssignments\": [\n        {\n            \"urn:digitaltdodsbo:rolecode\": \"urn:domstolene:digitaltdodsbo:formuesfullmakt\",\n            \"from\": \"11111111111\",\n            \"to\": \"22222222211\",\n            \"created\": \"2023-02-20T10:00:06.401416+00:00\"\n        },\n        {\n            \"urn:digitaltdodsbo:rolecode\": \"urn:domstolene:digitaltdodsbo:arving:ektefelleEllerPartner\",\n            \"from\": \"11111111111\",\n            \"to\": \"22222222211\",\n            \"created\": \"2023-02-20T10:00:06.401416+00:00\"\n        },\n        {\n            
\"urn:digitaltdodsbo:rolecode\": \"urn:domstolene:digitaltdodsbo:skifteattest\",\n            \"from\": \"11111111111\",\n            \"to\": \"22222222211\",\n            \"created\": \"2023-02-20T10:00:06.401416+00:00\"\n        },\n        // ... some rows omitted for brevity\n        {\n            \"urn:digitaltdodsbo:rolecode\": \"urn:altinn:digitaltdodsbo:skiftefullmakt:kollektiv\",\n            \"from\": \"11111111111\",\n            \"to\": \"44444444411\",\n            \"created\": \"2023-02-20T10:00:06.401416+00:00\"\n        }\n    ]\n}\n```\n\n## DD proxies administration API\n\nThere's an RPC API for managing `urn:altinn:digitaltdodsbo:skiftefullmakt` roles for internal consumers only. \nThis is used by Digitalt Dødsbo to grant and revoke roles for proxies. \n\nThis endpoint requires a Maskinporten-token with the scope `altinn:dd:internal`. Only roles within the \n`urn:altinn:digitaltdodsbo:skiftefullmakt` namespace can be managed.\n\n### Getting assignments\n\nSee the external proxy API for getting a list of assignments. The `altinn:dd:internal` scope is also authorized for that\nendpoint.\n\n### Adding an assignment\n\nPost the body below to the `add` endpoint. `created` can be omitted, and will be set to the current time if omitted.\n\n```jsonc\n// POST https://oed-test-authz-app.azurewebsites.net/api/v1/authorization/proxies/add\n{\n    \"add\": {\n        \"estateSsn\": \"11111111111\",\n        \"heirSsn\": \"22222222211\",\n        \"recipientSsn\": \"44444444411\",\n        \"urn:digitaltdodsbo:rolecode\": \"urn:altinn:digitaltdodsbo:skiftefullmakt:individuell\",\n        \"created\": \"2023-02-20T10:00:06.401416+00:00\"\n    }\n}\n// Response: 201 Created, with the estate with all current proxy assignments (as with /proxies/search)\n```\n\n### Deleting an assignment\n\nPost the body below to the `remove` endpoint. 
\n\n```jsonc\n// POST https://oed-test-authz-app.azurewebsites.net/api/v1/authorization/proxies/remove\n{\n    \"remove\": {\n        \"estateSsn\": \"11111111111\",\n        \"heirSsn\": \"22222222211\",\n        \"recipientSsn\": \"44444444411\",\n        \"urn:digitaltdodsbo:rolecode\": \"urn:altinn:digitaltdodsbo:skiftefullmakt:individuell\"\n    }\n}\n// Response: 204 No Content\n```\n\n## Local development setup\n\n1. Install PostgreSQL 13 or later\n2. Install pgAdmin\n3. Create a database locally with name `oedauthz`\n4. Create the user `oedpgadmin` (only used for migrations), set password to `secret`. Give all privileges to `oedauthz`\n5. Create the user `oedpguser`, set password to `secret`. Give usage privileges to `oedauthz`.\n6. Run/debug the project\n\nThis should build and migrate the database. Open https://localhost/swagger for Swagger UI.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faltinn%2Foed-authz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faltinn%2Foed-authz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faltinn%2Foed-authz/lists"}