Add dialogporten>reference>authorization, add link from api>dialogpor…

…ten (#1822) * Add dialogporten>reference>authorization, add link from api>dialogporten * Drop anchor tag to dynamic content as this confuses link checker
Altinn · Oct 10, 2024 · d982783 · d982783
1 parent 8451f4c
commit d982783
Show file tree

Hide file tree

Showing 10 changed files with 431 additions and 11 deletions.
diff --git a/content/api/dialogporten/_index.en.md b/content/api/dialogporten/_index.en.md
@@ -0,0 +1,11 @@
+---
+title: Dialogporten API
+linktitle: Dialogporten
+description: API for Dialogporten functionality
+---
+
+Please refer to the following sections for Dialogporten API reference information
+
+* [OpenAPI specifications]({{<relref "../../dialogporten/reference/openapi">}})
+* [GraphQL specifications]({{<relref "../../dialogporten/reference/graphql">}})
+
diff --git a/content/dialogporten/getting-started/authorization/_index.md b/content/dialogporten/getting-started/authorization/_index.md
@@ -4,5 +4,12 @@ description: 'Learn how Dialogporten uses Altinn Authorization and provides its
 weight: 20
 ---
 
+## Introduction
+
+Dialogporten is fully integrated with ID-porten, Maskinporten and Altinn Authorization. Access to all dialogs are subject to the same access policy as the service they represent, which is fully manageable via roles, access packages and service rights in [Altinn Access Management]({{<relref "../../../authorization/what-do-you-get/accessmanagement">}}). 
+
+**Read more**
+* {{<link "../../reference/authorization">}}
+
 {{<children />}}
 
diff --git a/content/dialogporten/getting-started/authorization/attributes/_index.md b/content/dialogporten/getting-started/authorization/attributes/_index.md
@@ -1,7 +1,7 @@
 ---
 title: 'Authorization Attributes'
 description: 'Learn how dialogs in Dialogporten implements fine-grained access control using Altinn Authorization'
-weight: 10
+weight: 20
 ---
 
 ## Introduction

diff --git a/content/dialogporten/getting-started/authorization/dialog-tokens/_index.md b/content/dialogporten/getting-started/authorization/dialog-tokens/_index.md
@@ -1,7 +1,7 @@
 ---
 title: 'Dialog Tokens'
 description: 'Learn how dialog tokens can be used to simplify authorization and enable higher confidentiality'
-weight: 20
+weight: 30
 ---
 
 ## Introduction

diff --git a/content/dialogporten/getting-started/authorization/service-resource/_index.md b/content/dialogporten/getting-started/authorization/service-resource/_index.md
@@ -8,9 +8,9 @@ weight: 10
 
 All dialogs must refer to a main _service resource_. A service resource describes a particular digital service, and contains metadata such as a name, a description, what public actor owns and - most importantly - the authorization policy governing the use of that service. 
 
-Service resources reside in [Altinn Resource Registry]({{<relref "../../../../authorization/what-do-you-get/resourceregistry">}}), alongside other types of resources which utilize Altinn Authorization for access management and control. The authorization policies are expressed in [XACML]({{<relref "../../../../authorization/what-do-you-get/pdp">}}), which describes the access rules that governs all dialogs that refer to it. Dialogporten is integrated with Altinn Authorization, and will consult it for every request made to Dialogporten and enforce its decisions. The main service resource policy is thus used to control what information a given user can retrieve from Dialogporten. Access managers within organizations use these service resources, or groups of related service resources, when handling who should have access to do what on behalf of an organization.
+Service resources reside in [Altinn Resource Registry]({{<relref "../../../../authorization/what-do-you-get/resourceregistry">}}), alongside other types of resources which utilize Altinn Authorization for access management and control. The authorization policies are expressed in [XACML]({{<relref "../../../../authorization/guides/xacml/">}}), which describes the access rules that governs all dialogs that refer to it. Dialogporten is integrated with Altinn Authorization, and will consult it for every request made to Dialogporten and enforce its decisions. The main service resource policy is thus used to control what information a given user can retrieve from Dialogporten. Access managers within organizations use these service resources, or groups of related service resources, when handling who should have access to do what on behalf of an organization.
 
-For example, an action named "Go to signing" might refer to an _action_ called "sign" in the XACML policy for the main service resource. If the user does not posess this permission, the button may be grayed out and disabled. 
+For example, an action named "Go to signing" might refer to an _action_ called "sign" in the [XACML]({{<relref "../../../../authorization/guides/xacml/">}}) policy for the main service resource. If the user does not posess this permission, the button may be grayed out and disabled. 
 
 ## Advanced usage
 XACML offers great flexibility in how coarse or fine-grained the access control should be, and dialogs can contain actions and transmissions that can be matched by different rules defined within the policy of the service resource. Transmissions and actions can even refer to different service resources, giving the service owner more options in how the various parts of a dialog should be governed.  This is enabled through the use of [authorization attributes]({{<relref "../attributes">}})

diff --git a/content/dialogporten/getting-started/dialogs/_index.md b/content/dialogporten/getting-started/dialogs/_index.md
@@ -41,7 +41,7 @@ Attachments can be used on both transmission and dialog level.
 
 An _action_ describes an interaction that users can perform with or related to a dialog. Examples of actions are "Open", "Start signing", "Pay", "Confirm", "Learn more", "Cancel", etc. The list of relevant actions is part of the structured description of a dialog and can be changed at any time by the service provider through the API.
 
-An action is either a _"GUI" action_ or an _"API" action_. All actions - both GUI and API - have an identifier that maps to an _action_ (and optionally an [authorization attribute]({{<relref "../authorization/attributes">}})) in the authorization policy (XACML) associated with a [service resource]({{<relref "../authorization/service-resource">}}).
+An action is either a _"GUI" action_ or an _"API" action_. All actions - both GUI and API - have an identifier that maps to an _action_ (and optionally an [authorization attribute]({{<relref "../authorization/attributes">}})) in the authorization policy ([XACML]({{<relref "../../../../authorization/guides/xacml/">}})) associated with a [service resource]({{<relref "../authorization/service-resource">}}).
 
 ### GUI Actions
 

diff --git a/content/dialogporten/reference/authorization/_index.md b/content/dialogporten/reference/authorization/_index.md
@@ -4,5 +4,9 @@ description: 'Reference information about Dialogporten authorization mechanisms'
 weight: 30
 ---
 
+## Introduction
+
+See [getting started with authorization]({{<relref "../../getting-started/authorization">}}) for a functional overview of how Dialogporten implements authorization.
+
 {{<children />}}
 
diff --git a/content/dialogporten/reference/authorization/altinn-authorization/_index.md b/content/dialogporten/reference/authorization/altinn-authorization/_index.md
@@ -0,0 +1,41 @@
+---
+title: 'Altinn Authorization'
+description: 'Technical overview of how Dialogporten integrates with Altinn Authorization'
+weight: 1
+---
+
+## Introduction
+
+Dialogporten is fully integrated with Altinn Authorization, which is used for all authorization decisions made in Dialogporten. 
+
+For performance reasons, there are two different ways that Altinn Authorization is utilized. 
+
+## Authentication and coarse-grained authorization
+
+Dialogporten performs basic authentication and scope-based authorization via self-contained access tokens issued by Maskinporten and ID-porten, and optionally exhanged at Altinn Token Exchange. 
+
+**See also**
+* {{<link "../../../user-guides/authenticating">}}
+
+
+## Dialog list authorization
+
+All list views in Dialogporten utilizes the [Authorized Parties API]({{<relref "../../../../authorization/guides/integrating-link-service/#integration-with-api-for-authorized-parties-issuers">}}), that yields a list of all parties the authenticated user can represent along with all roles/access packages and service/instance rights that user has been granted for each party.
+
+Dialogporten maintains a map of which roles/access packages grant rights to each resource in the resource registry, and uses that to fetch only dialogs referring to service resources that the user has some kind of access to. Which actions (read, write, etc) are not considered - any right for the given party for the given resource is sufficient to see the dialog in the dialog list.
+
+As only one request (for a given party/service resource tuple) will have to be performed within a cache TTL window, re-sorting/filtering and pagination does not require additional requests to Altinn Authorization, and can therefor be performed quickly.
+
+## Dialog details authorization
+
+For dialog details, the [PDP API]({{<relref "../../../../authorization/guides/integrating-link-service/#integration-with-pdp">}}) is utilized, allow for fine-grained authorization of the various actions and transmissions defined within the dialog.
+
+All actions and transmissions are decorated with a `IsAuthorized` flag, which indicates to the end-user system whether or not the user has access. If not, all URLs are removed.
+
+{{<notice warning>}}
+While Dialogporten indicates that the action is unauthorized, and removes the URLs, the endpoint should still always perform authentication/authorization on incoming requests and not rely on Dialogporten simply obscuring access to the endpoints  
+{{</notice>}}
+
+
+{{<children />}}
+