Instructions for e-service developers

HarID uses OpenID Connect with OAuth 2.0 protocol for authentication and authorization. For security implications of getting the implementation correct, we strongly encourage you to use OAuth 2.0 libraries when interacting with HarID endpoints. Best practice would be to use well written code provided by others - it will help you protect yourself and your users. Please review OpenID Connect libraries for additional information.

Technical configuration parameters in JSON format:

Test environment: https://test.harid.ee/.well-known/openid-configuration
Live environment: https://harid.ee/.well-known/openid-configuration

 

E-service registration

Before you can start sending OpenID/OAuth requests, you have to register your e-service.
Please contact with HarID support (harid@hitsa.ee) and provide following information:

1. Your organisation name and registration number.
2. Your E-service return urls where HarID forwards back (you can add multiple urls if needed).

After that we can add you to our test-environment (test.harid.ee) and provide you with our OpenID client credentials.

OpenID/OAuth technical info

Technical configuration parameters in JSON format:

You can get the latest info for live environment at: https://harid.ee/.well-known/openid-configuration
{
    "issuer": "https://harid.ee",
    "authorization_endpoint": "https://harid.ee/et/authorizations/new",
    "jwks_uri": "https://harid.ee/jwks.json",
    "response_types_supported": [
        "code", "token", "id_token", "code token", "code id_token", "id_token token", "code id_token token"
    ],
    "subject_types_supported": [ "public" ],
    "id_token_signing_alg_values_supported": [ "RS256" ],
    "token_endpoint": "https://harid.ee/et/access_tokens",
    "userinfo_endpoint": "https://harid.ee/et/user_info",
    "registration_endpoint": "https://harid.ee/et/connect/client",
    "scopes_supported": [
       "personal_code", "phone", "email", "profile", "openid", "roles", "session_type"
    ], "grant_types_supported": [ "authorization_code", "implicit" ],
    "request_object_signing_alg_values_supported": [ "HS256", "HS384", "HS512" ],
    "token_endpoint_auth_methods_supported": [ "client_secret_basic", "client_secret_post" ],
    "claims_supported": [ "sub", "iss", "name", "email", "phone_number", "personal_code", "roles" ]
}

 

Data attributes

 

Exchange code for access token and ID token:

access_token

A token that can be sent to HarID.

id_token

Identity information (JWT) about the user that is digitally signed by HarID.

expires_in

The remaining lifetime of the access token.

token_type

Identifies the type of token returned. At this time, this field always has the value 'Bearer'.

 

Obtain user information from the ID token:

Example response in json format:

{
  "sub": "5727bdad-6f71-4b99-8730-6d66170afa41",
  "name": "Example User",
  "given_name": "Example",
  "family_name": "User",
  "email": "user@example.com",
  "email_verified": true,
  "personal_code": "EE:EID:50701124378",
  "personal_code_verified": true,
  "strong_session": false,
  "roles": [
    {
      "marker": "student",
      "active": true,
      "start_date": "2018-01-17",
      "end_date": null,
      "name_et": "Õpilane",
      "name_en": "Student",
      "name_ru": "student",
      "desc_et": null,
      "desc_en": null,
      "desc_ru": null,
      "provider_ehis_id": "293",
      "provider_reg_nr": "75014445",
      "provider_name": "Keila ühisgümnaasium",
      "created_at": "2018-01-17T16:25:50+02:00",
      "updated_at": "2018-01-17T16:27:55+02:00",
      "student_grade": "6",
      "student_parallel": "A"
    },
    {
      "marker": "faculty",
      "active": null,
      "start_date": "2018-10-09",
      "end_date": null,
      "name_et": "faculty",
      "name_en": "Faculty",
      "name_ru": "faculty",
      "desc_et": null,
      "desc_en": null,
      "desc_ru": null,
      "provider_ehis_id": "223",
      "provider_reg_nr": "75012452",
      "provider_name": "Ääsmäe põhikool",
      "created_at": "2018-10-09T13:44:13+03:00",
      "updated_at": "2018-10-09T13:44:13+03:00"
    },
    {
      "marker": "library-walk-in",
      "active": null,
      "start_date": "2018-10-09",
      "end_date": null,
      "name_et": "library-walk-in",
      "name_en": "Library-walk-in",
      "name_ru": "library-walk-in",
      "desc_et": null,
      "desc_en": null,
      "desc_ru": null,
      "provider_ehis_id": null,
      "provider_reg_nr": "75012452",
      "provider_name": "Ääsmäe põhikool",
      "created_at": "2018-10-09T13:44:13+03:00",
      "updated_at": "2018-10-09T13:44:13+03:00"
    },
    {
      "marker": "student",
      "active": true,
      "start_date": "2018-12-13",
      "end_date": null,
      "name_et": "student",
      "name_en": "Student",
      "name_ru": "student",
      "desc_et": null,
      "desc_en": null,
      "desc_ru": null,
      "provider_ehis_id": "214",
      "provider_reg_nr": "75004429",
      "provider_name": "Albu põhikool",
      "created_at": "2018-12-13T14:42:40+02:00",
      "updated_at": "2018-12-14T19:13:54+02:00",
      "student_grade": "5",
      "student_parallel": null
    }
  ],
  "ui_locales": "et",
  "custodies": [
    {
      "name": "Hernes Hernes",
      "given_name": "Hernes",
      "family_name": "Hernes",
      "email": "priit.tark+020@gmail.com",
      "email_verified": true,
      "personal_code": "EE:EID:60005050011",
      "personal_code_verified": false,
      "roles": [
        {
          "marker": "student",
          "active": true,
          "start_date": "2018-12-13",
          "end_date": null,
          "name_et": "Õpilane",
          "name_en": "Student",
          "name_ru": "student",
          "desc_et": null,
          "desc_en": null,
          "desc_ru": null,
          "provider_ehis_id": "214",
          "provider_reg_nr": "75004429",
          "provider_name": "Albu põhikool",
          "created_at": "2018-12-13T14:42:40+02:00",
          "updated_at": "2018-12-14T19:13:54+02:00",
          "student_grade": "5",
          "student_parallel": null
        }
      ]
    },
    {
      "name": "Loos Loos",
      "given_name": "Loos",
      "family_name": "Loos",
      "email": "priit.tark+011@gmail.com",
      "email_verified": true,
      "personal_code": "EE:EID:38612232328",
      "personal_code_verified": false,
      "roles": [

      ]
    }
  ]
}
}

Attributes:

NB! If client does not require scope, HarID does not return scope attributes.

Scope Attribute Description
openid

sub

An identifier for the user, unique for HarID accounts and never reused. HarID account can have multiple emails at different points in time, but the sub value is never changed. Use sub within your e-service as the unique-identifier key for the user.

profile

name

The user's full name.

email

email

The user's email address. This may not be unique and is not suitable for use as a primary key. Provided only if your scope included the string "email".

email

email_verified

True if the user's e-mail address has been verified; otherwise false.

profile

ui_locales

Indicates user preferred user interface locales, example: 'et' for Estonia or 'et en' where Estonia would be preferred over English.
personal_code

personal_code

Mostly Estonia's identity code. Always have prefix with 2 colons. Example EE:EID:11412090004
personal_code

personal_code_verified

User has at least once in history logged into HarID using strong authentication method such as Mobile-ID or ID-card.
session_type strong_session

True if user user last authentication into HarID was done by using strong authentication method such as Mobile-ID or ID-card. You can use standard way by ID token where "arm" value is either "pwd" (password auth) or "pop" (mobiil-ID/ID-card auth).

roles roles User roles, user can have multiple roles

roles

roles:marker Uniq identifier, example 'student'

roles

roles:active Defines, if role is valid. Only roles with value "true"  are valid.

roles

roles:start_date Role start date. Start date does not define alone, if role is active. Role must be also active with value "true" and start date must be in past to determine you can rely on it.

roles

roles:end_date Role end date. End date does not define alone, if role is active. Role must be also active with value "true" and end date must missing or in the future.

roles

roles:name_et Role name in Estonian

roles

roles:name_en Role name in English

roles

roles:name_ru Role name in Russian

roles

roles:desc_et Role description in Estonian

roles

roles:desc_en Role description in English

roles

roles:desc_ru Role description in Russian

roles

roles:provider_reg_nr Provider's (institution (school)) registration number

roles

roles:provider_name Provider (example school) name

roles

roles:created_at Role creation time, format: ISO8601

roles

roles:updated_at Role updated time, format: ISO8601

roles

roles:student_grade Only present when user has 'stundet' role, provides grade, example value: '6'

roles

roles:student_parallel

Only present when user has 'stundet' role, provides class parallel info, example: 'A'

custodies name String, full name
custodies given_name First name
custodies family_name Family name
custodies email Email
custodies email_verified Boolean, true or false, Child has verified his/her email
custodies personal_code Child personal code
custodies personal_code_verified Child user has either verified at least once his/her account with strong authetication or personal code comes form Rahvastikuregister
custodies roles Same attributes as main role attributes.