Security and Authentication

All services require a valid token from the IdP when called.

All services require TLS (version 1.2 or higher) for transport security.

In line with industry best practices the HIMSA IdP does not allow IFRAME based usage for any kind of user interactive authentication. An X-FRAME-OPTIONS HTTP header is always returned with the value ‘SameOrigin’.

Authentication

Noah ES contains an Identity Provider that supports OAuth 2.0 and OpenId Connect. The Identity Provider (IdP) is used for Authentication.

The flow below applies to user interactive apps. For service apps / machine-to-machine client type the simplified Client Credentials flow is used.

1. Request

Parameters that must be supplied:

  • URI and port number

    • QA environment: idp.qa.eu.noah-es.com:443

    • EU Production: idp.eu.noah-es.com:443

    • US Production: idp.us.noah-es.com:443

  • ClientId: Supplied by HIMSA

  • Client secret: Supplied by HIMSA if required

  • Scope: openid profile noah.cloud.app.api

    • If relevant for your app and app registration allows: offline_access

  • Flow: Authorization Code + PKCE

  • RedirectURI: IdP will redirect the client to this after successful authentication, with tokens for accessing the API. You must inform HIMSA about this, because we need to whitelist it

  • Extra options

    • culture-lcid: Culture LCID code for localizing the website

2. Response

When the client is redirected to the RedirectURI, the response will contain:

  • auth_code: Must be exchanged afterwards for an access token

  • Id token

    • tenantid claim: The tenantId that the user selected

3. Exchange auth_code for an access token

Note: This is done automatically if you are using HIMSA's .NET Client.

Access and refresh tokens may vary greatly in length. Make no assumptions about the contents. It can change at any point in time

4. Connecting to API

  • URI and port number

    • QA environment: api.qa.eu.noah-es.com:443

    • EU Production: api.eu.noah-es.com:443

    • US Production: api.us.noah-es.com:443

  • HIMSA's .NET Client:

    • Either use the constructor that takes an access token or a refresh token as input

5. Renewal of access token

Note: This is done automatically if you are using HIMSA's .NET Client.

Lifetime of access tokens and refresh tokens varies depending on the client type and app type.

We never issue refresh tokens for service-apps/machine-to-machine apps. For other app types, it is possible to submit a support request for HIMSA to allow the use of refresh tokens for a specific app: Noah ES API Support