How we add authentication/authorization in a HAPI Server?


Safety Labs Inc

Aug 24, 2018, 1:22:09 PM
to HAPI FHIR


We are using HAPI FHIR 3.0.0 REST Server (FHIR Server; FHIR 3.0.1/DSTU3). Today our HAPI server is not secure, i.e. anybody can access data, for example: https://fhir.dstu3.safetylabs.org/baseDstu3/Observation/9981


This HAPI server is accessed from two client types:

  • Our WebServer – We have a server which maintains, among other things, usernames and passwords for clinicians and other users. Our webserver "posts" observations to the HAPI server. HAPI server must authenticate our Server before the post is allowed. Ideally HAPI should authenticate our webserver using oAuth2's two-legged authentication (or similar). 2-legged authentication is used for server-to-server authentication. In this case our WebServer is provided a client ID and a secret key (similar to username/password for humans). Our WebServer is authenticated by HAPI using the accompanying client ID and secret key. Ideally HAPI should return an accessToken to our webserver for its subsequent access to HAPI.
  • Web App – A user on our web app authenticates with our webserver by logging in. Webserver in turn needs to obtain an accessToken from HAPI for the user and send the accessToken to the Web App. WebApp then uses the accessToken to access HAPI.


How do we implement the above or another security scheme in HAPI?


HAPI does provide Authentication Interceptors (http://hapifhir.io/doc_rest_server_security.html). Ideally these Interceptors should return an access token to be used by WebServer and Web App for subsequent requests to HAPI.

However, HAPI Authentication Interceptors only return "true" and not an access token (for example Java Web Token JWT - https://jwt.io/).


Thank you for your help.
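As an added illustration (not code from the thread or from the HAPI project) of how the interceptor fits the scheme described above: the interceptor is the verifier, not the issuer. The OAuth2 authorization server (client-credentials for the web server, a user flow for the web app) mints the token; the FHIR server only checks it. The snippet assumes an HS256 JWT signed with a secret shared with that authorization server and the HAPI 3.x package layout for the imports.

```java
// Added example: HAPI FHIR interceptor that verifies (never issues) an HS256 JWT bearer token.
// Assumptions: HS256 secret shared with the authorization server; HAPI 3.x import packages.
import ca.uhn.fhir.rest.api.server.RequestDetails;
import ca.uhn.fhir.rest.server.exceptions.AuthenticationException;
import ca.uhn.fhir.rest.server.interceptor.InterceptorAdapter;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class BearerJwtInterceptor extends InterceptorAdapter {
    private static final Pattern EXP = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");
    private final byte[] secret; // HS256 key shared with the authorization server (assumed)

    public BearerJwtInterceptor(byte[] secret) { this.secret = secret; }

    @Override
    public boolean incomingRequestPostProcessed(RequestDetails details, HttpServletRequest req,
                                                HttpServletResponse resp) throws AuthenticationException {
        String header = req.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            throw new AuthenticationException("Missing bearer token");
        }
        String[] parts = header.substring(7).trim().split("\\.");
        if (parts.length != 3) throw new AuthenticationException("Malformed token");
        try {
            Base64.Decoder b64 = Base64.getUrlDecoder(); // JWT uses unpadded base64url
            String jose = new String(b64.decode(parts[0]), StandardCharsets.UTF_8);
            // Pin the algorithm server-side: the token header must not choose "none" or another alg.
            if (!jose.contains("\"HS256\"")) throw new AuthenticationException("Unsupported alg");
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            byte[] expected = mac.doFinal((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
            if (!MessageDigest.isEqual(expected, b64.decode(parts[2]))) { // constant-time compare
                throw new AuthenticationException("Bad signature");
            }
            String claims = new String(b64.decode(parts[1]), StandardCharsets.UTF_8);
            Matcher m = EXP.matcher(claims); // exp is seconds since epoch
            if (!m.find() || Long.parseLong(m.group(1)) * 1000L < System.currentTimeMillis()) {
                throw new AuthenticationException("Token expired or has no exp claim");
            }
        } catch (java.security.GeneralSecurityException | IllegalArgumentException e) {
            throw new AuthenticationException("Token rejected"); // bad base64, bad key, overflow
        }
        return true; // true = let HAPI continue processing the request
    }
}
```

Register it with `registerInterceptor(new BearerJwtInterceptor(secret))` in `RestfulServer.initialize()`; the `true` return is only "continue", and a thrown `AuthenticationException` is turned into an HTTP 401 by HAPI.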


Safety Labs Inc

Aug 27, 2018, 10:23:53 AM
to HAPI FHIR

Same question in simpler description

How can we implement backend server authentication in FHIR:HAPI? i.e. how can our HAPI:FHIR server verify authentication of our server for RESTful API requests?

Kevin Mayfield

Aug 27, 2018, 10:41:53 AM
to Safety Labs Inc, HAPI FHIR
Take a look here http://hapifhir.io/doc_rest_server_security.html

HSPC and NHS UK reference implementations have both implemented this (using oauth2 plus smart on fhir). 

I don’t think either of these have documented this specifically but you can browse either code base.

Sent from my iPhone

--
You received this message because you are subscribed to the Google Groups "HAPI FHIR" group.
To unsubscribe from this group and stop receiving emails from it, send an email to hapi-fhir+...@googlegroups.com.
To post to this group, send email to hapi...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/hapi-fhir/f3fe9393-f4c4-4471-b45d-7c5ee2888710%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Avinash Shanbhag

Aug 27, 2018, 1:21:13 PM
to Kevin Mayfield, Safety Labs Inc, HAPI FHIR
Hi 

We have an open source github project that has implemented SMART App Authorization Guide on FHIR R3 Server. It's at the following link:


It is short on user documentation, since it was primarily built for our own use. But, feel free to let me know if you need any help in using the code.

Regards
avinash






Safety Labs Inc

Aug 27, 2018, 5:12:55 PM
to HAPI FHIR
Seems HSPC RI brings together Smart-FHIR, OAuth 2, and HAPI FHIR. HSPC RI is downloaded from  https://github.com/smart-on-fhir-reference-implementation/reference-api-webapp or https://bitbucket.org/hspconsortium/reference-api 

Would using HSPC RI as a FHIR solution, as opposed to HAPI FHIR, provide oAuth2 authentication? Is HSPC RI created for developers to download, deploy and develop?

vvi...@vvizard.ru

Sep 1, 2018, 10:12:34 AM
to HAPI FHIR
Hello
For the "Our WebServer" case you can use an X.509 certificate on the "HAPI server" and implement RestfulClientFactory as ApacheRestfulClientFactory with X.509 support.

Then you can use your SSLRestfulClientFactory in FhirContext
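The client-side half of that suggestion, as an added example that is not from this post or from HAPI: a HAPI DSTU3 client whose Apache HttpClient presents an X.509 client certificate (mutual TLS) to the FHIR server. It assumes Apache HttpClient 4.4+ (HAPI's default transport), the HAPI 3.x client packages, and PKCS12 key and trust stores at caller-supplied paths; the server side (the servlet container requiring and validating client certificates) is not shown.

```java
// Added example: HAPI FHIR generic client configured for mutual TLS.
// Assumptions: HAPI 3.x client packages, Apache HttpClient 4.4+, PKCS12 stores (paths are placeholders).
import ca.uhn.fhir.context.FhirContext;
import ca.uhn.fhir.rest.client.apache.ApacheRestfulClientFactory;
import ca.uhn.fhir.rest.client.api.IGenericClient;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import javax.net.ssl.SSLContext;
import java.io.FileInputStream;
import java.security.KeyStore;

public class MtlsFhirClient {
    public static IGenericClient build(String baseUrl, String keyStorePath, char[] keyPass,
                                       String trustStorePath, char[] trustPass) throws Exception {
        // Client identity: the certificate + private key the FHIR server authenticates.
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(keyStorePath)) { keyStore.load(in, keyPass); }
        // Trust anchors: the CA that issued the FHIR server's own certificate.
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(trustStorePath)) { trustStore.load(in, trustPass); }
        SSLContext ssl = SSLContexts.custom()
                .loadKeyMaterial(keyStore, keyPass)
                .loadTrustMaterial(trustStore, null) // null strategy = default chain validation
                .build();
        CloseableHttpClient httpClient = HttpClients.custom().setSSLContext(ssl).build();
        // Hand the TLS-aware HttpClient to HAPI's Apache client factory.
        FhirContext ctx = FhirContext.forDstu3();
        ApacheRestfulClientFactory factory = new ApacheRestfulClientFactory(ctx);
        factory.setHttpClient(httpClient);
        ctx.setRestfulClientFactory(factory);
        return ctx.newRestfulGenericClient(baseUrl); // e.g. ".../baseDstu3"
    }
}
```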


On Saturday, 25 August 2018 at 3:22:09 UTC+10, Safety Labs Inc wrote: