Integrating Orthanc with KeyCloak or any other Authenticating Suites

[ujjawal sharma]

Hi,

I was trying to integrate Orthanc with KeyCloak but was unable to do it. Can some one let me know a way how to do it. I would also be happy to pick up any other authneticating suite rather than KeyCloak. I just need the user to be blocked from directly reaching the dashboard. 

Any kind of help will be appreciated.

Thanks,

Ujjawal

[Luiz Eduardo Guida Valmont]

Hi Ujjawal!

If you just need a simple blocking, you might configure Orthanc's native Basic Authentication. It'll be a case of setting "AuthenticationEnabled" to true and "RegisteredUsers" to the users of your choosing in the orthanc.json. The default sample configuration is self-documented like so:

  // Whether or not the password protection is enabled
  "AuthenticationEnabled" : true,

  // The list of the registered users. Because Orthanc uses HTTP
  // Basic Authentication, the passwords are stored as plain text.
  "RegisteredUsers" : {
    "orthanc" : "orthanc"
    // "alice" : "alicePassword"
  },

Should you need something more intricate, you might want to check the Advanced Authorization plugin. For more details, please check: http://book.orthanc-server.com/plugins/authorization.html

But I believe the simple Basic Auth might just what you need.

Have a good one!

Luiz =)

[ujjawal sharma]

Hi Luiz,

Thanks for your suggestion, i made the changes which you have said but still the Authorization popup is not appearing. I have downloaded the source code and i am trying to do a build on it. The build is successful. Is there any documentation on how to deplot it on any web server? 

However, the basic authentication is already enabled in the docker image. In case of docker, the basic authentication is working fine. I am not sure how to make the advanced authorization work on the docker instance.

Thanks,

Ujjawal

[Thibault Nélis]

Hello,

On Thu, 2018-07-12 at 00:38 -0700, ujjawal sharma wrote:
> I am not sure how to make the advanced authorization work on the
> docker instance.

If you wish to use the Osimis Orthanc bundle image (osimis/orthanc),
then you may find you can configure it quite easily through environment
variables.

Documentation:
https://osimis.atlassian.net/wiki/spaces/OKB/pages/26738689/How+to+use+
osimis+orthanc+Docker+images#Howtouseosimis/orthancDockerimages?-
Authorization
https://docs.docker.com/engine/reference/run/#env-environment-variables
https://docs.docker.com/compose/compose-file/#environment
https://bitbucket.org/osimis/orthanc-setup-samples/src/master/docker/au
thorization-plugin/docker-compose.yml
--
Thibault Nélis <t...@osimis.io>
Osimis

[ujjawal sharma]

Thanks a lot for the wonderful info, can you please also let me know what i am doing wrong with the query for enabling the authorization plugin:

docker run --publish=80:8042 --publish=104:4242 --env AUTHZ_ENABLED=true  osimis/orthanc

It seems it should enable the authorization but the log that continue the command says:

No section "Authorization" in the configuration file, the authorization plugin is disabled"

[Thibault Nélis]

On Fri, 2018-07-13 at 01:43 -0700, ujjawal sharma wrote:
> Thanks a lot for the wonderful info, can you please also let me know
> what i am doing wrong with the query for enabling the authorization
> plugin:
>
> docker run --publish=80:8042 --publish=104:4242 --env
> AUTHZ_ENABLED=true osimis/orthanc
>
> It seems it should enable the authorization but the log that continue
> the command says:
>
> No section "Authorization" in the configuration file, the
> authorization plugin is disabled"

Yes, I encourage you to read the notes below the reference
documentation linked previously to understand why that is. We're
struggling to explain these behaviors more helpfully while still being
correct and complete, so feel free to ask more specific questions and
provide feedback on the text.

The short story is: X_ENABLED settings merely *force* the plugins to
run even without a configuration file (useful only if you're providing
configuration yourself *and* you're not using the default configuration
file name). If you want to generate a configuration file (here, you
do), specify any setting or use AUTHZ_BUNDLE_DEFAULTS to use default
values for all settings (in this case the latter is impossible since
there is at least one mandatory setting with no default value).

So, to summarize, in your scenario, you need only specify the
AUTHZ_WEBSERVICE setting at a minimum (because it is mandatory, as
described in the reference documentation). The AUTHZ setup procedure
will then generate the appropriate configuration file for you and
Orthanc will pick it up.

docker run --publish=80:8042 --publish=104:4242 --env AUTHZ_WEBSERVICE=
http://my.authz.service.example/ osimis/orthanc

It's likely you'll want to specify other settings (e.g. to pass tokens
to the authorization service and/or to refine the access control
policy).

[ujjawal sharma]

An update on this, i tried running the below command:

docker run --publish=80:8042 --publish=104:4242 --env AUTHZ_BUNDLE_DEFAULTS=true  osimis/orthanc

and it seems it has enabled the authentication. However, when i hit the URL http://localhost/ it gives the below error and the browser goes to a all white page:

E0713 08:51:01.069647 HttpClient.cpp:228] libCURL error: URL using bad/illegal format or missing URL

E0713 08:51:01.070041 PluginsManager.cpp:197] Exception while invoking plugin service 27: Error in the network protocol

E0713 08:51:01.070123 PluginsManager.cpp:164] Error in the network protocol

[Thibault Nélis]

On Fri, 2018-07-13 at 02:14 -0700, ujjawal sharma wrote:
> An update on this, i tried running the below command:
>
> docker run --publish=80:8042 --publish=104:4242 --env
> AUTHZ_BUNDLE_DEFAULTS=true osimis/orthanc
>
> and it seems it has enabled the authentication. However, when i hit
> the URL http://localhost/ it gives the below error and the browser
> goes to a all white page:
>
> E0713 08:51:01.069647 HttpClient.cpp:228] libCURL error: URL using
> bad/illegal format or missing URL
> E0713 08:51:01.070041 PluginsManager.cpp:197] Exception while
> invoking plugin service 27: Error in the network protocol
> E0713 08:51:01.070123 PluginsManager.cpp:164] Error in the network
> protocol

Yes, that's because Orthanc needs the "Authorization.WebService"
setting somewhere in its configuration file. This should become quite
obvious in retrospect; where shall it send the authorization requests
to? That said, these messages are definitely not intuitive.

I've issued a small patch to fail earlier and with a better message
when this happens (we usually do this for all mandatory settings,
somehow we missed it for this setup procedure):

https://bitbucket.org/osimis/orthanc-builder/pull-requests/41

$ docker container run --rm --env=AUTHZ_BUNDLE_DEFAULTS=true
docker.io/osimis/orthanc:latest |& grep ^AUTHZ
AUTHZ: Generating '/etc/orthanc/authorization.json'...
AUTHZ: Missing WEBSERVICE setting, not generating configuration file

Your immediate intuition using BUNDLE_DEFAULTS was good though, see my
other message in this thread for the correct approach.