FHIR Chat · Authorizing POST base searches · implementers

Stream: implementers

Topic: Authorizing POST base searches


Sanjaai (Jan 13 2022 at 18:41):

We need to do patient-based searches against a local FHIR server. It is recommended internally to use POST-based searches to avoid exposure of PHI on the query string.
The FHIR server is placed behind a gateway that does the authorization based on specific FHIR resources and scopes. The gateway tries to be independent from payload and business logic (i.e., avoid looking into the body of the HTTP payload).
However, now the gateway is having difficulties authorizing calls for search and Create to this endpoint because they are on the same subpath (i.e., /Observation) and use the same HTTP verb (POST).
Just wondering whether there are good approaches to address this from the community?
Thank you.

Lloyd McKenzie (Jan 13 2022 at 18:51):

The ContentType header ought to be distinct...

Paul Church (Jan 13 2022 at 18:54):

the POST search REST path is /Observation/_search, which is distinct from a POST to /Observation

Sanjaai (Jan 13 2022 at 18:59):

@Lloyd McKenzie are you referring to content type "application/x-www-form-urlencoded"? I believe it was stated as "May", so I'm not sure whether I can always rely on that.

Paul Church (Jan 13 2022 at 19:02):

Is that optional? I thought that Content-Type was required. Looking at the spec, I don't see a clear MAY/SHALL word in a quick read-through.

Vassil Peytchev (Jan 13 2022 at 19:31):

There is a fairly thinly implied requirement in this statement:

"For this RESTful search (see definition in RESTful API), the parameters are a series of name=[value] pairs encoded in the URL or as an application/x-www-form-urlencoded submission for a POST"

I think the underlying HTTP requirements actually make it required.

Lloyd McKenzie (Jan 13 2022 at 23:15):

It would certainly be wrong to have a ContentType that said the content was FHIR JSON or XML.

Lloyd McKenzie (Jan 13 2022 at 23:15):

Anyhow, Paul's point (which I'd forgotten) means that the distinguishing feature can be the URL.

Sanjaai (Jan 14 2022 at 03:50):

Thank you @Lloyd McKenzie @Paul Church, I think I can use the _search subpath to differentiate. I misread it as optional initially. I verified with a few public servers and it seems to be mandatory with POST-based searches.


Last updated: Apr 12 2022 at 19:14 UTC