Stream: implementers
Topic: OpenID Connect provider with SMART scopes
Christiaan Knaap (Jan 08 2018 at 15:39):
We've implemented authorization in Vonk, based on the SMART scopes and launch context. The basic question is: How do others provide an OpenID Connect Provider where users can configure their scopes for testing? Preferably without maintaining our own.
More background:
Since Vonk is a FHIR Server and not an end-user application (it has no UI), the expected flow is:
1. User interacts with some application X.
2. X retrieves an access token by redirecting the user to an OpenID Connect Provider.
3. X interacts with Vonk, with the access token as the Authentication header.
4. Vonk validates the token and restricts access based on the scopes (like user/*.read) and - if present - a compartment defined by a launch scope (e.g. patient=123).
For users to test this on the public endpoint (after we have deployed this), we need that OIDC Provider. And for testing purposes it would be useful if they could configure their own scopes. Users can then use Postman or another REST client as a dummy for application X.
From tests so far I found:
- SMART Sandbox is only meant to work with its own FHIR Server (you cannot configure the 'audience'), and we cannot get it to provide the SMART claims in the access token.
- Grahame's server is capable of using HL7 authorization, but states that that is not really OAuth (let alone OIDC), plus from this documentation I cannot work out how to configure that.
Grahame Grieve (Jan 08 2018 at 19:54):
The HL7 server isn't what you are looking for. I use it as an identity provider from the authorization server, equivalent to Facebook or Google. I wrote my own OIDC provider, as did other implementations. I also use Google and Facebook as OIDC providers, but they are at a different point in the workflow.
Last updated: Apr 12 2022 at 19:14 UTC