Stream: clinFHIR
Topic: OAuth access token
Joel Schneider (Oct 05 2020 at 14:54):
Is there a straightforward way to use an OAuth access token with clinFHIR?
A minimal implementation would involve adding an "Authorization: Bearer <access_token>" header to outbound FHIR API requests.
David Hay (Oct 05 2020 at 18:27):
Not at the moment - which module are you thinking of? Patient Viewer? Wouldn't be hard to do that. (I've been meaning to do the full SMART thing some time so this might be an interim step)...
Josh Mandel (Oct 05 2020 at 19:03):
https://microsoft-healthcare-madison.github.io/patient-lists-demo/ has an example of this kind of thing under "settings" --
lets you just paste in a token if you happen to be connecting to a server that needs one.
H/T @Carl Anderson
Joel Schneider (Oct 05 2020 at 19:41):
Something like that would be great.
Joel Schneider (Oct 05 2020 at 19:49):
Yes, the Patient Viewer module.
David Hay (Oct 07 2020 at 03:07):
OK - will get on to it...
David Hay (Oct 10 2020 at 20:09):
Ok - all done (and thanks to help from @Joel Schneider for investigation work). If you use the Patient Viewer module, when you click the 'Select Patient' button then at the bottom of the dialog is a text box where you can enter an Access Token. The token is stored in the browser memory and will be supplied in the Authorization header of any subsequent request in Patient Viewer.
Interestingly, adding this header causes AngularJS (which clinFHIR is written in) to generate an HTTP OPTIONS request - which the server must support as part of CORS. Turns out you need to do a little bit of Hapi configuration to support this.
This doesn't work:
CorsInterceptor corsInterceptor = new CorsInterceptor();
This does:
CorsConfiguration corsConfiguration = new CorsConfiguration();
corsConfiguration.applyPermitDefaultValues();
corsConfiguration.setAllowedMethods(Arrays.asList(new String[] { "*" }));
CorsInterceptor corsInterceptor = new CorsInterceptor(corsConfiguration);
If people want, I can look to implement the full OAuth2 dance, but for now this should be enough...
Joel Schneider (Oct 11 2020 at 07:14):
Created a related hapi-fhir pull request here:
https://github.com/jamesagnew/hapi-fhir/pull/2126
Joel Schneider (Oct 11 2020 at 08:38):
It would be best to also add relevant exposed headers to the custom CorsConfiguration, e.g.:
corsConfiguration.setExposedHeaders(Arrays.asList(new String[] {
"Content-Location",
"Date",
"ETag",
"Location",
"X-Request-Id",
"X-Correlation-Id"
}));
Josh Mandel (Oct 12 2020 at 15:07):
> Interestingly, adding this header causes AngularJS (which clinFHIR is written in) to generate an HTTP OPTIONS request
It's actually more basic -- this is standard, automatic browser behavior for requests that can't be considered "simple requests". https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Simple_requests has a good overview.
David Hay (Oct 12 2020 at 17:11):
Thanks Josh! Joel has also suggested a shift to HTTPS - something I've been thinking about, but should really move on. Main complication I'm anticipating is accessing plain HTTP servers - IIRC the browser displays a warning when that happens...
Josh Mandel (Oct 12 2020 at 17:27):
Yeah, one possibility is to offer https-or-not, by hosting your app at https: and http: endpoints.
Josh Mandel (Oct 12 2020 at 17:27):
We do this for http://launch.smarthealthit.org/ and https://launch.smarthealthit.org/
David Hay (Oct 12 2020 at 17:49):
Will give that a try...
Last updated: Apr 12 2022 at 19:14 UTC