FHIR Chat · OAuth2 / Keycloak

Stream: ibm

Topic: OAuth2 / Keycloak

Cornelius Erbelding (Nov 12 2020 at 15:08):

Hi,
as described in this Issue, i'm trying to use Keycloak as Authentification provider.
It works via browser, but via CLI or Postman, (providing previously generated Bearer-Token) it only returns

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
    <script type="text/javascript" language="javascript">
        var loc=window.location.href;document.cookie="WASReqURLOidcn221075362="+loc+"; path=/;"
    </script>
    <script type="text/javascript" language="javascript">
        window.location.replace("https:// MYURL :8443/auth/realms/fhir/protocol/openid-connect/auth?response_type=code&client_id=fhir_service&state=001605193369358RtvBAm8no&redirect_uri=https%3A%2F%2F MYURL %3A9443%2Foidcclient%2Fredirect%2Ffhir_service&scope=openid+profile")
    </script>
    <title>Redirect To OP</title>
</head>

<body></body>

</html>

Maybe it's no bug, but instead some type of misconfiguration at FHIR, Keycloak or Postman?

Thanks a lot!
Cornelius

Lee Surprenant (Nov 12 2020 at 17:46):

Thanks Cornelius, your timing is good because I've been meaning to document how to do this for a while...

Lee Surprenant (Nov 12 2020 at 17:47):

and thanks for linking your report to those open issues, it helped me identify #1672 as a duplicate of https://github.com/IBM/FHIR/issues/1546 :-)

Lee Surprenant (Nov 12 2020 at 17:48):

so what I've settled in on for our deployment is using the mpJwt liberty feature instead of the openidConnectClient one

Lee Surprenant (Nov 12 2020 at 17:51):

here's a sample config snippet that you could try dropping into fhir-server/configDropins/overrides:

<server>
    <featureManager>
        <!-- mpJwt-1.1 is already enabled in the default server.xml, but it doesn't hurt to repeat it here -->
        <feature>mpJwt-1.1</feature>
    </featureManager>

    <!-- Override the application-bnd binding of the main webapp -->
    <webApplication contextRoot="fhir-server/api/v4" id="fhir-server-webapp" location="fhir-server.war" name="fhir-server-webapp">
        <application-bnd id="bind">
            <security-role id="users" name="FHIRUsers">
                <group id="usersGroup" access-id="group:https://host/auth/realms/${env.KEYCLOAK_REALM}/fhirUser"/>
            </security-role>
        </application-bnd>
    </webApplication>

    <!-- The MP JWT configuration that injects the caller's JWT into a
         ResourceScoped bean for inspection. -->
    <mpJwt id="jwtConsumer"
           jwksUri="http://host/auth/realms/${env.KEYCLOAK_REALM}/protocol/openid-connect/certs"
           audiences="https://host/fhir-server/api/v4"
           userNameAttribute="sub"
           groupNameAttribute="group"
           issuer="https://host/auth/realms/${env.KEYCLOAK_REALM}"
           signatureAlgorithm="RS256"
           authFilterRef="filter"/>

    <authFilter id="filter">
        <requestUrl urlPattern="/fhir-server" />
    </authFilter>
</server>

Lee Surprenant (Nov 12 2020 at 17:52):

note that here we're actually using an additional claim called group to assign the user to our FHIRUsers security-role

Lee Surprenant (Nov 12 2020 at 17:53):

hopefully that helps (until i can get to providing better doc)

Lee Surprenant (Nov 12 2020 at 17:54):

also, i'm guessing there is a way to do this with the liberty openidConnect features as well; I think I just ended up down this path because I wanted to get the JWT injected into our JAX-RS stuff for something

Cornelius Erbelding (Nov 13 2020 at 06:31):

Dear @Lee Surprenant , thanks for your help.
As far as I can see, this would be the keycloakRP.xml Dropin from the Smart-FHIR component, right?
I'm assuming, the oauthResourceServer.xml dropin should be disabled / replaced by the one above.

I will try this solution and get back to you as soon as there is something to report.

Lee Surprenant (Nov 13 2020 at 11:45):

That’s right, But for this to work you’ll need to make sure your users in keycloak belong to a group called “fhirUser”

Lee Surprenant (Nov 13 2020 at 11:47):

And configure keycloak with an audience mapper which sets the aud claim to match what the FHIR server expects

Cornelius Erbelding (Nov 17 2020 at 12:23):

I managed to get it running.
I wrote all necessary configurations into the GitHub Issue #1703 for all other users facing the same problem.

Sadly, after enabling the token-based authorization, Browser-Access (with the desired redirect to Keycloak-Login) doesn't work anymore.
Normally, the option inboundPropagation="supported" should issue a redirect to Keycloak-Login-UI if no token or invalid token is supplied. (while inboundPropagation="required" ignores missing/invalid tokens)

Lee Surprenant (Nov 17 2020 at 12:30):

awesome. you don't mind if we nab some of that content for the documentation (https://github.com/IBM/FHIR/issues/1546) do you?

Are you sure that inboundPropagation="required" ignores missing/invalid tokens? I really thought it errored out in those cases (but agree that it doesn't redirect).

Cornelius Erbelding (Nov 17 2020 at 13:17):

Lee Surprenant said: