Transcript

Access Token Response

Token Generation

Client Application

Access token retrieval

HTTP response sent to the redirect_uri provided by Bob. The following parameters are included in the URI fragment (<scheme name> : <hierarchical part> [ ? <query> ] [ # <fragment> ]):

/ws/oath2/fragmentextracter.html

  • Now Bob's application will retain the fragment information locally.
  • Bob's application sends a request to the OAuth2 module to fetch a web page with embedded JavaScript that can extract the token and other parameters from the fragment in the client's browser (or user agent).

The embedded script will extract the parameters from the URI Fragment via user agent and send the extracted parameters to the client server.

Bob's application now has the Access Token.

  • Generate an access token only after the client authorization step.

access_token = "asdasdasdasd3215"

token_type = "fhir_basic_rest_basic"

expires_in = 3600

scope = (optional)

state = (state management for the client; the value is the same as the client sent in the authorization request)

refresh_token = Not generated (as per specification)

OAuth2 Module

User Authentication

Client Authorization

Authorization Request

GET http://www.openmrsinstance.com/openmrs/ws/oauth2/authorize

response_type = "code"

app_id = "asdkjIuHjhL6556LKJJHFt"

app_secret = "456ASdsafejkhajk123cvJKH"

redirect_uri = "www.xyz-emr.com/oauthclientplay"

state = "" (Recommended)

scope = "" (Optional)

p.s. these permissions were set during client registration

  • Validate the request.
  • redirect_uri must match the redirect_uri provided during registration.
  • If all parameters are valid, redirect to end-user (Alice's) authentication.

p.s. app_id and app_secret were provided to Bob after Client Registration

Authorization Request

OAuth2 module

User Authentication

Client Authorization

GET openmrsinstance.com/openmrs/ws/oauth2/authorize

/ws/oauth2/authenticate_user

  • Validate the request.
  • If the request is okay, redirect to User Authentication.

response_type = "code"

app_id = "asdkjIuHjhL6556LKJJHFt"

app_secret = "456ASdsafejkhajk123cvJKH"

redirect_uri = "www.xyz-emr.com/oauthclientplay"

state = "" (Recommended)

scope = "" (Optional)

p.s. these permissions were specified during client registration

p.s. app_id and app_secret were provided to Bob after Client Registration


Authorization Grant Types

Authorization Response

Client is authorized

Authorization Code Generation

OAuth2 module

Access Token Request

Access Token Response

POST https://www.openmrsinstance.com/openmrs/oauth2/token

response sent to redirect_uri with the following parameters :

code = "asdas2156S4a5AS"

state = (same as that of authorization request)

Bob sends a request to the token endpoint (with client credentials in the Authorization header, or another suitable strategy) with the following parameters:

Bob's application can request an access token using only its own credentials, to access OpenMRS resources under its control (or possibly Alice's resources, provided she has previously authorized the application). This grant type MUST be used only with confidential clients.

Access Token Response

grant_type = "client_credentials"

scope = (Optional)

  • Authenticate the client.
  • Validate the request parameters.
  • If the parameters are valid and authentication succeeds, generate an access token.

Access Token Request

Authorization

Oauth2 Module

access_token = "asda56ad546a65"

https://www.openmrsinstance.com/openmrs/ws/oauth2/token

Alice provides Bob with her username and password for the OpenMRS instance.

grant_type = "password"

username = "Alice"

password = "Alice's Password"

scope = (Optional)

  • Validate the request.
  • Authenticate the application.
  • Protect the endpoint against brute-force attacks (as Alice's credentials need to be protected).

Bob sends this request to the token endpoint

Client Authentication

Token Generation

Access Token Response

Access Token Request

POST https://www.openmrsinstance.com/openmrs/ws/oauth2/token

access_token = "fgnljkJ&*HJs^%kkoeioa5522"

refresh_token = "jkYUIG21UIsdasd6+563s4d4f5"

grant_type = "authorization_code"

code = "asdas2156S4a5AS"

redirect_uri = "www.xyz-emr.com/oauthTokenplay"

app_id="456ASdsafejkhajk123cvJKH"

OAuth2 module

  • Verifies that the authorization code is valid and corresponds to the client_id request parameter.
  • Verifies that the client_secret provided with the request and the client_secret stored for that client_id (in the database) match (the exact strategy may vary, e.g. a public key).
  • Validates the redirect_uri parameter against the one stored in the database.

Authorization Code

Client Credentials Grant

Implicit Grant Type

Resource Owner Password Credentials Grant

OpenMRS OAuth2 Module

Bob's application can now send requests to the Authorization and Token endpoints provided by the OAuth2 module. After getting an access token, Bob will be able to utilize the web services exposed by the FHIR and REST modules.

Meet Alice. (resource owner)

  • Alice has an account on the OpenMRS instance.
  • Bob's application wants to access Alice's resources via the OpenMRS web services modules.

UI mockups

Bob gets his Client Developer Account

  • Bob contacts the Admin of the OpenMRS instance.
  • The admin creates an OpenMRS account for Bob. His "role" is "client developer". (The OAuth2 module will automatically create this role on installation.)

Bob Registers his application


Bob logs into OpenMRS instance as Client Developer

But to do so, Bob needs to register his application with the OAuth2 module running on the OpenMRS server.

Client Registration

To do so, Bob's application needs Authorization from Alice to act on her behalf

After Authentication and Authorization, Bob's app will be able to send requests to the FHIR/ REST modules to access Alice's resources.

Client Registrations


The OAuth2 module will provide OAuth2 based authorization and authentication support for external clients seeking to utilize web services of FHIR and REST or similar future modules.

Bob logs into his client developer account

Maybe, I will create a new app and discard this one completely!!

Alice logs in into her OpenMRS instance account

I don't want Bob's application to access my resources on the OpenMRS installation anymore!

I want to revoke access to Bob's Application

Suppose Bob no longer needs the resources of users from OpenMRS instance

Bob is a developer for the EMR running at XYZ Hospital.

Bob and his team have developed a client that can utilize the OAuth2 protocol, and they want to securely exchange patient (or other) information with the OpenMRS server.

Suppose after some time, Alice has a thought!

Refreshing an Access Token

OAuth2 Module

Refresh Response

Bob's application makes a request to

POST http://www.openmrsinstance.com/openmrs/ws/oauth2/access_token

  • validate the refresh token
  • authenticate client and/or user, if required
  • invalidate previously issued access token
  • generate new access token

grant_type = "refresh_token"

refresh_token = "as45646as4dasd"

Prepare an HTTP response to the redirect_uri and include the new access token in the response body (Content-Type = "application/json", as seen before).

Parameters for client and user authentication may be included

Meet Bob!

Role: User Agent

Description: A web browser / interface used by the user to interact with the client and the OpenMRS installation.

Role: Client Developer

Description: A software developer responsible for the client.

Roles

public class Main {
    public static void main(String[] args) {
        // placeholder from the slides; intentionally empty
    }
}

Now, Bob's application has got an access token and it can use this token to access the web services exposed by FHIR and REST modules.

FHIR Request Filter

Role: Resource Owner / End User / user

Description: Any OpenMRS user whose resources can be exposed to external clients (with proper authorization) via the web services modules.

FHIR Resource Access Request

FHIR module will fetch the requested Resource

Let's say Bob's application wants to get a Patient resource by UUID via the FHIR module. It will send the following request:

GET http://openmrsinstance.com/openmrs/ws/fhir/Patient/dda12af7-1691-11df-97a5-7038c432aabf

When the request arrives at the FHIR module, a request filter will utilize the OAuth2 module's validateToken() method to validate the accompanying access token.

The request will also include the access token issued to Bob's application in the previous steps (and, if required, client credentials).

access_token = "asdhjua56a564d78"

Role: Resource Server

Description: The OpenMRS server hosting the web services sought by the client.

OAuth2 module, Token Validation

A token is valid iff:

  • it decrypts properly
  • the information it contains matches the information used to construct it
  • the client was issued this very token in the previous steps (may require client authentication, but can be achieved with client_id alone)
  • the token is not expired

Role: Authorization Server/ OAuth2 module

Description: The OAuth2 module hosted on the OpenMRS installation.

Role: Client

Description: Any external web application, browser-based application or native application that is part of an EMR / hospital management system and wants to use the user's resources on the OpenMRS instance.

REST request filter

REST web services module

REST web service module access request


updates Alice's name

When the request arrives at the REST web services module, a request filter will utilize the validateToken() method of the OAuth2 module's API before processing the request.

Let's say Bob's application wants to change Alice's name to Alice Monroe by utilizing the REST Web Services module. It will send the following request:

POST /ws/rest/person/uuidofperson/name

Body content:

{"givenName": "Alice", "familyName": "Monroe", "access_token": "asda56465asd65"}

REST Module

If required, we can include the client_id or client credentials as a request parameter or in the Authorization header.

EMR

OAuth2 Module

Thank You!

FHIR Module

OAuth2 Module

JSON string in the body of the HTTP response to the redirect_uri, with MIME type "application/json":

{
  "access_token": "fgnljkJ&*HJs^%kkoeioa5522",
  "token_type": "fhir_basic_rest_basic",
  "expires_in": 3600,
  "refresh_token": "jkYUIG21UIsdasd6+563s4d4f5",
  "scope": "<client_scope_value>"
}

OAuth2 Module

Once registration is complete, the OAuth2 module will be able to authenticate Bob's application whenever it sends requests to the protocol endpoints.

The sequence of authorization, authentication and issue of tokens depends on the Authorization Grant Type.


OAuth2 Module


OAuth2 Module

Let's have a look at some of the additional features of the OAuth2 module.

JSON string in the body of the HTTP response to the redirect_uri, with MIME type "application/json":

{
  "access_token": "asda56ad546a65",
  "token_type": "fhir_basic_rest_basic",
  "expires_in": 3600,
  "refresh_token": "jkYUIG21UIsdasd6+563s4d4f5",
  "scope": "<client_scope_value>"
}

OAuth2 Module
