HTTP response sent to the redirect_uri provided by Bob. The following parameters are included in the URI fragment (<scheme name> : <hierarchical part> [ ? <query> ] [ # <fragment> ]):
/ws/oauth2/fragmentextracter.html
The embedded script will extract the parameters from the URI fragment via the user agent and send the extracted parameters to the client server.
Bob's application now has the Access Token.
access_token = "asdasdasdasd3215"
token_type = "fhir_basic_rest_basic"
expires_in = 3600
scope = (optional)
state = (state management for client. Value is same as the client sent in the authorization request)
access_token = "asdasdasdasd3215"
refresh_token = Not Generated (as per specification)
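A sketch of the check the embedded fragment-extracting script can make before it sends anything to the client server: the state in the fragment must equal the value the client sent in the authorization request. This is an added example, not code from the OAuth2 module; the function name, the https scheme on the redirect_uri and the sample state value are assumptions.

```javascript
// Added example (not from the original deck): parse the URI fragment of the
// implicit-grant redirect and validate it before forwarding the parameters.
// extractTokenFromFragment and its error strings are hypothetical names.
function extractTokenFromFragment(redirectUrl, expectedState) {
  const hash = new URL(redirectUrl).hash;            // "#access_token=...&state=..."
  if (hash.length <= 1) throw new Error("no fragment in redirect");
  const params = new URLSearchParams(hash.slice(1)); // percent-decodes the values

  // An error response carries "error" instead of a token.
  if (params.has("error")) {
    throw new Error("authorization failed: " + params.get("error"));
  }

  // state must be the value the client sent in the authorization request;
  // a missing or different value means this response was not asked for.
  if (!expectedState || params.get("state") !== expectedState) {
    throw new Error("state mismatch");
  }

  const accessToken = params.get("access_token");
  const tokenType = params.get("token_type");
  if (!accessToken || !tokenType) {
    throw new Error("missing access_token or token_type");
  }

  let expiresIn = null;                               // expires_in may be absent
  if (params.has("expires_in")) {
    expiresIn = Number(params.get("expires_in"));
    if (!Number.isInteger(expiresIn) || expiresIn <= 0) {
      throw new Error("invalid expires_in");
    }
  }

  // No refresh_token is read: this grant does not generate one.
  return { accessToken, tokenType, expiresIn, scope: params.get("scope") };
}

// Constructed sample redirect; the scheme and the state value "k3Jx9" are assumptions.
const SAMPLE_REDIRECT =
  "https://www.xyz-emr.com/oauthclientplay#access_token=asdasdasdasd3215" +
  "&token_type=fhir_basic_rest_basic&expires_in=3600&state=k3Jx9";

// In a browser the first argument would be window.location.href.
console.log(extractTokenFromFragment(SAMPLE_REDIRECT, "k3Jx9"));
```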
GET http://www.openmrsinstance.com/openmrs/ws/oauth2/authorize
response_type = "code"
app_id = "asdkjIuHjhL6556LKJJHFt"
app_secret = "456ASdsafejkhajk123cvJKH"
redirect_uri = "www.xyz-emr.com/oauthclientplay"
state = "" (Recommended)
scope = "" (Optional)
p.s. these permissions were set during client registration
p.s. app_id and app_secret were provided to Bob after Client Registration
GET openmrsinstance.com/openmrs/ws/oauth2/authorize
/ws/oauth2/authenticate_user
response_type = "code"
app_id = "asdkjIuHjhL6556LKJJHFt"
app_secret = "456ASdsafejkhajk123cvJKH"
redirect_uri = "www.xyz-emr.com/oauthclientplay"
state = "" (Recommended)
scope = "" (Optional)
p.s. these permissions were specified during client registration
p.s. app_id and app_secret were provided to Bob after Client Registration
POST https://www.openmrsinstance.com/openmrs/oauth2/token
response sent to redirect_uri with the following parameters :
code = "asdas2156S4a5AS"
state = (same as that of authorization request)
Bob sends a request to the token endpoint (with client credentials in the Authorization header, or another suitable strategy) with the following parameters:
Bob's application can request an access token using only its credentials, to access OpenMRS resources under its control or maybe even resources of Alice, provided she has previously authorized the application. This grant type MUST be used with confidential clients.
grant_type = "client_credentials"
scope = (Optional)
Access token = "asda56ad546a65"
https://www.openmrsinstance.com/openmrs/ws/oauth2/token
Alice provides Bob with her username and password for the OpenMRS instance.
grant_type = "password"
username = "Alice"
password = "Alice's Password"
scope = (Optional)
Bob sends this request to the token endpoint
POST https://www.openmrsinstance.com/openmrs/ws/oauth2/token
access_token = "fgnljkJ&*HJs^%kkoeioa5522"
refresh_token = "jkYUIG21UIsdasd6+563s4d4f5"
grant_type = "authorization_code"
code = "asdas2156S4a5AS"
redirect_uri = "www.xyz-emr.com/oauthTokenplay"
app_id = "456ASdsafejkhajk123cvJKH"
OAuth2 module
but to do so, Bob needs to register their application with the OAuth2 module running on the OpenMRS server
After authentication and authorization, Bob's app will be able to send requests to the FHIR/REST modules to access Alice's resources.
The OAuth2 module will provide OAuth2 based authorization and authentication support for external clients seeking to utilize web services of FHIR and REST or similar future modules.
Bob logs into his client developer account
Maybe, I will create a new app and discard this one completely!!
Alice logs into her OpenMRS instance account
I don't want Bob's application to access my resources on the OpenMRS installation anymore!
I want to revoke access to Bob's Application
Suppose Bob no longer needs the resources of users from the OpenMRS instance.
Bob is a developer for the EMR running at XYZ Hospital.
Bob and his team have developed a client that can utilize the OAuth2 protocol and they want to securely exchange patient (or other) information with the OpenMRS server.
Suppose after some time, Alice has a thought!
Bob's application makes a request to
POST http://www.openmrsinstance.com/openmrs/ws/oauth2/access_token
grant_type = "refresh_token"
refresh_token = "as45646as4dasd"
Prepare an HTTP response to the redirect_uri.
And include the new access token in the response body. (Content-type = "application/json", as seen before)
Parameters for client and user authentication may be included
Meet Bob!
Role: User Agent
Description: A web browser/interface used by the user to interact with the client and the OpenMRS installation
Role: Client Developer
Description: A software developer responsible for the client.
public static void main(){
}
Role: Resource Owner/End User/user
Description: Any OpenMRS user whose resources can be exposed to external clients (with proper authorization) via web services modules
Let's say Bob's application wants to get a Patient resource by UUID via the FHIR module. It will send the following request:
GET http://openmrsinstance.com/openmrs/ws/fhir/Patient/dda12af7-1691-11df-97a5-7038c432aabf
When the request arrives at the FHIR module, a request filter will utilize the OAuth2 module's validateToken() method to validate the accompanying access token
The request object will also include the access token issued to Bob's application in the previous steps (and, if required, client credentials).
access_token = "asdhjua56a564d78"
Role: Resource Server
Description: The OpenMRS server hosting
the web services sought by the client
A token is valid iff :
Role: Authorization Server/ OAuth2 module
Description: The OAuth2 module hosted on
the OpenMRS Installation
Role: Client
Description: Any external web application, browser-based application or native application that is part of an EMR/hospital management system and wants to use a user's resources on the OpenMRS instance
updates Alice's name
When the request arrives at the REST web services module, a request filter will utilize the validateToken() method of the OAuth2 module's API before processing the request
Let's say Bob's application wants to edit Alice's name to Alice Monroe by utilizing the REST Web Services module. It
POST /ws/rest/person/uuidofperson/name
Body content:
{"givenName": "Alice", "familyName": "Monroe", "access_token": "asda56465asd65"}
REST Module
If required, we can include client_id or client credentials as a request parameter or in the Authorization header
EMR
OAuth2 Module
Thank You!
FHIR Module
JSON string in the body of the HTTP response to the redirect_uri with MIME type = "application/json"
{
"access_token":"fgnljkJ&*HJs^%kkoeioa5522",
"token_type":"fhir_basic_rest_basic",
"expires_in":3600,
"refresh_token":"jkYUIG21UIsdasd6+563s4d4f5",
"scope":"(client_scope_value)"
}
JSON string in the body of the HTTP response to the redirect_uri with MIME type = "application/json"
{
"access_token":"asda56ad546a65",
"token_type":"fhir_basic_rest_basic",
"expires_in":3600,
"refresh_token":"jkYUIG21UIsdasd6+563s4d4f5",
"scope":"(client_scope_value)"
}