OpenMRS OAuth2 module - UI Mockups and Use Cases

by Mayank Sharma on 31 March 2015


Transcript of OpenMRS OAuth2 module - UI Mockups and Use Cases

Now, Bob's application has got an access token and it can use this token to access the web services exposed by FHIR and REST modules.
OpenMRS OAuth2 Module
UI mockups
Client Registrations
Bob is a developer for the EMR running at XYZ Hospital. Bob and his team have developed a client that can utilize the OAuth2 protocol, and they want to securely exchange patient (or other) information with the OpenMRS server.
Roles
The OAuth2 module will provide OAuth2 based authorization and authentication support for external clients seeking to utilize web services of FHIR and REST or similar future modules.

Bob's application can now send requests to the Authorization and Token endpoints provided by the OAuth2 module. After getting an access token, Bob will be able to utilize the web services exposed by the FHIR and REST modules.
To do so, Bob's application needs authorization from Alice to act on her behalf.
Meet Alice (resource owner). Alice has an account on the OpenMRS instance. Bob's application wants to access Alice's resources via the OpenMRS web services modules.
Once the registration is complete, the OAuth2 module will be able to authenticate Bob's application whenever it sends requests to the protocol endpoints.
Role: Resource Owner / End User / user
Description: Any OpenMRS user whose resources can be exposed to external clients (with proper authorization) via web services modules.
Role: Client
Description: Any external web application, browser-based application or native application that is part of an EMR / hospital management system and wants to use the user's resources on the OpenMRS instance.
Role: Resource Server
Description: The OpenMRS server hosting the web services sought by the client.
Role: Authorization Server / OAuth2 module
Description: The OAuth2 module hosted on the OpenMRS installation.
Role: Client Developer
Description: A software developer responsible for the client.
Role: User Agent
Description: A web browser / interface used by the user to interact with the client and the OpenMRS installation.
Meet Bob! But to do so, Bob needs to register his application with the OAuth2 module running on the OpenMRS server.
Client Registration
Bob gets his Client Developer account: Bob contacts the admin of the OpenMRS instance. The admin creates an OpenMRS account for Bob. His "role" is "client developer". (The OAuth2 module will automatically create this role on installation.)
Bob logs into the OpenMRS instance as a Client Developer.
Bob registers his application.
After authentication and authorization, Bob's app will be able to send requests to the FHIR/REST modules to access Alice's resources. The sequence of authorization, authentication and issue of tokens depends on the Authorization Grant Type.
Authorization Grant Types
Authorization Code
Implicit Grant Type
Resource Owner Password Credentials Grant
Client Credentials Grant
Authorization Request (Authorization Code grant)
GET openmrsinstance.com/openmrs/ws/oauth2/authorize
response_type = "code"
app_id = "asdkjIuHjhL6556LKJJHFt"
app_secret = "456ASdsafejkhajk123cvJKH"
redirect_uri = "www.xyz-emr.com/oauthclientplay"
state = "" (Recommended)
scope = "" (Optional)
p.s. app_id and app_secret were provided to Bob after Client Registration
OAuth2 module: validate the request; if the request is okay, redirect to User Authentication (/ws/oauth2/authenticate_user), followed by Client Authorization (p.s. these permissions were specified during client registration).
Authorization Code Generation: once the client is authorized, code = "asdas2156S4a5AS"
Authorization Response: sent to the redirect_uri with the following parameters:
code = "asdas2156S4a5AS"
state = (same as that of the authorization request)
Access Token Request
POST https://www.openmrsinstance.com/openmrs/ws/oauth2/token
grant_type = "authorization_code"
code = "asdas2156S4a5AS"
redirect_uri = "www.xyz-emr.com/oauthTokenplay"
app_id = "456ASdsafejkhajk123cvJKH"
Client Authentication: the OAuth2 module
verifies that the authorization code is valid and corresponds to the client_id request parameter;
verifies that the client_secret provided during the Authorization Request and the client_secret corresponding to the client_id (in the database) match (the exact strategy may vary, e.g. public key);
validates the redirect_uri parameter against the database.
Token Generation
access_token = "fgnljkJ&*HJs^%kkoeioa5522"
refresh_token = "jkYUIG21UIsdasd6+563s4d4f5"
Access Token Response
JSON string in the body of the HTTP response to the redirect_uri with MIME type = "application/json":
{
  "access_token": "fgnljkJ&*HJs^%kkoeioa5522",
  "token_type": "fhir_basic_rest_basic",
  "expires_in": 3600,
  "refresh_token": "jkYUIG21UIsdasd6+563s4d4f5",
  "scope": "<client_scope_value>"
}
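The three Client Authentication checks above (code bound to the client, secret matches the registered one, redirect_uri matches) plus single use and expiry of the code, as an added Python example that is not part of the module or the presentation. The parameter names app_id/app_secret follow the mockups; the client registry, the code lifetime and the token response shape are assumptions.

```python
import hmac
import secrets
import time

# Constructed client registry in the shape "Client Registration" would store (assumed):
# client_id -> shared secret and the redirect_uri registered with it.
CLIENTS = {
    "asdkjIuHjhL6556LKJJHFt": {
        "secret": "456ASdsafejkhajk123cvJKH",
        "redirect_uri": "www.xyz-emr.com/oauthclientplay",
    },
}
CODE_TTL = 600   # seconds an authorization code stays exchangeable (assumption)
CODES = {}       # code -> {client_id, redirect_uri, user, issued}; removed on first use

def issue_code(client_id, redirect_uri, user, now=None):
    """Authorization Code Generation: bind the code to client, redirect_uri and user."""
    now = time.time() if now is None else now
    code = secrets.token_urlsafe(24)
    CODES[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                   "user": user, "issued": now}
    return code

def exchange_code(params, now=None):
    """Token endpoint handling of grant_type=authorization_code.
    Returns (True, token_response) or (False, error_code)."""
    now = time.time() if now is None else now
    if params.get("grant_type") != "authorization_code":
        return False, "unsupported_grant_type"
    client_id = params.get("app_id", "")
    client = CLIENTS.get(client_id)
    # Client Authentication: constant-time compare so a wrong secret leaks no timing
    if client is None or not hmac.compare_digest(
            client["secret"].encode(), params.get("app_secret", "").encode()):
        return False, "invalid_client"
    # Pop the code first: a replayed code must fail even if every other check passes
    rec = CODES.pop(params.get("code", ""), None)
    if rec is None or rec["client_id"] != client_id:
        return False, "invalid_grant"   # unknown code, or issued to another client
    if now - rec["issued"] > CODE_TTL:
        return False, "invalid_grant"   # code expired before it was exchanged
    # redirect_uri must equal the registered value and the one the code was issued for
    if (params.get("redirect_uri") != rec["redirect_uri"]
            or rec["redirect_uri"] != client["redirect_uri"]):
        return False, "invalid_grant"
    return True, {"access_token": secrets.token_urlsafe(32), "refresh_token": secrets.token_urlsafe(32),
                  "token_type": "fhir_basic_rest_basic", "expires_in": 3600, "user": rec["user"]}
```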
Authorization Request (Implicit Grant Type)
GET http://www.openmrsinstance.com/openmrs/ws/oauth2/authorize
response_type = "code"
app_id = "asdkjIuHjhL6556LKJJHFt"
app_secret = "456ASdsafejkhajk123cvJKH"
redirect_uri = "www.xyz-emr.com/oauthclientplay"
state = "" (Recommended)
scope = "" (Optional)
p.s. app_id and app_secret were provided to Bob after Client Registration
OAuth2 Module: validate the request; the redirect_uri should match the redirect_uri provided during registration. If all parameters are valid, redirect to end-user (Alice's) authentication.
User Authentication
Client Authorization (p.s. these permissions were set during client registration)
Token Generation: generate an access token only after the client authorization step.
Access Token Response
HTTP response sent to the redirect_uri provided by Bob. The following parameters are included in the URI fragment (<scheme name> : <hierarchical part> [ ? <query> ] [ # <fragment> ]):
access_token = "asdasdasdasd3215"
token_type = "fhir_basic_rest_basic"
expires_in = 3600
scope = (optional)
state = (state management for the client; the value is the same as the client sent in the authorization request)
refresh_token = Not generated (as per specification)
Client Application
Now Bob's application will retain the fragment information locally. Bob's application sends a request to the OAuth2 module to fetch a web page with embedded JavaScript (/ws/oauth2/fragmentextracter.html) that will be able to extract the token and other parameters from the fragment in the client's browser (or user agent).
Access token retrieval
The embedded script will extract the parameters from the URI fragment via the user agent and send the extracted parameters to the client server. Bob's application now has the access token.
Authorization (Resource Owner Password Credentials Grant)
Alice provides Bob with her username and password for the OpenMRS instance.
Access Token Request
Bob sends this request to the token endpoint https://www.openmrsinstance.com/openmrs/ws/oauth2/token:
grant_type = "password"
username = "Alice"
password = "Alice's Password"
scope = (Optional)
OAuth2 Module:
validate the request
authenticate the application
protect the endpoint against brute force attacks (as Alice's credentials need to be protected)
Access Token Response
JSON string in the body of the HTTP response to the redirect_uri with MIME type = "application/json":
{
  "access_token": "fgnljkJ&*HJs^%kkoeioa5522",
  "token_type": "fhir_basic_rest_basic",
  "expires_in": 3600,
  "refresh_token": "jkYUIG21UIsdasd6+563s4d4f5",
  "scope": "<client_scope_value>"
}
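The brute-force protection the password grant asks for, as an added Python example that is neither the module's code nor part of the presentation: failed attempts are counted per (client_id, username) inside a sliding window and the pair is locked for a while once the limit is hit. The limits, the lock duration and the constructed user store are assumptions; client authentication is taken to have happened already.

```python
import hmac
import secrets
from collections import deque

# Assumed policy for the password grant endpoint (values are not from the page)
MAX_FAILURES = 5    # failed attempts allowed inside WINDOW before locking
WINDOW = 300        # seconds over which failures are counted
LOCKOUT = 900       # seconds a locked (client_id, username) pair stays locked
# Constructed user store. Real deployments keep a slow password hash, never plaintext.
USERS = {"Alice": "Alice's Password"}

_failures = {}      # (client_id, username) -> deque of failure timestamps
_locked_until = {}  # (client_id, username) -> time the lock lifts

def record_attempt(client_id, username, success, now):
    """Update the counters after a credential check; return True if the pair is now locked."""
    key = (client_id, username)
    if success:
        _failures.pop(key, None)
        return False
    stamps = _failures.setdefault(key, deque())
    stamps.append(now)
    while stamps and now - stamps[0] > WINDOW:   # drop failures outside the window
        stamps.popleft()
    if len(stamps) >= MAX_FAILURES:
        _locked_until[key] = now + LOCKOUT
        stamps.clear()
        return True
    return False

def password_grant(client_id, username, password, now):
    """Token endpoint for grant_type=password (client already authenticated upstream).
    Returns the token response dict or an error dict."""
    retry = _locked_until.get((client_id, username), 0) - now
    if retry > 0:
        # Keyed per client and user, so one client's failures cannot lock Alice out elsewhere
        return {"error": "temporarily_locked", "retry_after": int(retry)}
    expected = USERS.get(username, "").encode()
    success = hmac.compare_digest(expected, password.encode()) and username in USERS
    locked = record_attempt(client_id, username, success, now)
    if locked or not success:
        return {"error": "invalid_grant"}     # same answer for unknown user and bad password
    return {"access_token": secrets.token_urlsafe(32),
            "token_type": "fhir_basic_rest_basic", "expires_in": 3600}
```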
Client Credentials Grant
Bob's application can request an access token by only using its credentials, to access OpenMRS resources under its control, or maybe even resources of Alice, provided she has previously authorized the application. This grant type MUST be used with confidential clients.
Access Token Request
Bob sends a request to the token endpoint POST https://www.openmrsinstance.com/openmrs/oauth2/token (with client credentials in the Authorization header, or another suitable strategy) with the following parameters:
grant_type = "client_credentials"
scope = (Optional)
OAuth2 module:
authenticate the client
validate the request parameters
if valid and authentication succeeds, generate an access token
Access token = "asda56ad546a65"
Access Token Response
JSON string in the body of the HTTP response to the redirect_uri with MIME type = "application/json":
{
  "access_token": "asda56ad546a65",
  "token_type": "fhir_basic_rest_basic",
  "expires_in": 3600,
  "refresh_token": "jkYUIG21UIsdasd6+563s4d4f5",
  "scope": "<client_scope_value>"
}
FHIR Resource Access Request
Let's say Bob's application wants to get a Patient resource by UUID via the FHIR module. It will send the following request:
GET http://openmrsinstance.com/openmrs/ws/fhir/Patient/dda12af7-1691-11df-97a5-7038c432aabf
access_token = "asdhjua56a564d78"
The request object will also include the access token issued to Bob's application in the previous steps (and, if required, client credentials). If required, we can include client_id or client credentials as a request parameter or in the Authorization header.
FHIR Request Filter
When the request arrives at the FHIR module, a request filter will utilize the OAuth2 module's validateToken() method to validate the accompanying access token. The FHIR module will then fetch the requested resource.
REST web service module access request
Let's say Bob's application wants to edit Alice's name to Alice Monroe by utilizing the REST Web Services module. It sends:
POST /ws/rest/person/uuidofperson/name
Body content:
{"givenName": "Alice", "familyName": "Monroe", "access_token": "asda56465asd65"}
REST request filter
When the request arrives at the REST web services module, a request filter will utilize the validateToken() method of the OAuth2 module's API before processing the request. The REST web services module then updates Alice's name.
OAuth2 module, Token Validation
A token is valid iff:
it is properly decrypted
the information it contains matches the information used to construct it
the client was issued this very token in the previous steps (may require client authentication, but can be achieved with client_id alone)
the token is not expired
Let's have a look at some of the additional features of the OAuth2 module
Refreshing an Access Token
Bob's application makes a request to POST http://www.openmrsinstance.com/openmrs/ws/oauth2/access_token with
grant_type = "refresh_token"
refresh_token = "as45646as4dasd"
Parameters for client and user authentication may be included.
OAuth2 Module:
validate the refresh token
authenticate client and/or user, if required
invalidate the previously issued access token
generate a new access token
Refresh Response
Prepare an HTTP response to the redirect_uri and include the new access token in the response body (Content-type = "application/json", as seen before).
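The four validateToken() rules from the token validation section together with the refresh steps (validate the refresh token, invalidate the old access token, issue a new one), as one added Python example that is not the module's code. Tokens here are HMAC-signed rather than encrypted, which is an assumption standing in for the page's "properly decrypted" rule; the key, the claim names and the revocation set (which would also serve Alice's revoke-access case) are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Assumption: one per-installation HMAC key; tokens are signed (authenticated), not
# encrypted, standing in for the page's "properly decrypted" check. Constructed value.
SERVER_KEY = b"constructed-demo-key-not-for-production"
REVOKED = set()   # tokens withdrawn: the old access token after a refresh, or by Alice

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(kind, client_id, user, scope, now, ttl):
    """Issue an access ("at") or refresh ("rt") token bound to client, user, scope, expiry."""
    body = json.dumps({"typ": kind, "cid": client_id, "sub": user, "scope": scope,
                       "exp": int(now) + ttl}, separators=(",", ":")).encode()
    return _b64(body) + "." + _b64(hmac.new(SERVER_KEY, body, hashlib.sha256).digest())

def validate_token(token, client_id, now, kind="at"):
    """The validateToken() rules: integrity, contents match what was issued, issued to
    this client, not expired; plus the revocation list. Returns (ok, claims or reason)."""
    try:
        head, tail = token.split(".")
        body, sig = _unb64(head), _unb64(tail)
    except ValueError:
        return False, "malformed"
    if not hmac.compare_digest(hmac.new(SERVER_KEY, body, hashlib.sha256).digest(), sig):
        return False, "bad_signature"          # contents no longer match what we issued
    claims = json.loads(body)
    if claims["typ"] != kind or claims["cid"] != client_id:
        return False, "wrong_client_or_type"   # not the token this client was issued
    if now >= claims["exp"]:
        return False, "expired"
    if token in REVOKED:
        return False, "revoked"
    return True, claims

def refresh(refresh_token, old_access_token, client_id, now):
    """Refresh step: validate the refresh token, invalidate the previously issued access
    token, then generate a new access token. Returns (ok, new_token or reason)."""
    ok, claims = validate_token(refresh_token, client_id, now, kind="rt")
    if not ok:
        return False, claims
    REVOKED.add(old_access_token)
    return True, mint("at", client_id, claims["sub"], claims["scope"], now, 3600)
```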
Suppose after some time, Alice has a thought: "I don't want Bob's application to access my resources on the OpenMRS installation anymore! I want to revoke access to Bob's application." Alice logs into her OpenMRS instance account.
Suppose Bob no longer needs the resources of users from the OpenMRS instance: "Maybe I will create a new app and discard this one completely!" Bob logs into his client developer account.
Thank You!