Menno Voerman · Oct 15, 2021

Ignore bearer token in unauthenticated web application

Hi All,

Hopefully someone can help me with this question.

I've got a FHIR adapter service defined as described here:

FHIR Interoperability Adapter

The web application is running:

This works well when asking the FHIR metadata I get a nice 200 response:

But when I want to request patient data I need to send the Access Token in the Request:

This gives a 401 error and I don't see any message at the InteropService (HS.FHIRServer.Interop.Service).

It looks like that the webapplication doesn't like the Authorization header:

How can I make sure that the webapplication just ignores the Autorization header?

 I only need the token on a later moment when interacting with the FHIR server.

Product version: IRIS 2021.1
$ZV: IRIS for Windows (x86-64) 2021.1 (Build 215U) Wed Jun 9 2021 09:39:22 EDT [HealthConnect:3.3.0] [HealthConnect:3.3.0]
0 296
Discussion (2)2
Log in or sign up to continue

You have Security Settings > Allowed Authentication Methods > Password unchecked in your Web Application definition.

Have you tried No Auth in Postman?

Hi All,

The  problem is in HS.FHIRServer.RestHandler

Class HS.FHIRServer.HC.FHIRInteropAdapter Extends HS.FHIRServer.RestHandler
{ Parameter isInteropAdapter As %Boolean = 1; Parameter ServiceConfigName As %String = "InteropService"; }

For some reason its not allowed to send the bearer token with the unauthenticated application:

// Access token present on unsecure CSP request is invalid. Otherwise, if access
// token found on secure CSP request then add to FHIR request AdditionalInfo for
// later evaluation by the FHIR service.
If '%request.Secure {
If ($ZConvert($Piece(%request.GetCgiEnv("HTTP_AUTHORIZATION")," ",1),"U") = "BEARER") || ($Get(%request.Data("access_token",1)) '= "") {
Set %response.Status = ..#HTTP401UNAUTHORIZED
Return $$$OK
Set accessToken = ""
Else {
// InterSystems FHIRServer policy is to NOT allow passing access token in the
// request URL or form encoded body (either can be found in %request.Data).
If $Get(%request.Data("access_token",1)) '= "" {
Set %response.Status = ..#HTTP401UNAUTHORIZED
Return $$$OK
Set accessToken = ##class(%SYS.OAuth2.AccessToken).GetAccessTokenFromRequest(.tSC)
If accessToken '= "" {
Do tRequest.AdditionalInfo.SetAt(accessToken, "USER:OAuthToken")
Do tRequest.AdditionalInfo.SetAt(hsrestconfig.OAuthClientName, "USER:OAuthClient")

We're gonna discuss the issue with intersystems but it looks like we need custom programming to make this situation work in the new HC version.