Question
Neil Thaiss · Jan 18, 2021

JSON Web Token Authorisation and Bearer Tokens

Hi,

I am very much a newbe on the subject of JWT, so please except my ignorance.

The Trust I am currently working for wish to create a framework whereby they can create REST API Services, within HealthConnect, and grant access to these using JSON Web Token Authorisation and Bearer Tokens. This would be similar to the way the Trust currently connects to other REST API's, i.e.: DocMan Connect and GOV.UK Notify.

Can anyone offer any advice / sample code and / or point me into the direct of suitable documentation to achieve this?

Also, any advice on how to set-up and use OAuth and OpenID Connect would be very useful.

 

Thank you in advance.

Product version:
HealthShare 2020.1
00
3 0 4 132

Replies

We have two Open Source products that will look after JWTs for you in the ways you are asking about (ie REST services with IRIS):

- QEWD, if you want to implement everything at the back-end in Node.js / JavaScript

- mgweb-server if you want to use ObjectScript logic for your back-end logic

For QEWD and IRIS, see:

https://github.com/robtweed/qewd-starter-kit-iris-networked

In particular for REST services, see:

https://github.com/robtweed/qewd-starter-kit-iris-networked/blob/master/...

and specifically this section:

https://github.com/robtweed/qewd-starter-kit-iris-networked/blob/master/...

For mgweb-server, see:

https://github.com/robtweed/mgweb-server

specifically using with IRIS:

https://github.com/robtweed/mgweb-server/blob/master/IRIS.md

and within that document, this section on JWTs:

https://github.com/robtweed/mgweb-server/blob/master/IRIS.md#using-json-...

Rob

Thanks Rob, I'll take a look at these.

For a few versions already Caché and IRIS already support OAuth2 out of the box. Look at the documentation.

Depends on your architecture you can use this way, or use any external Identity provider like keycloack. 

And I think IAM also can help with it as well.

Hi Dmitriy,

I have been looking at OAuth2, but am struggling to get my head around it and wasn't sure has to use it within a Production and using Business Services and Operations.

Is this possible?

What is the recommend way to secure REST Business Services and Operations?

How does FHiR secure REST Business Services and Operations?

Sorry, a lot of questions!