JWT enabled FHIR Server web app access
Hello Community,
I've configured a FHIR Server in FHIR Configuration "/csp/healthshare/learn1/fhir/r4" and I enabled JWT Authentication for this web application. I've invoked this URL http://localhost:52773/csp/healthshare/learn1/fhir/r4/login with basic auth to get the JWT token. Now I use the access token as a "Bearer" to GET the Patient resource, but I got a 401 Unauthorized error. Anyway, I can get the Patient resource with basic auth. I tried assigning the %ALL role for testing as well. Did I miss any additional configuration in "FHIR Server Configuration"?
Comments
What you are likely missing is that enabling JWT authentication on the web application by itself is not sufficient for FHIR bearer-token access. The FHIR server must be configured as an OAuth 2.0 resource server and associated with an OAuth client/resource-server configuration so that the REST handler and FHIR service can validate the token. [1][2]
You should check these points:
- In FHIR Server Authorization Settings, set the OAuth Client Name for your FHIR server. This binds the FHIR server to the OAuth server/resource-server configuration. [2]
- Create or verify a client definition where the FHIR server is registered as a Resource server, then save it with dynamic registration. [2][1]
- If you are using an InterSystems OAuth server to issue tokens for the FHIR server, configure that OAuth server to use or extend the classes in the HS.HC.OAuth2.Server package. [1]
Important: If you are using an InterSystems IRIS for Health OAuth 2.0 authorization server (InterSystems OAuth server) to issue authorization tokens for your FHIR server, configure your OAuth 2.0 server to use or extend the classes in the HS.HC.OAuth2.Server package, as described in Configuring an OAuth Server for FHIR. Doing so ensures that the OAuth server behaves as expected by the FHIR server's default token handling class. [1]
Also verify the token itself:
- The FHIR server expects the access token in the HTTP Authorization header as "Bearer <token>"; passing it another way is not supported for the FHIR server. [3]
- The token must be a JWT; the FHIR server currently does not handle opaque tokens. [4]
- The token must include the correct audience for the FHIR endpoint and an appropriate scope such as user/*.read or user/*.write; otherwise requests can fail even if the token is otherwise valid. [5][1]
Note: Although read/write syntax is supported, permissions are best specified using SMART on FHIR v2-style syntax. See the HL7 specification for details. [1]
For a GET of Patient data, the token must include at least one valid scope, and user scopes are one of the supported types. The default token handler enforces FHIR/SMART scope rules, not just user roles such as %ALL. [1]
If your InterSystems OAuth server is on the same instance as your FHIR server, you can invoke the ConfigureInternalOAuthClients() method of the HS.HC.OAuth2.Client.Installer class to quickly set up client configurations. [1]
If you want the simplest path, use the OAuth FHIR Client Quickstart in the Management Portal to connect your existing FHIR server to the OAuth server. [1]
Sources:
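To see why a bearer request like the one in the question can come back 401 even though the web application accepts JWTs, here is an added example (not from the original post and not InterSystems code) that checks a token against the points listed in the comment: Bearer header shape, JWT structure, signature, expiry, audience and SMART scope. It assumes a constructed HS256 shared secret for the demo signature; a real FHIR server validates against the OAuth server's published keys, and the audience value is the endpoint from the question.

```python
import base64, hashlib, hmac, json, time

# Constructed values for the demo: a real deployment validates against the OAuth server's keys.
SECRET = b"constructed-demo-secret"
FHIR_AUD = "http://localhost:52773/csp/healthshare/learn1/fhir/r4"

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    # Builds a compact HS256 JWT; used here only to construct sample tokens.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def check_fhir_bearer(auth_header: str, secret: bytes, expected_aud: str,
                      resource: str, now=None) -> list:
    """Return the reasons a FHIR server would reject this Authorization header; [] means it passes."""
    if not auth_header.startswith("Bearer "):
        return ["Authorization header must be 'Bearer <token>'"]
    parts = auth_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return ["token is not a JWT (opaque tokens are not handled)"]
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return ["token segments are not base64url-encoded JSON"]
    problems = []
    if header.get("alg") != "HS256":
        problems.append(f"unexpected alg {header.get('alg')!r}")
    else:
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            problems.append("signature does not verify")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("token expired")
    auds = claims.get("aud") if isinstance(claims.get("aud"), list) else [claims.get("aud")]
    if expected_aud not in auds:
        problems.append(f"aud {claims.get('aud')!r} does not name the FHIR endpoint")
    # SMART v1 (.read) and v2 (.rs / .r) scopes that permit a GET of this resource type
    allowed = {f"{ctx}/{res}.{op}" for ctx in ("user", "patient", "system")
               for res in (resource, "*") for op in ("read", "rs", "r")}
    if not set(claims.get("scope", "").split()) & allowed:
        problems.append(f"no scope grants read of {resource}")
    return problems
```

Run check_fhir_bearer on the exact Authorization header value the client sends; the first non-empty entry in the returned list is the configuration point to fix.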