
Using Postman for testing the OAuth2.0 of the InterSystems FHIR repository - Part1

Hi all, it's me again, sharing what I have been studying recently.😓

 

Recently I have been studying how to set up OAuth 2.0 authentication for the InterSystems FHIR repository, and I found the following articles very good and easy to follow.😁

SMART on FHIR EHR Launch with IRIS for Health

Building an FHIR Repository + OAuth2 Authorization Server/Resource Server Configuration on IRIS for Health Part 2

 

For me, as a user without much knowledge of OAuth 2.0, it was quite difficult to understand how to set up the whole OAuth 2.0 environment before seeing what it looks like from a pure user point of view (what is it? what parameters do I need? what output should I expect?). 🤔 So here I reverse the sequence a little and talk about OAuth 2.0 from the client side first, using Postman as the client.😁

If you want a test environment for OAuth, you can try one of the following Docker setups:

workshop-iris-oauth2, or the one from the article Building an FHIR Repository + OAuth2 Authorization Server/Resource Server Configuration on IRIS for Health Part 1

In this article I set up an InterSystems FHIR repository with HTTPS support on my local machine. (From my observation, correct me if I am wrong, the resource server must support HTTPS for InterSystems OAuth to work.😑😐 This is what the specifications require anyway: RFC 6749 mandates TLS for the token endpoint, and RFC 6750 requires bearer tokens to be sent only over TLS, because anyone who can read a bearer token can replay it.)

 


So let's start from something simple. 😀

Case 1: Basic Authentication

The information we need is:

URL: {hostname}/{path}/{Resources}?{parameters}
Body: (optional)
Username
Password

 

Testing this in Postman is simple: enter the URL, choose Basic Auth on the Authorization tab, and fill in the username and password.

In general, basic authentication is simple, because all you need is the URL of the resource you want and the corresponding credentials. One step, and you get the data.😁✌ The price is that the username and password travel in the Authorization header on every request, which is one more reason the server has to be HTTPS.

 


Case 2: OAuth Authentication 

The concept is a little different from basic authentication. From my understanding, the key difference is the concept of the session and the token. Before we really jump into OAuth 2.0, let's talk about something familiar.

Consider the following scenario: you would like to visit an art museum for a special event, "The Miracle Moment". As the event is very popular, the museum has set up flow control: the opening hours are divided into 8 sessions of 1 hour each, and every visitor must book a session at the ticketing centre before visiting. In other words, the visitor must present a valid ticket (token) for the correct time slot (session) to the art museum to see "The Miracle Moment".

 

From the scenario above we can summarize as follows. From the point of view of an OAuth 2.0 client, in order to access the resources we want, we need to:

Step 1: get a token from the authorization server (get a ticket from the ticketing centre)

Step 2: present the token to the resource server (present the ticket to the art museum)

OAuth 2.0 calls the ticket issuer the authorization server rather than the authentication server: its job is to decide what the client may access, not only who the client is.

To get the token, you need to let the authorization server know:

1. Who you are. (The simplest way is to provide a client_id and client_secret; there are other ways, but I want to keep it simple here.😁)

2. Which resource server you want to access (which museum? which venue?). You provide this in the audience (aud).

3. What the scope of your access is (which program? which event?). You provide this in the scope, and the scope values must be agreed between the authorization server and the resource server.

 

So... now it's time to be the client.

Fill in the information below and get the token from Postman:

Auth Type: OAuth 2.0
Grant type: Client Credentials
Access Token URL:

https://{authorization server hostname}/oauth2/token?aud={resource server hostname}/path

For example,

https://authenticationserver.com/oauth2/token?aud=https://resourceserver...

Scope: user/*.read user/*.write
Client Authentication: Send as Basic Auth header

After the authentication completes, click Use Token.

 

Yeah!! Now we have a valid token here,😁😂 and it will expire within an hour 😶🤐

 

Now let's use the token to get the resource we want.

Try to get the Patient resource:

URL: {resource server hostname}/{path}/Patient
Method: GET
Token: the one we got from Step 1
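The same two cases done by hand, so that the messages Postman builds for you are visible: the Basic header of Case 1, and the Step 1 token request plus the Step 2 bearer request of Case 2. This is an added example and not code from the article or from InterSystems; it uses only the Python standard library. The hostnames, the /fhir/r4 path, the client_id/client_secret pair and the sample token reply are constructed placeholders, while the scope string and the aud query parameter on the token URL follow the article's Postman settings.

```python
"""Case 1 (Basic) and Case 2 (client credentials + bearer) done by hand.
Added example, not code from the article or from InterSystems.  Hostnames, the
/fhir/r4 path, the client_id/client_secret pair and SAMPLE_TOKEN_RESPONSE are
constructed placeholders; the scope and the `?aud=` query parameter on the
token URL follow the article's Postman settings."""
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://authenticationserver.com/oauth2/token"  # assumed
RESOURCE_BASE = "https://resourceserver.com/fhir/r4"          # assumed
CLIENT_ID = "postman-client"                                  # assumed
CLIENT_SECRET = "s3cret:with/odd+chars="                      # assumed
SCOPE = "user/*.read user/*.write"                            # from the article

# Constructed reply from the token endpoint (RFC 6749 section 5.1 shape) so the
# parsing below can be exercised without a live server.
SAMPLE_TOKEN_RESPONSE = json.dumps({"access_token": "opaque-token-value",
                                    "token_type": "bearer", "expires_in": 3600,
                                    "scope": SCOPE}).encode()

def basic_auth_header(user, secret, form_encode=False):
    """RFC 7617 Basic header.  Case 1 sends username/password this way on the
    resource request; Case 2 sends client_id/client_secret this way to the token
    endpoint ("Send as Basic Auth header"), where RFC 6749 section 2.3.1 wants
    both values form-urlencoded first, which matters once a secret holds ':'."""
    if form_encode:
        user = urllib.parse.quote(user, safe="")
        secret = urllib.parse.quote(secret, safe="")
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()

def build_token_request(token_url, client_id, client_secret, scope, aud):
    """Step 1 request for the client_credentials grant; the audience goes on the
    token URL as `aud=`, exactly as the article's Access Token URL does."""
    url = token_url + "?" + urllib.parse.urlencode({"aud": aud})
    headers = {"Authorization": basic_auth_header(client_id, client_secret, True),
               "Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    body = urllib.parse.urlencode({"grant_type": "client_credentials",
                                   "scope": scope}).encode()
    return url, headers, body

def parse_token_response(raw, now):
    """Step 1 reply: reject error replies and non-bearer tokens, and turn the
    relative expires_in into an absolute deadline that can be checked later."""
    data = json.loads(raw)
    if "error" in data:  # RFC 6749 section 5.2 error shape
        raise RuntimeError(f"token endpoint: {data['error']} "
                           f"{data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    return {"access_token": data["access_token"],
            "expires_at": now + float(data.get("expires_in", 0)),
            "scope": data.get("scope", "")}

def bearer_header(token, now):
    """Step 2 headers.  An expired token is not sent: the resource server would
    answer 401 anyway, and it is time to go back to Step 1."""
    if now >= token["expires_at"]:
        raise RuntimeError("access token expired; request a new one")
    return {"Authorization": "Bearer " + token["access_token"],
            "Accept": "application/fhir+json"}

def send(url, headers, body=None):
    """Both the password (Case 1) and the bearer token (Case 2) sit in the clear
    inside the Authorization header, so neither is ever sent over plain HTTP."""
    if urllib.parse.urlsplit(url).scheme != "https":
        raise ValueError(f"refusing to send credentials to {url}")
    req = urllib.request.Request(url, data=body, headers=headers,
                                 method="POST" if body is not None else "GET")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()

def get_patients_basic(username, password):
    """Case 1: one request carrying the user's own credentials."""
    headers = {"Authorization": basic_auth_header(username, password),
               "Accept": "application/fhir+json"}
    return json.loads(send(RESOURCE_BASE + "/Patient", headers))

def get_patients_oauth():
    """Case 2: Step 1 get a token, Step 2 present it to the resource server."""
    url, headers, body = build_token_request(TOKEN_URL, CLIENT_ID, CLIENT_SECRET,
                                             SCOPE, RESOURCE_BASE)
    token = parse_token_response(send(url, headers, body), time.time())
    return json.loads(send(RESOURCE_BASE + "/Patient",
                           bearer_header(token, time.time())))

if __name__ == "__main__":  # offline walk-through of the Case 2 messages
    url, headers, body = build_token_request(TOKEN_URL, CLIENT_ID, CLIENT_SECRET,
                                             SCOPE, RESOURCE_BASE)
    print("POST", url, headers["Authorization"], body.decode(), sep="\n")
    token = parse_token_response(SAMPLE_TOKEN_RESPONSE, time.time())
    print(bearer_header(token, time.time())["Authorization"])
```

Run as-is it only prints the Step 1 request and the resulting Bearer header for the constructed reply; point the constants at your own authorization and resource servers and call get_patients_oauth() or get_patients_basic() to repeat Case 2 or Case 1 for real. Two details are easy to get wrong when reproducing Postman's work by hand: the client_id and client_secret are form-urlencoded before being base64-encoded (a secret containing ':' or '/' would otherwise be rejected), and a token must not be reused after the expires_in window the article observed, which here is enforced before the request is sent rather than discovered from a 401.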

 

 

 

Yeah!! looks good.😁

Thank you for reading.
