#Authentication

This article is intended as a beginner level article for people that want to learn how to use OAuth2 in their web applications natively.

There is an accompanying video/demo that may be helpful here: 

and you can reproduce this locally with the Open Exchange application attached.

OAuth2 as a native authentication type for web applications

OAuth (Open Authorization) 2.0 is a standard way to let one application call another application’s API without sharing a username and password.

What is JWT?

JWT (JSON Web Token) is an open standard (RFC 7519) that offers a lightweight, compact, and self-contained method for securely transmitting information between two parties. It is commonly used in web applications for authentication, authorization, and information exchange.

A JWT is typically composed of three parts:

1. JOSE (JSON Object Signing and Encryption) Header
2. Payload
3. Signature

These parts are encoded in Base64Url format and concatenated with dots (.) separating them.

Also in previous versions you could define your FHIR Server to accept requests via OAuth 2.0 (e.g. for a SMART on FHIR client) but nowadays with v2024.3, which was released a while ago, there is a new feature, that enables doing this more easily - the OAuth FHIR Client QuickStart.

When I was younger (a question about exactly how much younger is outside the scope of this article), the word “token” meant fun. You see, just a couple of times a year, I would get to go to an arcade and play some amusing video games with my friends.

These days, tokens signify security. JSON Web Token (JWT) Authentication has become one of the most popular standards for securing REST APIs. Fortunately for IRIS users, we have a straightforward way to set up applications to be protected this way. Yet, the idea is still similar to my old arcade days.

What is TLS?

TLS, the successor to SSL, stands for Transport Layer Security and provides security (i.e. encryption and authentication) over a TCP/IP connection. If you have ever noticed the "s" on "https" URLs, you have recognized an HTTP connection "secured" by SSL/TLS. In the past, only login/authorization pages on the web would use TLS, but in today's hostile internet environment, best practice indicates that we should secure all connections with TLS.

Why use TLS?

So, why would you implement TLS for HL7 connections?

I have an API set up in IRIS which is secured using an IRIS authentication service, so there is a bearer token being passed down in the request header.

I've already set  Parameter HandleCorsRequest = 1; on the spec class and All the endpoints I am have (a mix of GET, POST, PATCH and DELETE) are working from postman without issue, the problem is when consuming from the web front-end and the preflight checks the browser instigates. Most of the endpoints work in the browser, but some are triggering the preflight (OPTIONS) check causing the CORS issue.

Hi experts

I'm trying to configure an IRIS ODBC connection with "Windows NT authentication using the network login ID". I have created the System DSN as below:

and user (PROD\test) in the SQL Gateway connection 

However, as the error message suggests, IRIS is trying to connect with PROD\svc_mist, rather than PROD\test configured above. 

Is there anyway to configure the ODBC connection with specified account with Windows Auth method? 

Hi:

I see a lot of cool REST apps and i'm trying to host something in the TIE using REST/Axios with VITE. 

At the moment i will probably host the application in web applications in Intersytems. 

For authorisation and getting the logged in user and password to any app, is there a standard people are doing? 

I.e. for axios you might have this from the app

auth: {
        username: apiUser,
        password: apiPass
      }

But surely you want to pass through credentials from the IRIS logged in user, or alternatively pass the credential request to IRIS API to first receive the data.

Hi,

Does calling the BIND method of %SYS.LDAP, with the username, domain and password of the user that  needs to be authenticated- the right way to authenticate him/her ?

Also - am I correct in assuming that something like this is independant to (and I don't  need to specify setting for),  System Security -> LDAP Options 

Thanks

Steve

Hi community,

A colleague gets ERROR #822: Access denied every time he tries to log in via Management portal. It is NOT the case of wrong credentials: I reset his password password to a temporary one so it would prompt him to create a new one upon first login. He did get the prompt, changed his password and his next attempt at logging in displayed the same error.

The audit log record displays this:
Error message: ERROR #862: User is restricted from running application /csp/sys/op, %Admin_Operate:U required -- cannot execute.

One of the most common kinds of integration we are asked to do is emailing. One of the most typical email services our customers use is Microsoft’s Office 365. After setting up the right configuration on the Microsoft side, we can email from IRIS with two HTTP requests. By the end of this article, we will be able to send an email with an attachment through our Microsoft 365 service!

Microsoft’s REST API, called Graph, allows you to do a lot of things within Microsoft’s various apps, and it is precisely what we will employ to send our email.

In this tutorial, I will discuss how can you connect your IRIS data platform to sql server db  .

Prereq: 

• Have ODBC driver installed in your device. You can download it from here: Download ODBC Driver for SQL Server - ODBC Driver for SQL Server | Microsoft Learn. 
• Have SQL Server and IRIS installed in your device
• Have SQL Server connection Authentication enabled in SQL server

I am trying to set up a web application with Delegated Authentication via IPM. It is possible to give a specific application Delegated Authentication:

<WebApplication
        Name="/${namespaceLower}/api"
        NameSpace="${namespace}"
        DispatchClass="pkg.isc.genai.rest.Handler"
        MatchRoles=":%All"
        AutheEnabled="#{$$$AutheDelegated}"
        Recurse="1"
        CookiePath="/${namespaceLower}/"
        />

with the AutheEnabled field.

At hackathons that InterSystems participated and I supported, many students were asking how all their teammates could use the same IRIS database that they spun up in a container. I suggested using ngrok to expose their localhost IRIS and realized we don't have documentation on that. Hence, I thought this would be great to let more people knwo about this powerful technique for enhancing collaboration during development and testing.

Step-by-Step Guide to Exposing InterSystems IRIS with ngrok

This guide will walk you through the process of exposing your local InterSystems IRIS instance using ngrok.

Hello,

I need to expose InterSystems HealthInsight dashboards over the internet to external operators. The authentication flow is managed externally. When a user is authenticated, our system receives an HTTP request with specific headers (e.g., operator’s fiscal code and hospital identifier) that we need to extract in order to:

• Authorize the user to access the dashboards.
• Apply row-level security on the dashboards, filtering the data by hospital and user role.

I need to connect to a SFTP server and I seem to connect and timeout have tested the connection using File-zilla and the connection was successful but the problem is when I try to connect using the FTP in bound adapter service I get the following errors.

ERROR <Ens>ErrOutConnectExpired: FTP Connect timeout period (120) expired for ***************.com:990/******/SSL='********* + ERROR <Ens>ErrFTPConnectFailed: FTP: Failed to connect to server ***************.

Over the past couple of months, I have been working on the SMART on FHIR EHR Launch to test the capabilities of IRIS for Health using two open-source apps from CSIRO: SMART-EHR-Launcher and SMART Forms App. This journey has been incredibly interesting, and I’m truly grateful for the opportunity to work on this task and explore more of IRIS for Health’s potential.

After successfully demonstrating the seamless launch of multiple external SMART apps at the HL7 AU FHIR Connectathon, I’m excited to share what I’ve learned with the community.

Our client says the call to send email (method (%Net.SMTP).Send) started returning error # 6167 (Authentication expected but failed.) after installing IRIS 2022.1.2; email had worked before. Properties (%Net.Authenticator).UserName and .Password were configured. We can get email to work when we don't set property (%Net.SMTP).authenticator.

Any ideas what is going on? Thanks.

 JSON Web Token (JWT) Authentication

Hi Everyone,

I would like to share the code and step-by-step instructions/or guideline for generating a JWT (JSON Web Token) signature, as well as how to test it using Postman / HealthConnect.

JWT is an open standard (RFC 7519) that defines a compact, URL-safe method for securely transmitting information between parties in the form of a JSON object.

Structure of a JWT:

A JWT consists of three parts, separated by dots (.):

Hey,

I need to read a directory on a remote server which requires a user to be su. The question is how to correctly read the server response and then to send a su password using IRIS device I/O API (I'm able to read other commands output such as uname, but can't figure out how to switch to su):

// Init SSH session
Set .Session = ##class(%Net.SSH.Session).%New()
Set status = .Session.Connect(.Server)
$$$ThrowOnError(status)
Set status = .Session.AuthenticateWithUsername(.UserName, .Password)
$$$ThrowOnError(status)

// SUDO
#Dim device
Set device = ""
Set status = .

I am building a web application that uses JWT for authentication. I would like to pass the token in cookies instead of the Authorization header.
Is there a way to intercept the request and check the token from the cookies instead of the header? I tried overriding the OnPreDispatch() method and adding it to my dispatch class, but it seems like it never gets executed, as the response returns "Unauthorized" before reaching it.

ClassMethod OnPreDispatch(pURL As %String, pMethod As %String, ByRef pContinue As %Boolean) As %Status
{
        Set token = %request.Cookies.

In your Interoperability Production you could always have a Business Operation that is an HTTP client, that uses OAuth 2.0 for authentication, but you had to customize the Operation for this authentication methodology. Since v2024.3, which was lately released, there is a new capability, providing new settings, to handle this more easily.

Hi!   

I'm trying to set up a Clinical Viewer demo env with HealthShare 2024.2. 
I've done the standard installation following the doc : 

• UCR - UCR demo with IHE
• CV - CV demo

Everything works until I get to the point where I have to enable federated SSO (UCR demo - Federated SSO). Once it is activated, I can no longer access the instance through the portal, and the browser displays the following error:

Checking the messages.log, I see that every time I try to enable federated SSO and access the portal, I encounter the following error:

12/24/24-10:51:55:639 (98515) 2 [Utility.

Hello everyone,

I want to share my experience configuring an IIS server to enable secure HTTPs access to HealthShare/HealthConnect.

After installing the “WebServerGateway” and completing the initial setup, I encountered a few issues. Specifically, when trying to log into HealthConnect using HTTPS, the logo didn’t appear, and clicking any buttons didn’t trigger any response. See screenshot below:

Below is a step-by-step guide to resolve the current issue, as well as another issue I encountered with accessing the Rule Editor.

I have started working on utilizing Epic on FHIR about a month ago.

Creating a Public Private Key Pair

mkdir /home/ec2-user/path_to_key
openssl genrsa -out ./path_to_key/privatekey.pem 2048

For backend apps, you can export the public key to a base64 encoded X.509 certificate named publickey509.pem using this command...

openssl req -new -x509 -key ./path_to_key/privatekey.pem -out ./path_to_key/publickey509.pem -subj '/CN=medbank'

where '/CN=medbank' is the subject name (for example the app name) the key pair is

I want to integrate IRIS with Keycloak OAuth2 provider to use delegated authentication everywhere and to secure everything - sys*/Portal applications, REST services, FHIR server and so on. If an unathenticated user tries to access any IRIS URL - he or she should be redirected to Keycloak. After the user has successfully authenticated, i would like to access his requistes (username, email, roles, scopes) extracted from the JWT token, programmatically. What should be done to achieve that?

I'm trying to call a SOAP web service which is implemented in .NET Classic and requires NTLM authentication. The client class was generated by %SOAP.WSDL.Reader. The problem is that neither NTLM authentication works nor can I handle the exception since VSCode debugger says that all meaningful fields and properties are empty (the same request works fine in Postman):

ClassMethod Test()
{
    #Dim client as My.Client
    Set client = ##class(My.Client).%New()
    Try
    {
        Set client.SSLConfiguration = "SSL"
        Set client.Location = "https://server/service.asmx"
        Set client.

I finally figured out how to get JWT token using set x = ##class(%SYS.OAuth2.Authorization).GetAccessTokenClient("medbank","openid fhirUser",.prop,.err).

I also found iris-fhir-client app on Open Exchange. I registered Epic sandbox server, but I cannot list resources. I suspect I need to integrate authorization / authentication. How do I do this with irisfhirclient py?