#Authentication

I finally figured out how to get JWT token using set x = ##class(%SYS.OAuth2.Authorization).GetAccessTokenClient("medbank","openid fhirUser",.prop,.err).

I also found iris-fhir-client app on Open Exchange. I registered Epic sandbox server, but I cannot list resources. I suspect I need to integrate authorization / authentication. How do I do this with irisfhirclient py?

We are building a bunch of rest based services using Ens 2016.2 to serve our browser based application (Angular 4).

Two questions:

1. The initial authentication seems only work if credentials are placed in the url parameters. Trying to use the Authorization header instead, the client code immediately complains about Access-Control-Allow-Origin. How can I resolve this?

2. After initial authentication, what is the proper way to send subsequent rest calls without having to include credential every time?

When trying to save ZAUTHENTICATE.mac the following error occurs

If it is wrongly named as like ZATHIENTICATE.mac in the %SYS namespace it saves ok so it is something blocking saving a new fresh ZAUTH code of the correct name- we have no other delegated auth that I am aware of.

I am trying to use postman to start the restapi classes from a json openapi2.0.0 file.

POST: https://myserver.com/api/mgmnt/v2/requestAPI. The body contains the openapi2.0.0. The application api/mgmnt has in security settings: password. JWT is not selected. I set postman authentication to basis authentication and gave username and password. I also set in headers IRISUsername and IRISPassword. I have 401 Unauthorized.

Is the only way to go through is to build an oauth token? or do I miss something?

OAuth server to be deployed on the IRIS learning cloud platform. Clients - one on the other instance of the learning IRIS server, the other client locally on my computer in the container docker.

Both clients get a seemingly correct link (through ##class(%SYS.OAuth2.Authorization).GetAuthorizationCodeEndpoint()) to the login request form:

Does anyone happen to have a sample Configuration (CPF) Merge file that includes Action parameters setting up authentication methods (e.g.

Hi,

I've a Service utilising the Adapter EnsLib.SQL.InboundAdapter, which uses a Credentials item set with the details of a local SQL account. This currently works, however, we're looking to use the credentials of an AD domain account.

The domain account is a member of an AD security group, which has the required permissions on the source SQL database. I've checked that access is possible with this account via SQL studio.

If a user simply closes a tab (running a web application), is there any good way to ensure that the license is released AND the login cookie is destroyed?

I found that if the tab is simply closed without first logging out of the application, then 1) the license hangs around forever, and 2) if the user then opens a tab, he is already logged in.

This is more a WARNING than a question

I want to integrate IRIS with Keycloak OAuth2 provider to use delegated authentication everywhere and to secure everything - sys*/Portal applications, REST services, FHIR server and so on. If an unathenticated user tries to access any IRIS URL - he or she should be redirected to Keycloak. After the user has successfully authenticated, i would like to access his requistes (username, email, roles, scopes) extracted from the JWT token, programmatically. What should be done to achieve that?

Credentials for a Productions are stored as plain text in ^Ens.SecondaryData.Password and exposed as plain text via SQL table Ens_Config.Credentials which is not ideal as only admins should know the credentials.

I can create my own adapter etc... to store and use encrypted passwords but does anyone know if there is a standard way to do this in a Production?

Alternatively, am I missing how to secure this so the production can run and someone can monitor and operate a production without access to the SQL table or global?

Hello,

I'm new to Iris for Health and I'm trying to get some experience using it. I've subscribed to the Intersystems Iris for Health software in AWS marketplace. I successfully spun up the EC2 instance with the default security group. The try-iris instance is healthy and successfully starts within EC2. I've also successfully changed the default password too.

However, I'm unable to authenticate into the management portal. The portal launches okay though I keep getting an access denied. I'm also unable to authenticate into a session from the EC2 instance.

Unless I'm mistaken, 2017.1 doesn't appear to support RFC 7523 (JSON Web Token Profile for OAuth 2.0 Client Authentication and Authorization Grants). Is that coming in 2017.2?

In order to support it in 2017.1, I'd have to override the OAuth 2.0 token endpoint to cater for the additional grant types - what's the best way to do this?

Thanks.

Currently, I am working on a CSP application that is supposed to generate reports. Users will have varying access to said reports. To achieve that, I plan to use LDAP (because it's used in other systems where those users already exist). Documentation does not provide enough information, so I'd like a clarification:
Do I need to enable LDAP authentication for the whole Cache instance to use LDAP authentication in a single CSP application in that instance?