#Authentication

I have an API set up in IRIS which is secured using an IRIS authentication service, so there is a bearer token being passed down in the request header.

I've already set  Parameter HandleCorsRequest = 1; on the spec class and All the endpoints I am have (a mix of GET, POST, PATCH and DELETE) are working from postman without issue, the problem is when consuming from the web front-end and the preflight checks the browser instigates. Most of the endpoints work in the browser, but some are triggering the preflight (OPTIONS) check causing the CORS issue.

Hi experts

I'm trying to configure an IRIS ODBC connection with "Windows NT authentication using the network login ID". I have created the System DSN as below:

and user (PROD\test) in the SQL Gateway connection 

However, as the error message suggests, IRIS is trying to connect with PROD\svc_mist, rather than PROD\test configured above. 

Is there anyway to configure the ODBC connection with specified account with Windows Auth method? 

Hi:

I see a lot of cool REST apps and i'm trying to host something in the TIE using REST/Axios with VITE. 

At the moment i will probably host the application in web applications in Intersytems. 

For authorisation and getting the logged in user and password to any app, is there a standard people are doing? 

I.e. for axios you might have this from the app

auth: {
        username: apiUser,
        password: apiPass
      }

But surely you want to pass through credentials from the IRIS logged in user, or alternatively pass the credential request to IRIS API to first receive the data.

Hi,

Does calling the BIND method of %SYS.LDAP, with the username, domain and password of the user that  needs to be authenticated- the right way to authenticate him/her ?

Also - am I correct in assuming that something like this is independant to (and I don't  need to specify setting for),  System Security -> LDAP Options 

Thanks

Steve

Hi community,

A colleague gets ERROR #822: Access denied every time he tries to log in via Management portal. It is NOT the case of wrong credentials: I reset his password password to a temporary one so it would prompt him to create a new one upon first login. He did get the prompt, changed his password and his next attempt at logging in displayed the same error.

The audit log record displays this:
Error message: ERROR #862: User is restricted from running application /csp/sys/op, %Admin_Operate:U required -- cannot execute.

I am trying to set up a web application with Delegated Authentication via IPM. It is possible to give a specific application Delegated Authentication:

<WebApplication
        Name="/${namespaceLower}/api"
        NameSpace="${namespace}"
        DispatchClass="pkg.isc.genai.rest.Handler"
        MatchRoles=":%All"
        AutheEnabled="#{$$$AutheDelegated}"
        Recurse="1"
        CookiePath="/${namespaceLower}/"
        />

with the AutheEnabled field.

Hello,

I need to expose InterSystems HealthInsight dashboards over the internet to external operators. The authentication flow is managed externally. When a user is authenticated, our system receives an HTTP request with specific headers (e.g., operator’s fiscal code and hospital identifier) that we need to extract in order to:

• Authorize the user to access the dashboards.
• Apply row-level security on the dashboards, filtering the data by hospital and user role.

I need to connect to a SFTP server and I seem to connect and timeout have tested the connection using File-zilla and the connection was successful but the problem is when I try to connect using the FTP in bound adapter service I get the following errors.

ERROR <Ens>ErrOutConnectExpired: FTP Connect timeout period (120) expired for ***************.com:990/******/SSL='********* + ERROR <Ens>ErrFTPConnectFailed: FTP: Failed to connect to server ***************.

Our client says the call to send email (method (%Net.SMTP).Send) started returning error # 6167 (Authentication expected but failed.) after installing IRIS 2022.1.2; email had worked before. Properties (%Net.Authenticator).UserName and .Password were configured. We can get email to work when we don't set property (%Net.SMTP).authenticator.

Any ideas what is going on? Thanks.

Hey,

I need to read a directory on a remote server which requires a user to be su. The question is how to correctly read the server response and then to send a su password using IRIS device I/O API (I'm able to read other commands output such as uname, but can't figure out how to switch to su):

// Init SSH session
Set .Session = ##class(%Net.SSH.Session).%New()
Set status = .Session.Connect(.Server)
$$$ThrowOnError(status)
Set status = .Session.AuthenticateWithUsername(.UserName, .Password)
$$$ThrowOnError(status)

// SUDO
#Dim device
Set device = ""
Set status = .

I am building a web application that uses JWT for authentication. I would like to pass the token in cookies instead of the Authorization header.
Is there a way to intercept the request and check the token from the cookies instead of the header? I tried overriding the OnPreDispatch() method and adding it to my dispatch class, but it seems like it never gets executed, as the response returns "Unauthorized" before reaching it.

ClassMethod OnPreDispatch(pURL As %String, pMethod As %String, ByRef pContinue As %Boolean) As %Status
{
        Set token = %request.Cookies.

Hi!   

I'm trying to set up a Clinical Viewer demo env with HealthShare 2024.2. 
I've done the standard installation following the doc : 

• UCR - UCR demo with IHE
• CV - CV demo

Everything works until I get to the point where I have to enable federated SSO (UCR demo - Federated SSO). Once it is activated, I can no longer access the instance through the portal, and the browser displays the following error:

Checking the messages.log, I see that every time I try to enable federated SSO and access the portal, I encounter the following error:

12/24/24-10:51:55:639 (98515) 2 [Utility.

I want to integrate IRIS with Keycloak OAuth2 provider to use delegated authentication everywhere and to secure everything - sys*/Portal applications, REST services, FHIR server and so on. If an unathenticated user tries to access any IRIS URL - he or she should be redirected to Keycloak. After the user has successfully authenticated, i would like to access his requistes (username, email, roles, scopes) extracted from the JWT token, programmatically. What should be done to achieve that?

I'm trying to call a SOAP web service which is implemented in .NET Classic and requires NTLM authentication. The client class was generated by %SOAP.WSDL.Reader. The problem is that neither NTLM authentication works nor can I handle the exception since VSCode debugger says that all meaningful fields and properties are empty (the same request works fine in Postman):

ClassMethod Test()
{
    #Dim client as My.Client
    Set client = ##class(My.Client).%New()
    Try
    {
        Set client.SSLConfiguration = "SSL"
        Set client.Location = "https://server/service.asmx"
        Set client.

I finally figured out how to get JWT token using set x = ##class(%SYS.OAuth2.Authorization).GetAccessTokenClient("medbank","openid fhirUser",.prop,.err).

I also found iris-fhir-client app on Open Exchange. I registered Epic sandbox server, but I cannot list resources. I suspect I need to integrate authorization / authentication. How do I do this with irisfhirclient py?

Hi

I'm trying to use JWT authentication on a REST application in IRIS. The login API are correctly "injected" into the application. Login works fine with Postman and other REST clients, and subsequent calls to my REST API using the bearer token work fine (correctly authenticated). So far, so good.

The problem is that it doesn't work with Axios, so I can only test it, I cannot integrate it into my application.

I am trying to use IRIS for Health as a Facade for an external FHIR Server, where IRIS provides the proper authentication. The client authenticates using a bearer token obtained from the IRIS OAuth2 server via a jwt client assertion. The IRIS endpoint, however, returns a 401 as soon as I remove the Unauthenticated access

Is there w way to make this work through configuration?

Dear All,

I am currently part of a team that is developing an application using Microsoft PowerApps as the front end and IRIS as the backend.  Effectively that frontend screens, which are house and an Azure serve, call a series of REST interfaces exposed by IRIS from a physical Microsoft server.  During the development stage we have not had any security in place but now we need to secure the application using a single sign on.  PowerApps relies on Microsoft Entra for its security both LDAP and OAuth.  Has anyone in the community connected IRIS to Microsoft Entra?

I have a question about using OnInit() within a Ens.BusinessOperation.

When you include OnInit(), does OnInit() only execute when you start a Business Operation? Or does it execute OnInit () every time you send a REST request to the operation. I am trying to pinpoint when the best time is to execute the POST command to get the Token

I am needing to get a Bearer Token from a REST POST call and return the Authorization key prior to making the rest of the REST calls to pull down data.

When not using OAuth, what have you done to get the Token prior to executing any Requests?

Thanks

Scott

Hi Team,

My SOAP functions were working perfectly before enabling basic authentication. To set up basic authentication, I created web applications for the SOAP service, checked the password option, and assigned a user to this web application. However, after enabling basic authentication, the SOAP service stopped working.

We recently moved from using the Private Web Server, to using an Apache/Web Gateway setup and moved towards using the built in LDAP functionality within IRIS. Since then, we have 1 user that uses VSCode (/api/atelier) heavily that continues to have issues signing into IRIS through VS Code and the /api/atelier extension.

I am trying to troubleshoot two issues..

• User having login failures with correct

Is there an api for 'Is this user log-in?' and 'log-in this user with this id and password'?

Thank you

I am attempting to configure an inbound service that utilizes the EnsLib.SOAP.GenericService class. This service receives HL7-v3 content wrapped in SOAP requests. Despite reading the documentation on configuring SOAP services, I am still confused.

In my current configuration item "Fr_Centrak_RTLS", I have ‘Enable Standard Requests’ checked, ‘Pool Size’ set to 0, and the port is unspecified.

I have also configured a web application with the following details:

My challenge is determining the correct URL address for sending SOAP traffic to this service.

I am trying to use postman to start the restapi classes from a json openapi2.0.0 file.

POST: https://myserver.com/api/mgmnt/v2/requestAPI. The body contains the openapi2.0.0. The application api/mgmnt has in security settings: password. JWT is not selected. I set postman authentication to basis authentication and gave username and password. I also set in headers IRISUsername and IRISPassword. I have 401 Unauthorized.

Is the only way to go through is to build an oauth token? or do I miss something?

Thank you very much.

When trying to save ZAUTHENTICATE.mac the following error occurs 

If it is wrongly named as like ZATHIENTICATE.mac in the %SYS namespace it saves ok so it is something blocking saving a new fresh ZAUTH code of the correct name- we have no other delegated auth that I am aware of. 

Hi, I need to make a prompt for a password and to not display what the user is typing in a CMD. I want to use the read command but i'm not sure if it is possible with it.

Is it possible to authenticate an xDBC (ODBC/JDBC) connection to InterSystems IRIS via (a 3rd party) OAuth server?

For REST APIs this is possible, but could this be achieved with OAuth? 

Out-of-the-box the ODBC/JDBC Drivers don't seem to have this option, but maybe some custom code could enable this? perhaps via Delegated Authentication and some OAuth classes customization, or some other way?

Has anyone done this already and can share how it was implemented, or someone with some guideline suggestions?

Hi,

I use Caché COS and I'm having trouble doing a POP3 on the Microsoft email server using OAuth 2.0 authentication.

I'm using the following program to accomplish this task:

QGPOP ; Recebe e-mail da Microsoft Office 365
  Set server=##class(%Net.POP3).%New()
  Set server.port=995
  Set server.StoreAttachToFile=1
  Set server.AttachDir="D:\HOME\CNTIRET"
  Set servername="outlook.office365.com"
  Set user="importacao@ferrolene.com.br",pass="xxxxxx"
  Set AccessToken="exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  set server.SSLConfiguration="Transnovag"
  Set status=server.

Hello everyone,

I am attempting to enable two-factor authentication for a user account through the System Administration > Security > Users > Edit User (Security Settings) section. However, I am encountering an error with the Qrcode class.

ERROR #5002: ObjectScript error: <NOTOPEN>zGenerate+27^%SYS.QRCode.1

Update:
I tried to create a QR code image using the command from the %SYS.Qrcode class, and I encountered the same error. I believe it may be related to folder permissions, but I have already granted all the permissions that I am aware of to the InterSystems database.

Hello,

I'm making rest API service with Authentication.

How I can return HTTP Status 403 if user enter invalid login or password?

Now returning Http status 200.

Class RestAPI Extends %CSP.REST
{

XData UrlMap [ XMLNamespace = "http://www.intersystems.com/urlmap" ]
{
<Routes>

<Map Prefix="/restforms" Forward="Form.REST.Main"/>
<Route Url="/auth/:login/:pass" Method="GET" Call="CheckUser" Cors="true"/>
</Routes>
}

ClassMethod CheckUser(userAw, pwdAw) As %String
{

set %response.ContentType = "application/json"

// my code to check auth

Set object = {}
Set object.status = -1
Set object.message = "HTTP/1.