#Authentication

I am building a web application that uses JWT for authentication. I would like to pass the token in cookies instead of the Authorization header.
Is there a way to intercept the request and check the token from the cookies instead of the header? I tried overriding the OnPreDispatch() method and adding it to my dispatch class, but it seems like it never gets executed, as the response returns "Unauthorized" before reaching it.

ClassMethod OnPreDispatch(pURL As %String, pMethod As %String, ByRef pContinue As %Boolean) As %Status
{
        Set token = %request.Cookies.

Hi community,

I have an incorrect InterSystems Server Credentials password stored by the Workstation Keychain in VS Code. VS Code is trying to use this incorrect stored credential to access the server and does not prompt or allow me to input a different password. I do not see any settings associated with the Keychain or resetting those credentials. Does anyone know of the process to delete or replace a stored password here? 

Thanks!

Hannah 

I finally figured out how to get JWT token using set x = ##class(%SYS.OAuth2.Authorization).GetAccessTokenClient("medbank","openid fhirUser",.prop,.err).

I also found iris-fhir-client app on Open Exchange. I registered Epic sandbox server, but I cannot list resources. I suspect I need to integrate authorization / authentication. How do I do this with irisfhirclient py?

We are building a bunch of rest based services using Ens 2016.2 to serve our browser based application (Angular 4).

Two questions:

1. The initial authentication seems only work if credentials are placed in the url parameters.  Trying to use the Authorization header instead, the client code immediately complains about Access-Control-Allow-Origin. How can I resolve this?

2. After initial authentication, what is the proper way to send subsequent rest calls without having to include credential every time?

I have Parameter UseSession As Integer = 1 in my service class, but what else do I need to do?

Hi -

I know that when specifying Caché password rules (i.e. what constitutes a valid password definition) that the "Pattern Matching" logic is what is getting leveraged under the covers to enforce the "A Password Must conform to X" rule. I was hoping that people could share some more sophisticated pattern matching rules. (in particular, I was wondering what a rule that would require non-repeating mixture of letter, numbers, & punctuation of an overall minimal size)

This is more a WARNING than a question

Hello, has anyone tried to use Caché as a reverse proxy ?

We are trying to embed a dashboard server (Plotly Dash in this case, but it could be anything which runs on its application server) inside our application which is written in Caché.  
The dashboard/report server runs locally (for example, or inside a LAN) on port 8080, and has no authentication features, so we have to implement them on a different layer, and we'd like to use Caché for it.

Credentials for a Productions are stored as plain text in ^Ens.SecondaryData.Password and exposed as plain text via SQL table Ens_Config.Credentials which is not ideal as only admins should know the credentials.

I can create my own adapter etc... to store and use encrypted passwords but does anyone know if there is a standard way to do this in a Production?

Alternatively, am I missing how to secure this so the production can run and someone can monitor and operate a production without access to the SQL table or global?

Hi,

I'm using Operating System authentication and I need to give permission on Healthshare to allow a user to run only this two commands 

##Class(Backup.General).ExternalFreeze()

and

##Class(Backup.General).ExternalThaw()

This user is gonna be use to backup only.

There are any role on HealthShare for this?

Hi community,

A colleague gets ERROR #822: Access denied every time he tries to log in via Management portal. It is NOT the case of wrong credentials: I reset his password password to a temporary one so it would prompt him to create a new one upon first login. He did get the prompt, changed his password and his next attempt at logging in displayed the same error.

The audit log record displays this:
Error message: ERROR #862: User is restricted from running application /csp/sys/op, %Admin_Operate:U required -- cannot execute.

When trying to save ZAUTHENTICATE.mac the following error occurs 

If it is wrongly named as like ZATHIENTICATE.mac in the %SYS namespace it saves ok so it is something blocking saving a new fresh ZAUTH code of the correct name- we have no other delegated auth that I am aware of. 

Hello everyone :-)

I would like to update Atelier from version 1.0.262 to the 1.3 one. So I clicked on Help --> Check for updates, and I get these first error messages:

"No updates were found in available software sites."

"Some sites could not be found. See the error log for more detail." etc. cf picture below talking about Proxy Authentication.

I'm interested in different approaches on how to store user data in Caché. I'm assuming that application uses Caché security/Caché users and not a self-made authentication system.

Several approaches, I'm familiar with:

Hello,

I'm new to Iris for Health and I'm trying to get some experience using it.  I've subscribed to the Intersystems Iris for Health software in AWS marketplace.  I successfully spun up the EC2 instance with the default security group.  The try-iris instance is healthy and successfully starts within EC2.  I've also successfully changed the default password too.

 However, I'm unable to authenticate into the management portal.  The portal launches okay though I keep getting an access denied.  I'm also unable to authenticate into a session from the EC2 instance.

I am trying to use postman to start the restapi classes from a json openapi2.0.0 file.

POST: https://myserver.com/api/mgmnt/v2/requestAPI. The body contains the openapi2.0.0. The application api/mgmnt has in security settings: password. JWT is not selected. I set postman authentication to basis authentication and gave username and password. I also set in headers IRISUsername and IRISPassword. I have 401 Unauthorized.

Is the only way to go through is to build an oauth token? or do I miss something?

Thank you very much.

Hi,

I've a Service utilising the Adapter EnsLib.SQL.InboundAdapter, which uses a Credentials item set with the details of a local SQL account. This currently works, however, we're looking to use the credentials of an AD domain account.

The domain account is a member of an AD security group, which has the required permissions on the source SQL database. I've checked that access is possible with this account via SQL studio.

I've tested setting the Credential username as domain\username and username@FQDN, but neither create a successful connection.

Does anyone happen to have a sample Configuration (CPF) Merge file that includes Action parameters setting up authentication methods (e.g. Password, Kerberos) for certain Services and Web Applications (e.g. via the ModifyService or Modify/CreateApplication AutheEnabled property)?

Thanks!

Hi, Community!

Suppose If you develop a client js application which works with Caché server via REST API (CSP Gateway).

What are the options for Authentication and working with Caché session then?

Hi guys,

I'm trying to consume a REST Service that use Digest authentication, I'm trying to implement the authentication but I'm don't know where is my mistake.

Someone have already used this type of authentication.

Below the code I wrote to try to generate the response hash:

Hello everyone,

I'm trying to authenticate a user(Health Share clinician) from a Java Application. 

I 'm already connected to Caché and able to run SQL commands.

My question is: How can I authenticate a user using only SQL? In fact, what I want is verify if the users exists in the base and if the given password is the same used in Health Share.

There is a column 'password' in Security.users table but I'm not able to see its content, even so, I don't know which hash function to use to compare with.

I need to perform additional checks before Cache user logins (let's say in a terminal for simplicity) and allow access only to those, who passed them. How do I do it?

If a user simply closes a tab (running a web application), is there any good way to ensure that the license is released AND the login cookie is destroyed?  

I found that if the tab is simply closed without first logging out of the application, then 1) the license hangs around forever, and 2) if the user then opens a tab, he is already logged in.

For #2, I understand that there might be some grace period to allow the user to log in automatically again using the same session Id (where is that documentation again?) but what about destroying the license?  Who/what is supposed to clean that up?

Is it possible to authenticate an xDBC (ODBC/JDBC) connection to InterSystems IRIS via (a 3rd party) OAuth server?

For REST APIs this is possible, but could this be achieved with OAuth? 

Out-of-the-box the ODBC/JDBC Drivers don't seem to have this option, but maybe some custom code could enable this? perhaps via Delegated Authentication and some OAuth classes customization, or some other way?

Has anyone done this already and can share how it was implemented, or someone with some guideline suggestions?

OAuth server to be deployed on the IRIS learning cloud platform. Clients - one on the other instance of the learning IRIS server, the other client locally on my computer in the container docker.

Both clients get a seemingly correct link (through ##class(%SYS.OAuth2.Authorization).GetAuthorizationCodeEndpoint()) to the login request form:  

https://52773b-62955584.labs.learning.intersystems.com/oauth2/authorize?response_type=code&client_id=nHCv5A-u_5T1YAwk_tJ7xpi1ky-s2AnRQMaL6YHsUgU&redirect_uri=https%3A//52773b-99792125.labs.learning.intersystems.com/csp/sys/oauth2/OAuth2.Response.

In our current UCR arhcitecture, we use two installations. We have one machine with Access, Registry and Edges and one machine with the ODS. On the machine with the Registry, I can create a user/clinician. When I log into the management portal with this user, a so-called delegated user is created in the cached users table. So far everything is going well. 

When I try the same on the machine with the ODS I get the message : 'ERROR #822: Access Denied' . so no delegated user is created.... Does anyone have any idea where I can find the solution?

I want to integrate IRIS with Keycloak OAuth2 provider to use delegated authentication everywhere and to secure everything - sys*/Portal applications, REST services, FHIR server and so on. If an unathenticated user tries to access any IRIS URL - he or she should be redirected to Keycloak. After the user has successfully authenticated, i would like to access his requistes (username, email, roles, scopes) extracted from the JWT token, programmatically. What should be done to achieve that?

When I attempt to start my local IRIS instance (named LATEST) I am getting the below error

"(111) Error starting service: LATEST
Reason: (1069) The service did not start due to a logon failure."

Does anyone have experience with this or know how to resolve the logon credentials associated  with this start? 

Hi guys, 

I want to develop a web application in which a user can log in through the user credential of intersystems that is created in Management Portal for a specific role. How can I authenticate the user and get any token or login cookie through which user can call other apis

Hello,

I need to expose InterSystems HealthInsight dashboards over the internet to external operators. The authentication flow is managed externally. When a user is authenticated, our system receives an HTTP request with specific headers (e.g., operator’s fiscal code and hospital identifier) that we need to extract in order to:

• Authorize the user to access the dashboards.
• Apply row-level security on the dashboards, filtering the data by hospital and user role.

I am working on an ZAUTHENTICATE.mac to move us from local cache users to Delegated Authentication against LDAP. 

I have created a user role within my instance of Ensemble that matches the AD Group that I will be assigning everyone in my group to.  Is there a way to query the list of available Roles within Ensemble, and if one of my AD groups matches that role, set the role for that user?

How would I compare the AD Group against the Role listing?

Thanks

Scott