#Authentication

This article is intended as a beginner level article for people that want to learn how to use OAuth2 in their web applications natively.

There is an accompanying video/demo that may be helpful here: 

and you can reproduce this locally with the Open Exchange application attached.

OAuth2 as a native authentication type for web applications

OAuth (Open Authorization) 2.0 is a standard way to let one application call another application’s API without sharing a username and password.

What is JWT?

JWT (JSON Web Token) is an open standard (RFC 7519) that offers a lightweight, compact, and self-contained method for securely transmitting information between two parties. It is commonly used in web applications for authentication, authorization, and information exchange.

A JWT is typically composed of three parts:

1. JOSE (JSON Object Signing and Encryption) Header
2. Payload
3. Signature

These parts are encoded in Base64Url format and concatenated with dots (.) separating them.

Also in previous versions you could define your FHIR Server to accept requests via OAuth 2.0 (e.g. for a SMART on FHIR client) but nowadays with v2024.3, which was released a while ago, there is a new feature, that enables doing this more easily - the OAuth FHIR Client QuickStart.

When I was younger (a question about exactly how much younger is outside the scope of this article), the word “token” meant fun. You see, just a couple of times a year, I would get to go to an arcade and play some amusing video games with my friends.

These days, tokens signify security. JSON Web Token (JWT) Authentication has become one of the most popular standards for securing REST APIs. Fortunately for IRIS users, we have a straightforward way to set up applications to be protected this way. Yet, the idea is still similar to my old arcade days.

What is TLS?

TLS, the successor to SSL, stands for Transport Layer Security and provides security (i.e. encryption and authentication) over a TCP/IP connection. If you have ever noticed the "s" on "https" URLs, you have recognized an HTTP connection "secured" by SSL/TLS. In the past, only login/authorization pages on the web would use TLS, but in today's hostile internet environment, best practice indicates that we should secure all connections with TLS.

Why use TLS?

So, why would you implement TLS for HL7 connections?

One of the most common kinds of integration we are asked to do is emailing. One of the most typical email services our customers use is Microsoft’s Office 365. After setting up the right configuration on the Microsoft side, we can email from IRIS with two HTTP requests. By the end of this article, we will be able to send an email with an attachment through our Microsoft 365 service!

Microsoft’s REST API, called Graph, allows you to do a lot of things within Microsoft’s various apps, and it is precisely what we will employ to send our email.

In this tutorial, I will discuss how can you connect your IRIS data platform to sql server db .

Prereq: 

• Have ODBC driver installed in your device. You can download it from here: Download ODBC Driver for SQL Server - ODBC Driver for SQL Server | Microsoft Learn. 
• Have SQL Server and IRIS installed in your device
• Have SQL Server connection Authentication enabled in SQL server

At hackathons that InterSystems participated and I supported, many students were asking how all their teammates could use the same IRIS database that they spun up in a container. I suggested using ngrok to expose their localhost IRIS and realized we don't have documentation on that. Hence, I thought this would be great to let more people knwo about this powerful technique for enhancing collaboration during development and testing.

Step-by-Step Guide to Exposing InterSystems IRIS with ngrok

This guide will walk you through the process of exposing your local InterSystems IRIS instance using ngrok.

Over the past couple of months, I have been working on the SMART on FHIR EHR Launch to test the capabilities of IRIS for Health using two open-source apps from CSIRO: SMART-EHR-Launcher and SMART Forms App. This journey has been incredibly interesting, and I’m truly grateful for the opportunity to work on this task and explore more of IRIS for Health’s potential.

After successfully demonstrating the seamless launch of multiple external SMART apps at the HL7 AU FHIR Connectathon, I’m excited to share what I’ve learned with the community.

 JSON Web Token (JWT) Authentication

Hi Everyone,

I would like to share the code and step-by-step instructions/or guideline for generating a JWT (JSON Web Token) signature, as well as how to test it using Postman / HealthConnect.

JWT is an open standard (RFC 7519) that defines a compact, URL-safe method for securely transmitting information between parties in the form of a JSON object.

Structure of a JWT:

A JWT consists of three parts, separated by dots (.):

In your Interoperability Production you could always have a Business Operation that is an HTTP client, that uses OAuth 2.0 for authentication, but you had to customize the Operation for this authentication methodology. Since v2024.3, which was lately released, there is a new capability, providing new settings, to handle this more easily.

Hello everyone,

I want to share my experience configuring an IIS server to enable secure HTTPs access to HealthShare/HealthConnect.

After installing the “WebServerGateway” and completing the initial setup, I encountered a few issues. Specifically, when trying to log into HealthConnect using HTTPS, the logo didn’t appear, and clicking any buttons didn’t trigger any response. See screenshot below:

Below is a step-by-step guide to resolve the current issue, as well as another issue I encountered with accessing the Rule Editor.

I have started working on utilizing Epic on FHIR about a month ago.

Creating a Public Private Key Pair

mkdir /home/ec2-user/path_to_key
openssl genrsa -out ./path_to_key/privatekey.pem 2048

For backend apps, you can export the public key to a base64 encoded X.509 certificate named publickey509.pem using this command...

openssl req -new -x509 -key ./path_to_key/privatekey.pem -out ./path_to_key/publickey509.pem -subj '/CN=medbank'

Recently I got into a situation where a user had some roles, which granted additional roles, and so on.

As I did not understand where a particular permission came from, I wrote this code which gets an initial set of roles and unwraps them recursively, accounting for any repeats.

As a part of the IRIS Python 2024 contest, my colleague Damir and I went with an idea to build a platform called ShelterShare for connecting victims and volunteers for shelter requests . To do so we chose django as a framework and proceeded to build the first version with 3 different docker containers, django, iris and nginx which would then utilize IRIS as a pure Database engine via the beautifly composed django_iris (cudos to Dimitry). As we were progressing fast, we decided to explore the option of running it within the same container as IRIS by utilizing WSGI added in 2024.1.

In this article we are going to see how we can use the WhatsApp instant messaging service from InterSystems IRIS to send messages to different recipients. To do this we must create and configure an account in Meta and configure a Business Operation to send the messages we want.

Let's look at each of these steps in more detail.

Setting up an account on Meta

This is possibly the most complicated point of the entire configuration, since we will have to configure a series of accounts until we can have the messaging functionality.

Here you can read the official Meta documentation.

Introduction

In the modern digital age, securing applications, particularly those handling sensitive health data, is paramount. The confidentiality, integrity, and availability of such data are crucial, necessitating robust security measures. Two-factor authentication (2FA) stands out as a critical enhancement in safeguarding access, adding an extra layer of security beyond just passwords. Recognizing the significance of this feature, InterSystems provides built-in support for 2FA in its database solutions. This tutorial aims to guide you through the process of configuring two-factor authentication in your InterSystems environment, ensuring that your data remains secure and accessible only to authorized users.

Your may not realize it, but your InterSystems Login Account can be used to access a very wide array of InterSystems services to help you learn and use InterSystems IRIS and other InterSystems technologies more effectively.  Continue reading to learn more about how to unlock new technical knowledge and tools using your InterSystems Login account.  Also - after reading, please participate in the Poll at the bottom, so we can see how this article was useful to you!

What is an InterSystems Login Account?

The objective of the article is to provide the reader with the following informations:

• Configure and use the FHIR server
• Create an OAuth2 Authorization Server
• Bind the FHIR server to the OAuth2 Authorization Server for support of SMART on FHIR
• Use the interoperability capabilities of IRIS for Health to filter FHIR resources
• Create a custom operation on the FHIR server

Schema of the article:

The %CSP.Login class is the utility class provided by InterSystems IRIS to do custom login pages. If you want to control your IRIS application authentication UI, you must extend %CSP.Login and override some methods according to your needs. This article is going to detail those methods and what you can do with them. In addition to that, you will get an explanation of the delegated authentication mechanism provided by ZAUTHENTICATE.mac routine.

“I have been waiting for thirty seconds for service. This is outrageous! I am leaving!”

“I am very sorry to hear that, sir. Perhaps, next time, you should make a reservation.”

If you heard that comment at your favorite restaurant, you would think the person saying it was being ridiculous. However, in the context of your API, it makes perfect sense. Just like your favorite eatery, your API has some regular patrons who, as you know, will be visiting one day or another. It would be great to be able to make a standing reservation for them as well.

It will involve a couple of IRIS fundamentals.

Here in %SYS, we have already examined users, resources, and roles. Now that we know how to set all of that up, we should give it a purpose. Next we will talk about applications! As you may expect, we will see various identical class methods defined here that we have seen in the previous classes. However, some of them will have some tiny yet significant differences.

Taking advantage of the Quiniela ML application and as we indicated in the previous article, we are going to explain how we can perform a JWT authentication between our frontend developed in Angular and our backend developed in InterSystems IRIS.

I remind you of the architecture of our QuinielaML project:

Usually it is a cumbersome process in web applications to develop the administration and management of user access, but in our case InterSystems IRIS simplifies the process by providing us with all the infrastructure we need.

In this article I will explain how to Authenticate, Authorize and Audit by code by using CSP Web Application along with Enabling /Disabling and Authenticate/Unauthenticate any Web Application.

• Online Demo is available on cloud https://dappsecurity.demo.community.intersystems.com/csp/user/index.csp (SuperUser | SYS)
• I recommend to watch the video before continue https://www.youtube.com/watch?v=qFRa3njqDcA

Application Layout

Have you ever thought of creating your own systems for editing users or, perhaps, even an API that you can call? Today, you’re going to join me in the %SYS namespace and get to know Security.Users! 

This class has forty properties, many of which you’ve seen before in the System Management Portal. There are class methods for manipulating most of those properties. Every method in this class is a class method, and in most of them, the username is passed as an argument. These methods can be used when you do not want to open and directly manipulate the user’s objects, which is a bad idea anyway!

This scenario showed up yesterday at a client site when I was delivering bespoke consultation on migration from Studio to VS Code.

The site's servers had been configured to use delegated authentication, but the "Delegated" checkbox hadn't been set against the /api/atelier web application, which is what the members of the InterSystems ObjectScript Extension Pack use to make their connections.

As soon as the we application got its checkbox set and the Server Manager refresh button was clicked, namespaces could be enumerated on the server.

It is a recommended security practice to login into sensitive Administrator Portals without any input passwords. Thus, it is necessary to identify and authenticate the users correctly. A common technique employed by web portals and mobile applications is to use Google social login. Today, Google Gmail has 2 billion users (source:https://www.usesignhouse.com/blog/gmail-stats). Therefore, it is a perfect shared login service to utilize to login InterSystems IRIS users when they need to manage their instances. This article will detail all the steps to embed Google Login into your InterSystems Management Portal.

Register your InterSystems instance in the Google Console

1. Go to https://console.cloud.google.com and log in with your Google user account.
2. On the header click Select a project: