#OAuth2

Articles and Questions regarding OAuth2 Authentication.

Question Scott Roth · Dec 29, 2025

I built a BP, that every time that a message is received from a BS, it executes 

 set isAuth=##class(%SYS.OAuth2.AccessToken).IsAuthorized("EpicFHIRPOC",,,.accessToken,.idtoken,.responseProperties,.error)
 if 'isAuth {
     set tSC=##class(%SYS.OAuth2.Authorization).GetAccessTokenClient("EpicFHIRPOC", "*",, .error)
     set isAuth=##class(%SYS.OAuth2.AccessToken).IsAuthorized("EpicFHIRPOC",,,.accessToken,.idtoken,.responseProperties,.error)
 }

To save time, I was thinking of just creating a BS that goes out and gets the Authorization Token every hour.

Question Dmitrii Baranov · Dec 9, 2025

I need to connect IRIS to a third-party FHIR server which in turn is connected to Keycloak.

For machine-to-machine communications, client credentials grants should be used. I don't know why exactly but the FHIR server requires access tokens to contain the "openid" scope, otherwise it returns 401 (unauthorized).

If the access token returned by Keycloak contains that scope, IRIS complains about "ERROR #8859: Unsupported response to access token request: OpenID Connect is not supported for password and client credentials grant type". The error is produced by the OAuth2.

Question Colin Nagle · Oct 24, 2024

I have an API set up in IRIS which is secured using an IRIS authentication service, so there is a bearer token being passed down in the request header.

I've already set Parameter HandleCorsRequest = 1; on the spec class, and all the endpoints I have (a mix of GET, POST, PATCH and DELETE) are working from Postman without issue. The problem is when consuming from the web front-end and the preflight checks the browser instigates. Most of the endpoints work in the browser, but some are triggering the preflight (OPTIONS) check, causing the CORS issue.

Question Ditmar Tybussek · Feb 21, 2025

Hi,

I do have the problem to send mails to Outlook after getting the new OAUTH2 token.

I have no problem getting the token, but after I got the token I try to send the mail through SMTP but authorization failed. Please see my try to send the token through the %Net.Authenticator mechanism %Net.SASL.XOAUTH2

Is this OK?

Or is there another method to authenticate using the needed bearer method instead of user/pwd with the authenticator?

 

 ....code to get the token is working..

...   set s=##class(%Net.SMTP).%New()
    
    set m=##class(%Net.MailMessage).%New()
    
    set auth=##class(%Net.

Question TAZ.R · Jul 16, 2025

Hello Community,

I’m working on an InterSystems IRIS production that needs to call an external API using OAuth client credentials (client_id and client_secret). For security reasons, I must pass these credentials via environment variables in my Docker container.

In the IRIS terminal, I can successfully retrieve these environment variables using $System.Util.GetEnviron("api-clientid") and $System.Util.GetEnviron("api-clientsecret"). However, inside my Business Operation class (OnMessage method), these environment variables return empty strings.

Question Edmara Francisco · Feb 14, 2025

Hello, community!

I am working on implementing OAuth 2.0 authentication in InterSystems IRIS and need to correctly define a CSRF token that will be validated by OAuth.Response. However, I am having trouble finding a clear method to configure the CSRF token correctly.

So far, I have tried:

  • Setting the CSRF token in the request header.
  • Inserting the CSRF token via InsertCookie.

Despite these attempts, I haven’t been successful. On the OAuth.Response page, the CSRF token is empty, and I get the error message “Invalid CSRF token” because the csrfToken is empty.

Question Jan K · Feb 10, 2025

We are trying to create a JWT in order to get oauth2 token from login.microsoftonline.com and then use that token to get key/secret from an Azure Key Vault.

It seemed like it would be quite straightforward by using the Create method of class  %Net.JSON.JWT

But already trying to set the first header parameter alg PS256 as specified by https://learn.microsoft.com/en-us/entra/identity-platform/certificate-c… becomes a problem.

Question Fabrizio Campari · Dec 24, 2024

Hi!   

I'm trying to set up a Clinical Viewer demo env with HealthShare 2024.2. 
I've done the standard installation following the doc : 

Everything works until I get to the point where I have to enable federated SSO (UCR demo - Federated SSO). Once it is activated, I can no longer access the instance through the portal, and the browser displays the following error:

Checking the messages.log, I see that every time I try to enable federated SSO and access the portal, I encounter the following error:

12/24/24-10:51:55:639 (98515) 2 [Utility.

Question Oliver Wilms · Dec 15, 2024

I am trying to work with Epic on FHIR. Epic's documentation stated, your application makes a HTTP POST request to the authorization server's OAuth 2.0 token endpoint to obtain access token.

Set tSC = ##class(%SYS.OAuth2.Authorization).GetAccessTokenClient(pClient,pScopes,.prop,.err) returns

ERROR #9761: No key in provided JWKS for alg ES512 and kid  

I check this /csp/sys/oauth2/OAuth2.JWTServer.cls?

Question Gayle Congdon · Dec 5, 2024

I have created an OAuth Client and have created the credentials etc successfully.

I have tested using the curl command and have received the token back from the Server using the terminal.

I now need to create an Operation to use my client credentials to connect to the Server and receive the token back.

What adapter would I use, as I am unable to link my client credentials and secret? Currently I am using the EnsLib.HTTP.OutboundAdapter but I am not sure if this is correct.

Question Mike Yackanich · May 27, 2021

Hi all,

I'm performing a migration of some services from one instance to another, and I noticed that the technique defined within the InterSystems Server Migration Guide does not include OAuth client configurations. The recommended technique is to use the ##class(Security.System).ExportAll() and ##class(Security.System).ImportAll() methods.

Is there a way to migrate OAuth client configurations, or do those have to be re-created manually?

Question Dmitrii Baranov · Nov 27, 2024

I want to integrate IRIS with Keycloak OAuth2 provider to use delegated authentication everywhere and to secure everything - sys*/Portal applications, REST services, FHIR server and so on. If an unauthenticated user tries to access any IRIS URL, he or she should be redirected to Keycloak. After the user has successfully authenticated, I would like to access his requisites (username, email, roles, scopes) extracted from the JWT token, programmatically. What should be done to achieve that?

Question Oliver Wilms · Nov 22, 2024

I finally figured out how to get JWT token using set x = ##class(%SYS.OAuth2.Authorization).GetAccessTokenClient("medbank","openid fhirUser",.prop,.err).

I also found iris-fhir-client app on Open Exchange. I registered Epic sandbox server, but I cannot list resources. I suspect I need to integrate authorization / authentication. How do I do this with irisfhirclient py?

Question Jim Lyons · Oct 16, 2024

Working on a project where I'm needing to make FHIR calls from my HealthConnect Interop production to Epic. 

My issue is I'm not able to construct a valid JWT for the OAuth token retrieval that Epic will accept. I have the below code where I'm able to create a valid header and payload that I'm base64URL encoding and then trying to sign with my .pem private key file. However, Epic is not liking the signature portion of my JWT.

As such, I wanted to present my code to see if I'm performing the signature steps correctly? I've seen some posts where the %Net.

Question Oliver Wilms · Nov 19, 2024

I need to create a JWT to connect to the EPIC FHIR server sandbox.

https://fhir.epic.com/Documentation?docId=oauth2&section=BackendOAuth2G…

You will generate a one-time use JSON Web Token (JWT) to authenticate your app to the authorization server and obtain an access token that can be used to authenticate your app's web service calls. There are several libraries for creating JWTs. See jwt.io for some examples.

The header and payload are then base64 URL encoded, combined with a period separating them, and cryptographically signed using the private key to generate a signature.

Question Olivier Caudron · Jul 23, 2024

Hi

I'm trying to use JWT authentication on a REST application in IRIS. The login API are correctly "injected" into the application. Login works fine with Postman and other REST clients, and subsequent calls to my REST API using the bearer token work fine (correctly authenticated). So far, so good.

The problem is that it doesn't work with Axios, so I can only test it, I cannot integrate it into my application.

Question Theo Stolker · Sep 20, 2024

I am trying to use IRIS for Health as a Facade for an external FHIR Server, where IRIS provides the proper authentication. The client authenticates using a bearer token obtained from the IRIS OAuth2 server via a jwt client assertion. The IRIS endpoint, however, returns a 401 as soon as I remove the Unauthenticated access

Is there a way to make this work through configuration?

Question Bradley Collins · Aug 18, 2024

Dear All,

I am currently part of a team that is developing an application using Microsoft PowerApps as the front end and IRIS as the backend. Effectively the frontend screens, which are housed on an Azure server, call a series of REST interfaces exposed by IRIS from a physical Microsoft server. During the development stage we have not had any security in place but now we need to secure the application using a single sign on. PowerApps relies on Microsoft Entra for its security, both LDAP and OAuth. Has anyone in the community connected IRIS to Microsoft Entra?

Question Scott Roth · May 7, 2024

Question for folks who have connected to an External FHIR repository outside of IRIS. Within the HS.FHIRServer.Interop.HTTPOperation there is not an option to include TLS or an OAuth authentication when connecting to an external Repository. So then how is that piece done if you need to Authenticate against an OAuth Server before you are able to access the data or call the Web Services/REST calls?

Question Michael Davidovich · Mar 21, 2024

Hello,

I have my server setup a resource server.  When a user calls our API they submit a bearer token as authorization and in our dispatch class AccessCheck() we validate the JWT using ##class(%SYS.OAuth2.Validation).ValidateJWT()

If I include a scope to check in that method I get the error Scope check may only be done on requesting client and I'm not sure what this means. The method works without including the scope and will let me know if I have an unsigned token or an expired token.

I noticed that the implementation of the method calls Set token=##class(OAuth2.AccessToken).

Question Yone Moreno · Feb 9, 2023

Good afternoon! 👋 We would be very grateful if you are kind enough to read and respond to our request 😊.

We need given an Authentication request issued towards our OAuth 2.0 authorization server; that in case of error, the responded message is customized.

Currently if we point from POSTMAN to:
https://[IP]:[Port]/oauth2/token?grant_type=client_credentials&scope=my/scope

Username: Erroneous
Password: Erroneous

We get:
{
    "error": "server_error",
    "error_description": "ERROR #5002: Cache error: <INVALID OREF>zAuthorize+28^OAuth2.Server.Token.

Question Tani Frankel · Feb 1, 2024

Is it possible to authenticate an xDBC (ODBC/JDBC) connection to InterSystems IRIS via (a 3rd party) OAuth server?

For REST APIs this is possible, but could this be achieved with OAuth? 

Out-of-the-box the ODBC/JDBC Drivers don't seem to have this option, but maybe some custom code could enable this? perhaps via Delegated Authentication and some OAuth classes customization, or some other way?

Has anyone done this already and can share how it was implemented, or someone with some guideline suggestions?

Question Anup Thakkar · Nov 29, 2023

Hello,

I have created a service in Node.js which interacts with IRIS using APIs. The current implementation uses basic auth. I want to implement OAuth 2, to make the communication between the Node.js service and IRIS secure. I want my service to act as client and IRIS as Authorization and Resource server. I don't know how to do that. Anyone who has implemented OAuth using IRIS, can you help me out or point me in the right direction about how to implement it?

Thank you for your help :)

Question Scott Roth · Nov 17, 2023

I am attempting to set up my first OAuth2 client, as we are adventuring into the realm of making FHIR API calls to our EMR from HealthShare Health Connect.

I have gone through and set up the Issuer Endpoint, and Client Configuration but now I want to test it and verify that the setup is correct. When I set up the Client Configuration, it would not allow me to use Discovery as it was saying I needed a "Client secret" but was not given one. So I set it up manually, thinking I hit all the information correctly.

Question Scott Roth · Dec 1, 2023

Trying to set up my first OAuth 2 client to authenticate against Epic's Interconnect instance that is hosting FHIR/Web Service APIs. Epic's documentation says the JWT request has to be sent as a POST request.

Does 

GetAuthorizationCodeEndpoint

and 

GetImplicitEndpoint

automatically put the request into a POST request, or do I need to format a %Net.HttpRequest to POST?

Thanks

Scott

Question Claudio Vieira · Feb 3, 2023

Hi,

I use Caché COS and I'm having trouble doing a POP3 on the Microsoft email server using OAuth 2.0 authentication.

I'm using the following program to accomplish this task:

QGPOP ; Receives e-mail from Microsoft Office 365
  Set server=##class(%Net.POP3).%New()
  Set server.port=995
  Set server.StoreAttachToFile=1
  Set server.AttachDir="D:\HOME\CNTIRET"
  Set servername="outlook.office365.com"
  Set user="importacao@ferrolene.com.br",pass="xxxxxx"
  Set AccessToken="exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  set server.SSLConfiguration="Transnovag"
  Set status=server.
