#OAuth2

In v2026.1 we introduced support for a more robust and real-life secure authorization for your FHIR endpoints.

This is achieved by using SMART on FHIR v2 fine-grained scopes.

Focus - Not SMART in general, rather, the fine-grained scopes; Hands-on easy sample

This article is intended as a beginner level article for people that want to learn how to use OAuth2 in their web applications natively.

There is an accompanying video/demo that may be helpful here: 

and you can reproduce this locally with the Open Exchange application attached.

OAuth2 as a native authentication type for web applications

OAuth (Open Authorization) 2.0 is a standard way to let one application call another application’s API without sharing a username and password.

Hi, now I would like to continuous on the topic that we talk about previously

Using Postman for testing the OAuth2.0 of the InterSystems FHIR repository - Part1

Question 1: Where is my client_id and client_secret come form?

Short answer: Authentication Server.

If you don't have an Authentication Server, you may set up one as following

Provide the hostname (the host must support Https), at least 1 grand type (we choose client credential here), and SSL/TSL configuration

Input the scopes (here we input user/*.read and user/*.

If you want to generate JWT from x509 cert/key, any operation (including reading) on %SYS.X509Credentials requires U on %Admin_Secure resource.%Admin_Secure is required because is persistent, and it's implemented this way to prevent all users from accessing private keys.

If  resource is not available at runtime, you can use the following workaround.

Upon reviewing the code for JWT generation, I discovered that the JWT code utilizes solely as a source of runtime data for PrivateKey, PrivateKeyPassword, and 

Hi all, it's me again for sharing what I am studying recently.😓

Recently, I am studying how to setup OAuth2 authentication for the InterSystems FHIR repository. And I found the following articles are very good and easy to follow.😁

SMART on FHIR EHR Launch with IRIS for Health

Building an FHIR Repository + OAuth2 Authorization Server/Resource Server Configuration on IRIS for Health Part 2

For me, as a user who do not have much knowledge about OAuth2.0. I think it quite difficult to understand how to setup the whole OAuth2.0 environment before knowing how's it look like (what is it?

I built a BP, that every time that a message is received from a BS, it executes 

 set##class

To save time, I was thinking of just creating a BS that goes out and gets the Authorization Token every hour. However then how to do I pull that Token into the BO to ensure that the Token is included in the Request that is sent to the HS.FHIRServer.Interop.HTTPOperation?

InterSystems API Manager (IAM) is a core component of the InterSystems IRIS Data Platform, offering centralized API management with a strong emphasis on security. IAM simplifies the entire API lifecycle, from creation to retirement, and provides a developer portal for easy API discovery and integration. Access control features allow administrators to define precise permissions, and IAM seamlessly integrates with the IRIS Data Platform, enhancing data management and integration capabilities.

Features of IAM include:

• API Gateway: Centralized API management and security hub.

Also in previous versions you could define your FHIR Server to accept requests via OAuth 2.0 (e.g. for a SMART on FHIR client) but nowadays with v2024.3, which was released a while ago, there is a new feature, that enables doing this more easily - the OAuth FHIR Client QuickStart.

I need to connect IRIS to a third-party FHIR server which in turn is connected to Keycloak.

For machine-to-machine communications, client credentials grants should be used. I don't know why exactly but the FHIR server requires access tokens to contain the "openid" scope, otherwise it returns 401 (unauthorized).

If the access token returned by Keycloak contains that scope, IRIS complains about ""ERROR #8859: Unsupported response to access token request: OpenID Connect is not supported for password and client credentials grant type". The error is produced by the OAuth2.

Hello Community,

I’m working on an InterSystems IRIS production that needs to call an external API using OAuth client credentials (client_id and client_secret). For security reasons, I must pass these credentials via environment variables in my Docker container.

In the IRIS terminal, I can successfully retrieve these environment variables using $System.Util.GetEnviron("api-clientid") and $System.Util.GetEnviron("api-clientsecret"). However, inside my Business Operation class (OnMessage method), these environment variables return empty strings.