I am very much a newbie on the subject of JWT, so please excuse my ignorance.
The Trust I am currently working for wishes to create a framework whereby they can create REST API Services, within HealthConnect, and grant access to these using JSON Web Token Authorisation and Bearer Tokens. This would be similar to the way the Trust currently connects to other REST APIs, i.e. DocMan Connect and GOV.UK Notify.
Can anyone offer any advice / sample code and / or point me in the direction of suitable documentation to achieve this?
I have an API set up in IRIS which is secured using an IRIS authentication service, so there is a bearer token being passed down in the request header.
We have an OAuth server configured as an identity provider, and we have an external application (from another provider) that connects correctly with OAuth.
Due to the needs of the project, what we want to do is the following:
I come back to you, I have a problem with the Client description in OAuth2: when I tick the Supported grant types and save, they are not registered in the OAuth2_Client.Metadata table.
I am trying to configure OAuth2 server to connect to Cerner Auth server to get FHIR API access token but I am getting the error "Discovery response not valid".
I can get the access token back okay from the Cerner endpoint used in the OAuth configuration below via Postman and by manually sending the request via an HTTP Operation from HealthShare, so the URLs I am using look correct but the OAuth configuration is not working.
I'm playing with OAuth2 with FHIR Server, but returned tokens cause 401 or 403 errors when trying to get FHIR resources.
I tried using fhir-client.js and Postman. Access tokens returned have been failing for both, with a 401 when trying through fhir-client.js and a 403 using Postman.
You will generate a one-time use JSON Web Token (JWT) to authenticate your app to the authorization server and obtain an access token that can be used to authenticate your app's web service calls. There are several libraries for creating JWTs. See jwt.io for some examples.
Hi. I have an issue where we are using OAuth2.0 with the ZAUTHENTICATE routine. Once our token is validated we are using a user's LAN ID (passed in the ID token) to find a software-defined username in a Cache Global.
That is all working fine in ZAUTHENTICATE. I am setting the software-defined username in the Properties("Comment") array and want to reference it in the REST Service Dispatch class.
Is this available anywhere (for Health Connect)? I've found a few presentations but they are aimed at entry level.
We're looking at supporting more and more FHIR, REST plus OAuth interfaces in future. I've built some of this into older versions of HealthShare and Ensemble but it's desirable to move to supported versions.
We would be using Healthshare as a facade to other systems.
I'm trying to implement an OAuth2 server, but I have some issues when trying to set up JWT under OAuth 2.0->Client.
I get the error message saying "No match between server name 'localhost' and SSL certificate values 'cache'". I have set up an SSL/TLS configuration as simple as possible without any certificate files. I'm accessing my server via HTTPS with an unsigned certificate.
Can anyone point me in the right direction on how to resolve the issue I'm encountering?
I'm trying to save a list of AccessTokens for a specific user. This way I could present it together with other user data.
I have tried calling ##class(OAuth2.Server.AccessToken).OpenByCode(authCode) from %OAuth2.Server.Authenticate's AfterAuthenticate() method. This only returns things like State and AuthorizationCode, but the AccessToken is empty at this point (afterwards it becomes filled out).
Is there a way to achieve storing the AccessToken as part of the login system?
I am using OAuth2 Cache framework, acting as a client to an authorization server. My setup is based on this excellent previous post [Caché Open Authorization Framework (OAuth 2.0) implementation – part 1].
I'm facing ‘Authorization Server Error: Error Processing Response - No match between server name 'googleapis.com' and SSL certificate values google.com…’
It looks like I should set SSLCheckServerIdentity to false but I can’t figure out how. Has anyone had the same issue?
I have my server setup a resource server. When a user calls our API they submit a bearer token as authorization and in our dispatch class AccessCheck() we validate the JWT using ##class(%SYS.OAuth2.Validation).ValidateJWT().
If I include a scope to check in that method I get the error "Scope check may only be done on requesting client" and I'm not sure what this means. The method works without including the scope and will let me know if I have an unsigned token or an expired token.
I'm trying to sign some custom JWT with x.509 certs but running into a problem with the signed JWT containing some information I need in the JOSE header.
Is there a way to get the "X5C:[]" header included in the signed JWT? Is this as easy as setting something like the following
I am trying to work with Epic on FHIR. Epic's documentation states that your application makes an HTTP POST request to the authorization server's OAuth 2.0 token endpoint to obtain an access token.
Set tSC = ##class(%SYS.OAuth2.Authorization).GetAccessTokenClient(pClient,pScopes,.prop,.err) returns
ERROR #9761: No key in provided JWKS for alg ES512 and kid
I check this /csp/sys/oauth2/OAuth2.JWTServer.cls?client_name=medbank and I see this:
In .NET Core you have an option to extend a session using a "sliding expiration". This means that if over half the time has passed and the user actively uses their session then the expiry timer gets reset and the user remains logged in. This can lead to the curious situation where you have an active authenticated user with an expired access token being used in data-access requests.
Question for folks who have connected to an External FHIR repository outside of IRIS. Within the HS.FHIRServer.Interop.HTTPOperation there is not an option to include TLS or an OAuth authentication when connecting to an external Repository. So then how is that piece done if you need to Authenticate against an OAuth Server before you are able to access the data or call the Web Services/REST calls?
I have been tinkering with FHIR recently and tried to update the FHIR server's Capability Statement after I made some changes. I updated an OAuth2.Issuer Service Registry entry's URL and needed to update the metadata which the FHIR server sends to the client so they can get the updated URL for the authorization server we use.
This is a bit of an IRIS question but also an OAuth 2.0 question:
I am using %OAuth2.JWT.JWTToObject() to "validate" a JWT. My questions:
- While I am checking claims with the returned body, does the return status of the method "count" as a validation step? In other words, if I weren't checking claims and $$$OK was returned from that method call (passing in the token and public keys), I could feel confident that this token came from the expected auth server?
I'm trying to use JWT authentication on a REST application in IRIS. The login APIs are correctly "injected" into the application. Login works fine with Postman and other REST clients, and subsequent calls to my REST API using the bearer token work fine (correctly authenticated). So far, so good.