Can I install OAuth2 Module (once customised with XML) on the Reference Application 2.11?

Hi all,

We would like to get the FHIR2 module running in the latest (v2.11, March 2021) Reference Application, and use it in the context of SMART on FHIR with OAuth2. We will be making FHIR calls from another Java/JavaScript application to extract data from OpenMRS using the "Clinician" role.

We have found the instructions on building a version of OAuth2 here: OAuth2 Module - for Module Developers - Projects - OpenMRS Wiki, using Maven and an edited version of the XML config.

Does the Spring installation in the Reference Application support this OAuth2 module without any further modification (dependent modules, security parameters, etc)?

We are also confused about the XML attributes: <security:intercept-url pattern="<resource_uri>" access="hasAnyRole('ROLE_USER','ROLE_CLIENT')"/>

We can’t find any documentation on the ROLEs on the Wiki. If we have defined a “Clinician” role which extends “Practitioner” role, and has correct access privileges, which ROLE value should this be placed in? Both?

Any advice would be appreciated.

Thanks, …|<

My best guess would be yes. The real factor here is the version of the OpenMRS Platform you’re running on, but 2.0 - 2.3 should (most likely) work. That said, it may not work on versions of the platform from 2.4 on. This is in part because of a major upgrade in Spring version (to Spring 5) and in part because the core library that that module depends on (Spring OAuth) has been deprecated and is no longer actively maintained.

Here’s where things get a little weird. The OAuth2 module uses Spring Security to provide the OAuth functionality, etc., but OpenMRS doesn’t. So there’s no correspondence between the ROLE_USER or ROLE_CLIENT (which are Spring Security roles) and OpenMRS roles. (The ROLE_USER is issued to any authenticating user as is, apparently, ROLE_ADMIN, see here; ROLE_CLIENT is just a role assigned to OAuth2 clients — in this case the SMART Apps registered with the server).

I can’t fully recommend using that module. I believe it works, but I’m unaware of anyone actually using it in production and it may be lacking in functionality or expected security properties, etc. (In addition to the other code I pointed to, this is concerning).
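
An added example (not from the thread and not the OAuth2 module's own code): a Python check that reads a Spring Security XML config and reports role names in intercept-url access expressions that no issued authority can satisfy, which is what happens when an OpenMRS role such as "Clinician" is placed there. The issued set is an assumption taken from the reply above; the sample config, its URL patterns and the Clinician entries are constructed, and multiple role calls in one expression are treated as alternatives.

```python
import re
import xml.etree.ElementTree as ET

# Spring Security namespace behind the <security:...> prefix.
SEC_NS = "http://www.springframework.org/schema/security"

# Assumption, from the reply above: the module only issues these Spring
# Security authorities; none of them is derived from an OpenMRS role.
ISSUED_AUTHORITIES = {"ROLE_USER", "ROLE_ADMIN", "ROLE_CLIENT"}

# Constructed sample config: patterns and 'Clinician' entries are made up.
SAMPLE_XML = f"""<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="{SEC_NS}">
  <security:http>
    <security:intercept-url pattern="/example/a/**"
        access="hasAnyRole('ROLE_USER','ROLE_CLIENT')"/>
    <security:intercept-url pattern="/example/b/**"
        access="hasAnyRole('ROLE_CLIENT','Clinician')"/>
    <security:intercept-url pattern="/example/c/**"
        access="hasRole('Clinician')"/>
  </security:http>
</beans>"""

ROLE_CALL = re.compile(r"has(?:Any)?Role\(([^)]*)\)")


def audit(xml_text, issued=ISSUED_AUTHORITIES):
    """Return (pattern, reachable, dead_roles) for every intercept-url rule."""
    findings = []
    root = ET.fromstring(xml_text)
    for rule in root.iter(f"{{{SEC_NS}}}intercept-url"):
        roles = []
        for args in ROLE_CALL.findall(rule.get("access", "")):
            roles += re.findall(r"['\"]([^'\"]+)['\"]", args)
        # hasRole() adds the ROLE_ prefix in Spring Security 4 and later,
        # so a name counts as issued in either its raw or prefixed form.
        dead = [r for r in roles if not ({r, "ROLE_" + r} & issued)]
        # Reachable if the rule names no roles or at least one can match.
        reachable = not roles or len(dead) < len(roles)
        findings.append((rule.get("pattern"), reachable, dead))
    return findings


if __name__ == "__main__":
    for pattern, reachable, dead in audit(SAMPLE_XML):
        status = "ok" if reachable and not dead else "check"
        print(f"{status:5} {pattern}  unmatched roles: {dead or '-'}")
```
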

FWIW: OA Jira project to group OAuth 2 and OAuth 2 Login

Thanks very much @ibacher and @dkayiwa.

I’m guessing that Daniel (whose name is on the release) would have commented if the Reference Application 2.11 was based on OpenMRS 2.4 (using Spring5)? My understanding is that it is based on “OpenMRS 2.x” (where x < 4). But please correct me if I’m wrong.

Looks like the Jira chat indicates that we should try the “OAuth2 Login” part of the project, rather than the “OAuth2”… thanks for pointing that out Daniel. The chat also indicates that there will be a separate Repo for the “OAuth2 Login” part soon as well. We’ll keep an eye out.

In the medium term, we don’t explicitly need SMART on FHIR (OAuth2-based authorisation), we just want to check that FHIR can be used for integration with our Care Platform. We already have vanilla REST working from there to make queries on OpenMRS… but would like to ensure that we can use FHIR resources returned via REST as well. We’ll need to design a specific security stack when deployed to a customer anyway…

best regards, …|<

The repo already exists: GitHub - openmrs/openmrs-module-oauth2login: Delegates user authentication to an OAuth 2.0 authentication provider.

I think he mentioned platform 2.4 not to mean that it is the one you are running, but rather to give you broader information that the real determinant factor is the underlying platform version that powers the reference application. That is why he started with: My best guess would be yes. :slight_smile: