Future steps for OAuth and OpenMRS

surangak · August 25, 2015, 8:17pm

Hi everyone,

With all the great work on OAuth that @maany and @harsha89 did for us this summer, i’d like to discuss where we want to position this. Of course, OAuth is a big thing, and a lot of people could potentially benefit from it, even though the implementer community doesn’t have a specific ask just yet. I want to figure out how to make sure that OAuth is widely disseminated, and used.

(a) Should OAuth become part of the platform release? (b) Given that security is crazy important, should we have an ‘external’ security expert evaluate what we did?

r0bby · August 25, 2015, 11:27pm

Yes!

It can’t hurt really – We are dealing with medical records here…so security is important as ■■■■!

burke · August 26, 2015, 4:22am

You might want to reach out to @skoussa for ideas on how this could be done (he discussed security on the 2014-12-04 Developers Forum).

-Burke

darius · August 26, 2015, 2:30pm

To me, OAuth feels like important-but-optional functionality. I think that we should not include this in the default download for either the platform or reference application (as you say, the implementer community doesn’t have a specific ask yet) but that we should ensure that it is well-tested and maintained alongside each release.

(I don’t know if we need to formalize this concept, but basically it’s analogous to the XForms module, which is not included in the reference application, but is obviously important and well-supported.)

surangak · August 26, 2015, 2:45pm

It seems that there is value is having an ‘external’ party check out our work, and validate its usability. As Burke mentioned, I wonder if @skoussa has any opinions on how to do this?

skoussa · August 28, 2015, 2:04am

Would love to help guys. How big is the OAuth module? as far as number of lines of code?

surangak · August 28, 2015, 3:48pm

@skoussa, this would be great! The module itself is not too large… @maany built it, and it currently working on moving the repo under OpenMRS. @maany, can you help Sherif with looking into the module?

michael · August 28, 2015, 5:40pm

This is it, right?

maany · August 28, 2015, 9:33pm

Yeah @michael. The latest code is on a different branch though. Here : https://github.com/maany/openmrs-module-oauth2-prototype/tree/oauth2-openmrs-1.11.x

maany · August 28, 2015, 10:05pm

Hi @skoussa @surangak The module is about 7000 lines of code currently. It is based on Spring Security and Spring Security OAuth2 projects and strictly adheres to OAuth2 specifications. I would love to give you a code walk-through if that’s helpful:) . I’m currently travelling to New York and I’ll direct you to the documentation once there.

sunbiz · August 31, 2015, 1:31am

Did anyone/@maany working on the Supporting multiple authentication scheme ticket as part of this?

maany · August 31, 2015, 11:11pm

@sunbiz I haven’t worked on this yet as I am using Spring Security for implementing OAuth2 as an authentication scheme. I am connecting spring security to openmrs users table as follows:

github.com

maany/openmrs-module-oauth2/blob/oauth2-openmrs-1.11.x/api/src/main/java/org/openmrs/module/oauth2/api/impl/UserAuthenticationServiceImpl.java

package org.openmrs.module.oauth2.api.impl;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.openmrs.User;
import org.openmrs.api.context.Context;
import org.openmrs.api.db.LoginCredential;
import org.openmrs.api.db.UserDAO;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

import java.util.ArrayList;
import java.util.List;

This file has been truncated. show original

harsha89 · September 8, 2015, 11:36am

Sorry I was missed this discussion.

I agree with the @darius. We should let implementers to try out this and eventually integrate the OAuth support for our APIs in future. We should have some solid documentation on explaining setting up this functionality.

@maany were you able to complete the documentation.