Future steps for OAuth and OpenMRS

Hi everyone,

With all the great work on OAuth that @maany and @harsha89 did for us this summer, i’d like to discuss where we want to position this. Of course, OAuth is a big thing, and a lot of people could potentially benefit from it, even though the implementer community doesn’t have a specific ask just yet. I want to figure out how to make sure that OAuth is widely disseminated, and used.

(a) Should OAuth become part of the platform release? (b) Given that security is crazy important, should we have an ‘external’ security expert evaluate what we did?


It can’t hurt really :slight_smile: – We are dealing with medical records here…so security is important as ■■■■!

You might want to reach out to @skoussa for ideas on how this could be done (he discussed security on the 2014-12-04 Developers Forum).



To me, OAuth feels like important-but-optional functionality. I think that we should not include this in the default download for either the platform or reference application (as you say, the implementer community doesn’t have a specific ask yet) but that we should ensure that it is well-tested and maintained alongside each release.

(I don’t know if we need to formalize this concept, but basically it’s analogous to the XForms module, which is not included in the reference application, but is obviously important and well-supported.)


It seems that there is value is having an ‘external’ party check out our work, and validate its usability. As Burke mentioned, I wonder if @skoussa has any opinions on how to do this? :smile:

Would love to help guys. How big is the OAuth module? as far as number of lines of code?

1 Like

@skoussa, this would be great! The module itself is not too large… @maany built it, and it currently working on moving the repo under OpenMRS. @maany, can you help Sherif with looking into the module?

This is it, right?

Yeah @michael. The latest code is on a different branch though. Here : https://github.com/maany/openmrs-module-oauth2-prototype/tree/oauth2-openmrs-1.11.x :slight_smile:

1 Like

Hi @skoussa @surangak The module is about 7000 lines of code currently. It is based on Spring Security and Spring Security OAuth2 projects and strictly adheres to OAuth2 specifications. I would love to give you a code walk-through if that’s helpful:) . I’m currently travelling to New York and I’ll direct you to the documentation once there. :slight_smile:

Did anyone/@maany working on the Supporting multiple authentication scheme ticket as part of this?

@sunbiz I haven’t worked on this yet as I am using Spring Security for implementing OAuth2 as an authentication scheme. I am connecting spring security to openmrs users table as follows:

1 Like

Sorry I was missed this discussion.

I agree with the @darius. We should let implementers to try out this and eventually integrate the OAuth support for our APIs in future. We should have some solid documentation on explaining setting up this functionality.

@maany were you able to complete the documentation.