GSoC 2017 - FHIR OAuth Smart Apps Integration and OAuth module enhancements

Hi, I am starting this thread for all questions regarding this project. I have the following questions

  1. The migration involves the code to be compatible with Spring.Security.4.2.2.RELEASE ?
  2. The SMART apps integration will involve use of REST APIs and we need to implement this using HAPI right?

That’s all on my mind right now. I have already gone through the OAuth2 specifications and all the work done on the project. Also, I have watched @maany's video for his presentations. Talking about OpenMRS development, I have earned the Smart Dev Badge and have had 6 PRs merged.

This project is really interesting and I am ready to give it the best of my efforts :slight_smile:


We already have REST APIs implemented in the REST Module and the FHIR Module. It looks like the FHIR Module already uses HAPI, but I know the REST Module uses a custom implementation.

I will add these links to the project page, but it’s also worth reading the SMART Health IT docs, especially the authorization guide.

@maany @harsha89 @surangak Is the scope of this project to support OAuth for all our REST resources as well as support SMART on FHIR? If so, I recommend narrowing the focus to one or the other.


@pascal agreed with you, the scope of the project is a bit wider, hence for the moment we can skip the SMART application integration. We may include the SMART application integration as an additional task where the student can work on it if there’s time left. @maany hope you will agree with me.


I agree @pascal. From a student’s perspective, I think it looked a bit scary. If we narrow down the scope to implementing OAuth for REST resources it seems doable. Let’s see what project mentor @maany thinks :slight_smile:


Yup. We’ll also have to ensure that the code is Java8 compatible and that it works with the latest Platform release :slight_smile: I have updated the wiki to include resources about migrating the module to Platform 2.x and Spring 4.x

As @pascal stated, the FHIR Module implements the HAPI server. So once the OAuth2 module has been upgraded and polished, the backend required by the SMART app is complete from the OpenMRS perspective. We can then focus on using the SMART API to implement a basic app and demonstrate SMART - OAuth2 - FHIR interactions. It would be a great code example for our FHIR team to refer to as they start building SMART apps!

Ahh sorry about that! The primary objective is to upgrade the module. I have specified some details in the wiki on how to go about it. Hopefully, if there are no major bugs/issues during the migration, we would have enough time to pursue the SMART app objective.

As discussed, OAuth2 has been implemented during GSoC 2015, so we have all the grant types. Currently the module only protects FHIR resources but that can be easily extended to other modules with a few lines of code :

The scope of the project for this year’s GSoC is:

  1. Upgrade the module to work with the latest OpenMRS Platform and RefApp (top priority)
  2. Demonstrate the SMART - OAuth2 - FHIR use case (If time permits, we should be able to get started with this. If we get 1. right, this is fairly easy to do.)

If there’s still time left, although the chances are less, we could go ahead and pursue some other use cases of the OAuth2 module as mentioned in the Wiki :smiley:

That’s great man! Keep up the awesome work :slight_smile:


Hey @maany, I went through the changes on the project wiki and I gotta say the project became very interesting. I can’t wait to start brainstorming on the project and I hope to get you a rough proposal within a couple of days. Thanks :slight_smile:

Hey @maany, the wiki page mentions “You will need to contact the administrator of OpenMRS installation to give you credentials to login as a client developer” here. If we want to register a new client developer using a REST call, how can we make sure that the admin approves of this? This thing has been bugging me for a while now :sweat_smile:

Or we just make sure that the person making the REST call is an already registered user and give him/her the Client Developer rights?

Hey @mavrk

We are proceeding with the latter. As I explained, it is similar to how Facebook handles app developers. The main idea is that anyone with client developer privileges can create and manage their OAuth2 clients.

So a user can become a client developer via two possible flows. He can either request a client developer account from the OpenMRS implementation admin (when they register as a user for that implementation) or make a REST call and get those privileges after registering as a regular user. This removes the admin’s involvement from the process of curating app developers (like fb does). The admin can always manage the privileges through existing features of the OpenMRS webapp.

I hope this clarifies the current stand. You can use this explanation to draft the REST call in your proposal. If the community thinks otherwise, we can change the flow as we approach development of the module.

Also, if anything is still not clear, let me know. I am around today and can do a Skype call.

Thanks @maany if there’s anything else I’ll let you know :slight_smile:

Hi @maany, Here’s a draft proposal, please have a look and send me your suggestions

Hey @mavrk Great work!! The proposal looks good. You can make a draft submission. I see you still have a day, if you get time, feel free to dig into the details about project implementation and update the relevant parts. For instance, if you look into OpenMRS Roles and Permissions, you can get an idea about how to introduce those in the OAuth2 module. Also, it would be great if you could re-organize the proposal to include all the questions and corresponding answers mentioned in the wiki here :

Thanks @maany I am making those changes right away

I have made those changes and submitted a draft proposal. I am looking into Roles and Permissions for OAuth Module.

@mavrk Please re-organize the final section of your proposal as follows:

Q1) Who are you and what are you studying?
Answer goes here

Q2) Why are you the right person for this task?
Answer goes here

Q3) Describe in detail your software development experience by various technologies. Include all technologies you have used for development projects.
Answer goes here

And so on… for all the questions requested in

I see your answers are scattered over the document. Please understand that scrolling up and down the proposal to find these answers is not very convenient and therefore, it would be great to have them put in an organized manner (as stated above) after your timeline :slight_smile: Also, make sure you submit the final proposal before the deadline today. Good Luck!!

Hi @maany, I submitted the project proposal. What’s next?

Hi @mavrk. It would be awesome to continue contributing to issues and getting more familiar with the community while the evaluations are underway. Also check out the Daily IRC Scrum meetings. They provide a good platform to communicate what you’re doing with the developers and get help where you face blockers. Feel free to dig around the oauth2 project source code as well :slight_smile: Had a couple of really busy days, sorry I could not get back sooner.