I would like to present one use case using this new feature to achieve SSO using OAuth2 with the new OAuth 2.0 Login module:
I have made sure to ship it with an extensive set of READMEs that in particular explain how this can be done with JBoss Keycloak and Google API. Not sure if the latter will ever be used in production, but the former can definitely be.
Perhaps one day we will have our demo and QA servers letting us in with OpenMRS ID, @cintiadr? I would be happy to help.
@angshuonline another use case would be for Bahmni to ship with Keycloak (or equivalent) and have SSO working across all its components.
This is still beta code and the module is awaiting a first release, I would like to invite all of you to test it and provide feedback.
Thanks to all who have made this possible, in particular:
This is awesome!
I am gonna look out for ways we can leverage this new authentication scheme into https://github.com/openmrs/openmrs-module-oauth2 which also uses UsernamePasswordAuthenticationScheme.
To test this I've been using the Bahmni Virtual Box (https://bahmni.atlassian.net/wiki/spaces/BAH/pages/14712841/Bahmni+Virtual+Box) on my Linux laptop, along with the Docker image of Keycloak. I'm now trying to figure out where to put the OpenMRS OAuth login module on the Bahmni Virtual Box. In reading the instructions found on GitHub (), I've not found the "path" to install these files. I read:
but I cannot find a directory that possesses the shown content:
I’m confused after staring at the following directories:
Cheers!
Also note that the README promises something that’s not yet implemented about the initial set of roles to give to users when they are being created (see here). Not a big deal to run the last mile though. However somehow we never had to prioritise it. I detailed it here already: GSoC 2020: Advancement of OAuth2 Module and Improvements in SMART OWA
Hello, everyone! Implemented this and it's working great for the login/logout process. However, I'm having a problem using REST APIs, where the response containing the login page of the IDP is returned instead of the intended result. So is there a way to bypass SSO dynamically, like a URL parameter or something?
That’s intentionally not allowed. If you have configured for the authentication to be delegated elsewhere, then it has to always be, otherwise this introduces obvious security loopholes.
Looks like the HTTP headers that you are showing us are not enough (or are incorrect) to authenticate the user with the identity provider. And that’s why it always redirects you to its login page.
What about those two cookies, where did you get them from? How did you come up with the actual request to make?
I would suggest looking through the app (so through the browser), when authenticated with the identity provider, at how a typical REST call looks. By "look" I mean looking at all the headers, all the cookies, etc.
Thanks, @mksd, for your reply! Are there any documents/posts on how to authenticate the OpenMRS user with the identity provider that I should look at? Because I only followed the HTTP call from this ; and it worked perfectly before I implemented the OAuth2 module.
Also, I was using Postman, so it generated a bunch of request headers which I assumed were not necessary to show. As for the 2 cookies, they are generated from the HTTP response.
Your question is identity provider specific, which one do you use?
The first question is: do you get everything running normally (forget about direct API calls for a sec) with your identity provider in place? That means:
some distro of OpenMRS with Core 2.2.1+;
with the OAuth 2 Login module;
with an appropriate oauth2.properties file set up for your identity provider in the OpenMRS app data directory.
If all this is done and working as expected, then you can go stalk on REST requests made by your browser to see what should be in there in terms of headers, cookies, token and so on.
For OpenMRS, you have mentioned “oauth2.properties file”.
I understand that Bahmni uses OpenMRS for authentication, but do we need a similar OAuth2 properties file for Bahmni? If so, where should this file for Bahmni be copied?
Hello everyone,
@mksd, could you please clarify if we can filter this path '/openmrs/ws/rest/v1/location'?
As far as I got, OAuth2 isn't required here.