OAuth2 Single Sign-On (SSO) with the new OAuth 2.0 Login module

Dear all,

Since the resolution of TRUNK-381 it is possible to Spring-wire custom authentication schemes to OpenMRS Core, thereby overriding the default UsernamePasswordAuthenticationScheme.

I would like to present one use case using this new feature to achieve SSO using OAuth2 with the new OAuth 2.0 Login module:

I have made sure to ship it with an extensive set of READMEs that in particular explain how this can be done with JBoss Keycloak and Google API. Not sure if the latter will ever be used in production, but the former can definitely be.

Perhaps one day will we have our demo and QA servers letting us in with OpenMRS ID :slight_smile: , @cintiadr? I would be happy to help.

@angshuonline another use case would be for Bahmni to ship with Keycloak (or equivalent) and have SSO working across all its components.

This is still beta code and the module is awaiting a first release, I would like to invite all of you to test it and provide feedback.

Thanks to all who have made this possible, in particular:

  • @amine for the scouting and pioneering work.
  • @lilian for the usual insight and directions.
  • @dkayiwa for challenging our approach to TRUNK-381 and getting things merged in.

Cc: @bdr @sunbiz @dev2 @dev3 @dev4 @dev5


This is awesome! I am gonna look out for ways we can leverage this new authentication scheme into https://github.com/openmrs/openmrs-module-oauth2 which also uses UsernamePasswordAuthenticationScheme.

well … I’ve been poking around and scratching my head while staring at https://github.com/openmrs/openmrs-module-oauth2login.

To test this I've been using the Bahmni Virtual Box (https://bahmni.atlassian.net/wiki/spaces/BAH/pages/14712841/Bahmni+Virtual+Box) on my Linux laptop, along with the docker image of Keycloak. I'm now trying to figure out where to put the OpenMRS OAuth login module on the Bahmni Virtual Box. In reading the instructions found on github (), I’ve not found the “path” to install these files. I read: but I cannot find a directory that possesses the shown content: I’m confused after staring at the following directories:

Cheers!


Inside the box, that’d be in /opt/openmrs/modules.

Are you looking at enabling SSO within Bahmni?

Thanks!

I am looking at enabling SSO within Bahmni, using Google as the primary authentication source/provider. I’ll let you know how this proceeds as it is now my primary focus.

Great, everything should be fine with the EMR part, but I’ll be curious to know your findings.

Odoo “should” be configurable to delegate authentication to a OAuth2 provider, but there’s some research to be done.

But then you’ll most likely hit a wall with OpenELIS, but let’s see when you get there.

Hallo,

Is there anyone in the community currently using this module on any OpenMRS version 2.X and does it work?

Hi @hngondoki, yes we do, on a large-scale OpenMRS enterprise integration, against Core 2.3.x.

Noted. Thanks

@hngondoki what’s your use case?

Also note that the README promises something that’s not yet implemented about the initial set of roles to give to users when they are being created (see here). Not a big deal to run the last mile though. However somehow we never had to prioritise it. I detailed it here already: GSoC 2020: Advancement of OAuth2 Module and Improvements in SMART OWA

Hello, everyone! Implemented this and it’s working great for the login/logout process. However, I’m having a problem using Rest APIs where the response containing the login page of the IDP is returned instead of the intended result. So is there a way to bypass SSO dynamically like a url parameter or something?

Hi @ssovichhay,

That’s intentionally not allowed. If you have configured for the authentication to be delegated elsewhere, then it has to always be, otherwise this introduces obvious security loopholes.

Looks like the HTTP headers that you are showing us are not enough (or are incorrect) to authenticate the user with the identity provider. And that’s why it always redirects you to its login page.

What about those two cookies, where did you get them from? How did you come up with the actual request to make?

I would suggest to look through the app (so through the browser), when authenticated with the identity provider, how a typical REST call looks like. By “look like” I mean looking at all the headers, all the cookies… etc.

Thanks, @mksd for your reply! Are there any documents/posts on how to authenticate the OpenMRS user with the identity provider I should look at? because I only followed the HTTP call from this ; and it worked perfectly before I implemented the OAUTH2 module.

Also, I was using Postman. So it generated a bunch of request headers which I assumed are not necessary to show. As for the 2 cookies, they are generated from the http response.

Your question is identity provider specific, which one do you use?

The first question is: do you get everything running normally (forget about direct API calls for a sec) with your identity provider in place? That means:

  • some distro of OpenMRS with Core 2.2.1+;
  • with the OAuth 2 Login module;
  • with an appropriate oauth2.properties file set up for your identity provider in the OpenMRS app data directory.

If all this is done and working as expected, then you can go stalk on REST requests made by your browser to see what should be in there in terms of headers, cookies, token and so on.

Will the same work for Bahmni login or do we need to create a separate file for Bahmni login?

@ramashish what do you mean by separate file?

For OpenMRS, you have mentioned “oauth2.properties file”. I understand that Bahmni uses OpenMRS for authentication, but do we need a similar OAuth2 properties file for Bahmni? If so, where should this file for Bahmni be copied?

Ah, just in the same way as you would do for any other distribution of OpenMRS (as explained here) :point_right:


The module consumes a configuration file oauth2.properties that must be dropped in the OpenMRS app data directory:

.
├── modules/
├── openmrs.war
├── openmrs-runtime.properties
├── ...
└── oauth2.properties

Hello everyone, @mksd, could you please clarify if we can filter this path ‘/openmrs/ws/rest/v1/location’? As far as I got, oauth2 isn’t required here.

@mksd , we need to put some extra part to Bahmni login page in order to be able to login via oauth2 module, don’t we?