OAuth2 Support for Web Services APIs: GSoC 2015

Hi All,

I’m mentoring for this project during this summer of code. I though of starting a discussion on this topic as it would be beneficial for all the students who are interested in this project. Guidelines in [1] would be definitely helpful for to create a successful project proposal for the project.

Following guidelines will initially helpful for you.

Fix some intro tickets of OpenMRS trunk which definitely helpful for you to understand the core technologies used in the OpenMRS core.

You can go through the FHIR module and the web services modules where we expose our data through set of standard REST APIs.

Having overall knowledge on OAuth2 will be definitely helpful for you to create a successful application. Many of the resources are listed in the project page[2].

Please let me know any doubts and clarifications on this project through this discussion or you can reach me through harsz89■■■■■■■■■■

[1] - https://wiki.openmrs.org/display/RES/Summer+Of+Code+2015 [2] - https://wiki.openmrs.org/display/projects/Implement+the+OAuth2+Support+for+Web+Services+APIs

Thanks, Harsha

Hi Harsha,

I’m wondering whether yourself or others have discussed using “OpenID Connect” (which builds on OAuth2) for this proposal?

OIDC provides a standard profile of OAuth2 for compatibility & interop, that includes identity (IdM) and authentication (authN). Whereas OAuth2 by itself is really a framework for constructing authorisation protocols only. OAuth2 leaves many important implementation choices open, which can often be too open.

The authZ features that OAuth2 by itself offers ‘out of the box’ are very limited. OpenID Connect, however allows not only strong, trust-able assertions (e.g. user ‘x’ was authenticated at location ‘y’, has role ‘z’, has had her ID card vetted, has a verified email address & logged on with 2FA authentication), but also supports addition of more advanced authorisation protocols like User Managed Access (which can address patient/delegated consent & institutional/provider data sharing scenarios among others).

One of the primary advantages of OIDC, is that it would allow integration of external SSO providers too, either institutional (like an MS AD server or workstation login), national (see NSTIC), or even cloud providers for patients if they consent. OIDC is also well supported on mobile devices & native apps (stored tokens, etc.)

If you haven’t already, I’d recommend taking a look at using a good existing open source OIDC implementation, such as MitreID Connect. It’s well featured and built on top of Spring Security (so still nice and pluggable). It will also support UMA in future (it’s in development).

Because security protocols are so unforgiving, for something as sensitive as patient data, I think it would be better to use a proven solution (from a team with strong existing expertise). It would be good to take a look whether it’s suitable. Something existing that works and can be integrated/adapted for use would allow efforts to be focused on even better features.

Note, there’s a group working to standardise how OAuth2, OpenID Connect, UMA, FHIR, etc. can be used in healthcare in interoperable ways too: http://openid.net/wg/heart/charter/. Josh Mandel is a member and already working with OpenMRS (e.g. on FHIR integration of SMART apps etc) so may be able to advise further.

@harsha89 , I submitted a proposal to melange on this project . You can view it on my personal space as well. https://wiki.openmrs.org/display/~sashrika/Implement+the+OAuth2+Support+for+Web+Services+APIs

would like to hear comments and feedback from the community.

Thanks!