
OpenID Connect

DSF-Team

Overview

Access to the DSF FHIR server REST API and user interface can be configured via access control roles. By default users are only authenticated using X.509 client certificates, but authentication for local users via OAuth 2.0 OpenID Connect can also be enabled.

The DSF FHIR server supports Authorization Code Flow for the user interface as well as Bearer Token Authentication for the REST API. Back-Channel Logout is also supported.

FHIR Reverse Proxy

The DSF FHIR reverse proxy requires client certificates by default. To use OpenID Connect authentication the configuration parameter SSL_VERIFY_CLIENT needs to be set to optional.

Authorization Code Flow

To enable authentication via OpenID Connect authorization code flow, set the configuration parameter DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW to true and specify the following parameters:

Optionally, back channel logout can be enabled by setting DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT to true. The DSF FHIR server accepts logout tokens at DEV_DSF_FHIR_SERVER_BASE_URL + /back-channel-logout. The path can be modified via DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT_PATH.

Bearer Token Authentication

To enable bearer token authentication, set the configuration parameter DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN to true and specify the following parameter:

Additional OIDC Configuration Parameters

A number of additional DEV_DSF_SERVER_AUTH_OIDC ... configuration parameters are specified on the DSF FHIR server configuration parameter page.

For example, the configuration parameter DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS can be used to specify a PEM encoded file with trusted root certificates to be used when accessing the OpenID Connect provider. If not specified, the JVM default trusted root certificates are used for this connection.

Example

services:
  app:
    image: ghcr.io/datasharingframework/fhir:1.5.1
    # ...
    secrets:
      - keycloak_root_ca.pem
      # ...
    environment:
      # ...
      DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW: 'true'
      DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT: 'true'
      DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN: 'true'
      DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL: https://keycloak.test.org/realms/dsf
      DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS: /run/secrets/keycloak_root_ca.pem
      DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID: dsf-fhir
      DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET: n9bCMtjugv3Y_.szktXyQ2RH5se+J%o3
    # ...
secrets:
  keycloak_root_ca.pem:
    file: ./secrets/keycloak_root_ca.pem
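The following pre-deployment check is an added example, not DSF project code. It takes the environment of the FHIR server and of its reverse proxy (the proxy service, its SSL_VERIFY_CLIENT variable name and the FHIR base URL value are assumptions mirroring the configuration described above), reports settings that would break or weaken the OpenID Connect setup, and derives the URL at which the server will accept back-channel logout tokens. Treating CLIENT_ID and CLIENT_SECRET as mandatory for the authorization code flow is an assumption.

```python
from urllib.parse import urlparse

OIDC = "DEV_DSF_SERVER_AUTH_OIDC_"

# Constructed sample environment, mirroring the page's compose example.
# The proxy env and the FHIR base URL value are assumptions.
PROXY_ENV = {"SSL_VERIFY_CLIENT": "optional"}
APP_ENV = {
    "DEV_DSF_FHIR_SERVER_BASE_URL": "https://fhir.test.org/fhir",
    OIDC + "AUTHORIZATION_CODE_FLOW": "true",
    OIDC + "BACK_CHANNEL_LOGOUT": "true",
    OIDC + "BEARER_TOKEN": "true",
    OIDC + "PROVIDER_REALM_BASE_URL": "https://keycloak.test.org/realms/dsf",
    OIDC + "PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS": "/run/secrets/keycloak_root_ca.pem",
    OIDC + "CLIENT_ID": "dsf-fhir",
    OIDC + "CLIENT_SECRET": "n9bCMtjugv3Y_.szktXyQ2RH5se+J%o3",
}

def enabled(env, key):
    return env.get(OIDC + key, "false").lower() == "true"

def oidc_findings(proxy_env, app_env):
    """Return a list of misconfigurations; empty means the OIDC setup is consistent."""
    findings = []
    code_flow = enabled(app_env, "AUTHORIZATION_CODE_FLOW")
    bearer = enabled(app_env, "BEARER_TOKEN")
    if not (code_flow or bearer):
        return findings  # OIDC off: client certificates only, nothing to check
    # The reverse proxy must stop demanding a client certificate but keep accepting one.
    if proxy_env.get("SSL_VERIFY_CLIENT") != "optional":
        findings.append("reverse proxy: SSL_VERIFY_CLIENT must be 'optional' when OIDC is enabled")
    realm = app_env.get(OIDC + "PROVIDER_REALM_BASE_URL", "")
    if urlparse(realm).scheme != "https":
        findings.append("PROVIDER_REALM_BASE_URL missing or not https (tokens would travel in clear)")
    if code_flow:  # assumption: the code flow needs the client credentials
        for key in ("CLIENT_ID", "CLIENT_SECRET"):
            if not app_env.get(OIDC + key):
                findings.append(f"{key} required for the authorization code flow")
    return findings

def back_channel_logout_url(app_env):
    """Where the FHIR server accepts logout tokens: BASE_URL + path (default /back-channel-logout)."""
    if not enabled(app_env, "BACK_CHANNEL_LOGOUT"):
        return None
    base = app_env["DEV_DSF_FHIR_SERVER_BASE_URL"].rstrip("/")
    return base + app_env.get(OIDC + "BACK_CHANNEL_LOGOUT_PATH", "/back-channel-logout")

if __name__ == "__main__":
    for line in oidc_findings(PROXY_ENV, APP_ENV) or ["ok"]:
        print(line)
    print("logout token endpoint:", back_channel_logout_url(APP_ENV))
```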