OpenID Connect
Overview
Access to the DSF FHIR server REST API and user interface can be configured via access control roles. By default users are authenticated using X.509 client certificates, but authentication for local users via OAuth 2.0 OpenID Connect can also be enabled.
The DSF FHIR server supports Authorization Code Flow for the user interface as well as Bearer Token Authentication for the REST API. Back-Channel Logout is also supported.
FHIR Reverse Proxy
The DSF FHIR reverse proxy requires client certificates by default. To use OpenID Connect authentication the configuration parameter SSL_VERIFY_CLIENT needs to be set to optional
.
Authorization Code Flow
To enable authentication via OpenID Connect authorization code flow, set the configuration parameter DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW to true
and specify the following parameters:
- DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL
- DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID
- DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET
Optionally, back channel logout can be enabled by setting DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT to true
. The DSF FHIR server accepts logout tokens at DEV_DSF_FHIR_SERVER_BASE_URL + /back-channel-logout
. The path can be modified via DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT_PATH.
Bearer Token Authentication
To enable bearer token authentication, set the configuration parameter DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN to true
and specify the following parameter:
Additional ODIC Configuration Parameter
A number of additional DEV_DSF_SERVER_AUTH_OIDC ...
configuration parameter are specify on the DSF FHIR server configuration parameter page.
For example the configuration parameter DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS can be used to specify a PEM encoded file with trusted root certificates to be used when accessing the OpenID Connect provider. If not specify the JVM default trusted root certificates are used for this connection.
Example
services:
app:
image: ghcr.io/datasharingframework/fhir:1.3.0
# ...
secrets:
- keycloak_root_ca.pem
# ...
environment:
# ...
DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW: 'true'
DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT: 'true'
DEV_DSF_SERVER_AUTH_OIDC_BEARER_TOKEN: 'true'
DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL: https://keycloak.test.org/realms/dsf
DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_CLIENT_TRUST_SERVER_CERTIFICATE_CAS: /run/secrets/keycloak_root_ca.pem
DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID: dsf-fhir
DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET: n9bCMtjugv3Y_.szktXyQ2RH5se+J%o3
# ...
secrets:
keycloak_root_ca.pem:
file: ./secrets/keycloak_root_ca.pem