There are no specific interfaces for authentication. However, by taking advantage of the KefhirRequestFilter and KefhirResponseFilter filters, we can invent the simplest authentication ever:
@Singleton
public class BasicAuthenticator implements KefhirRequestFilter {
  @Override
  public Integer getOrder() {
    return 10;
  }

  @Override
  public void handleRequest(KefhirRequest request) {
    // the "metadata" path is let through without credentials
    if ("metadata".equals(request.getPath())) {
      return;
    }
    // constant on the left: a missing Authorization header must not throw a NullPointerException
    if ("Basic qwerty123".equals(request.getHeader("Authorization"))) {
      return;
    }
    throw new FhirException(401, IssueType.LOGIN, "not authenticated");
  }
}
Since authentication is usually a little more complicated, KeFHIR provides some support modules to assist.
By implementing the AuthenticationProvider interface, you can allow multiple authentication methods at once. If at least one AuthenticationProvider provides a User object, the user is considered authenticated.
implementation "com.kodality.kefhir:auth-core:${kefhirVersion}"
implementation "com.kodality.kefhir:auth-rest:${kefhirVersion}"
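public class BasicAuthenticator implements AuthenticationProvider {
  @Override
  public User autheticate(KefhirRequest request) {
    // constant on the left: a missing Authorization header must not throw a NullPointerException
    if ("Basic qwerty123".equals(request.getHeader("Authorization"))) {
      return new User();
    }
    // null means "not authenticated by this provider"
    return null;
  }
}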
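Both BasicAuthenticator snippets above compare the whole header with a fixed string. The helper below is an added example, not KeFHIR code, showing a stricter check that handleRequest or autheticate could call: it rejects missing or malformed headers, decodes the Basic credentials and compares them without stopping at the first differing byte. The class name BasicHeaderCheck, its matches method and the sample credentials are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added example (hypothetical helper, not part of KeFHIR).
public class BasicHeaderCheck {
  private final byte[] expectedUser;
  private final byte[] expectedPassword;

  public BasicHeaderCheck(String user, String password) {
    this.expectedUser = user.getBytes(StandardCharsets.UTF_8);
    this.expectedPassword = password.getBytes(StandardCharsets.UTF_8);
  }

  /** True only for a well-formed "Basic base64(user:password)" header with matching credentials. */
  public boolean matches(String header) {
    if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
      return false; // missing header or a different scheme
    }
    byte[] decoded;
    try {
      decoded = Base64.getDecoder().decode(header.substring(6).trim());
    } catch (IllegalArgumentException e) {
      return false; // payload is not valid base64
    }
    String pair = new String(decoded, StandardCharsets.UTF_8);
    int colon = pair.indexOf(':'); // split on the first colon; the password may contain ':'
    if (colon < 0) {
      return false;
    }
    byte[] user = pair.substring(0, colon).getBytes(StandardCharsets.UTF_8);
    byte[] password = pair.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
    // MessageDigest.isEqual does not return early on the first mismatching byte.
    // Both comparisons are evaluated before combining (non-short-circuit '&').
    boolean userOk = MessageDigest.isEqual(expectedUser, user);
    boolean passwordOk = MessageDigest.isEqual(expectedPassword, password);
    return userOk & passwordOk;
  }

  public static void main(String[] args) {
    // constructed sample credentials and headers
    BasicHeaderCheck check = new BasicHeaderCheck("fhir-client", "s3cret:with:colons");
    String good = "Basic " + Base64.getEncoder()
        .encodeToString("fhir-client:s3cret:with:colons".getBytes(StandardCharsets.UTF_8));
    for (String h : new String[] {good, null, "Bearer abc", "Basic not-base64!"}) {
      System.out.println(h + " -> " + check.matches(h));
    }
  }
}
```

In a real deployment the expected credentials would come from configuration or a user store rather than from source code.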
The authenticated user is set into the ClientIdentity service, which allows getting the currently logged-in user.
public class SomeServiceMaybe {
  @Inject
  private ClientIdentity clientIdentity;

  public void someMethod() {
    User currentUser = clientIdentity.get();
    // ...
  }
}
Using the features mentioned above, KeFHIR provides an OpenID auth implementation by implementing AuthenticationProvider. You are still allowed to add more implementations if needed.
The User will be populated with scopes and claims in this case.
work-in-progress
Currently in a proof-of-concept state, where simple token validation and scope extraction are done.
@build.gradle
implementation "com.kodality.kefhir:auth-openid:${kefhirVersion}"
@application.yml
oidc:
  url: http://oauth
KeFHIR provides a SMART on FHIR authorization implementation.
The User should be populated with scopes by the authenticator in this case.
work-in-progress
Scope-based resource access restriction is done, but the specification has changed since then.
@build.gradle
implementation "com.kodality.kefhir:auth-smart:${kefhirVersion}"