Set up an Identity Provider
About Identity Providers and Firely Server
In order to use Access Control and SMART on FHIR, you need an Identity Provider that issues OAuth2 access tokens (JWTs) with claims that conform to SMART on FHIR. In a production scenario you typically already have such a provider: the EHR system, Active Directory, or a provider set up specifically for, say, a patient portal. It is also quite possible that the provider issuing the claims delegates the actual authentication to a federated OAuth2 provider.
An Identity Provider for testing
To allow you to test Access control and SMART, we provide you with instructions to build and run an Identity Provider in which you can configure the necessary clients, claims and users yourself to test different scenarios. The instructions are based on the excellent IdentityServer4 project on GitHub by Dominick Baier and Brock Allen.
By default, the configuration is such that you can test many different cases. If you wish to adjust the configuration, that will require a bit of programming.
The Identity Provider is built on Microsoft .NET Core, so like Firely Server itself it should run cross-platform. We have not verified this, however.
Note
The project below is provided for your convenience. It comes with no warranty and is not supported by Firely.
In order to get tokens from the Identity Provider you need an HTTP client. We included instructions on Access Control Tokens with Postman.
Instructions
Clone the project Vonk.IdentityServer.Test from GitHub
Run the PowerShell script .\scripts\GenerateSSLCertificate.ps1
This will generate a self-signed SSL certificate in .\Vonk.IdentityServer.Test\ssl_cert.pfx with the password 'cert-password'. This password is preconfigured in Program.cs. The certificate and its fixed password are only suitable for local testing.
Open the solution Vonk.IdentityServer.Test.sln in Visual Studio
Build the solution
Run the Vonk.IdentityServer.Test project
Visual Studio should automatically open http://localhost:5100 in your browser.
You should see a page like this.
Also try https://localhost:5101 for the https connection. Your browser will ask you to make a security exception for the self-signed certificate.
Get the OpenID Connect configuration at http://localhost:5100/.well-known/openid-configuration. The scopes_supported entry of this document lists all the available scopes, and the document also tells you the token endpoint and the jwks_uri where the signing keys are published.
Configuration
The Identity Server is preconfigured with two users and one client:
Client
- ClientId: Postman
- Secret: secret
- Redirect Uri
This client is allowed to request any of the available scopes.
It is called Postman, since many users use the Postman REST client to test FHIR servers. If you use another client, you can still use Postman as the ClientId, or alter the values in Config.cs.
Users
Alice
- UserName: Alice
- Password: password
- Launch context: patient=alice-identifier
Bob
- UserName: Bob
- Password: password
- Launch context: patient=bob-identifier
You can add or alter users in Config.cs. The fixed passwords and the client secret are fine for a local test, but must never be carried over to a provider that issues tokens for real data.
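Two things above deserve a worked check: the discovery document fetched at the end of the instructions, and the claims the configured users end up with (their scopes and the patient launch context). The following Python script is an added example, not code from the Vonk.IdentityServer.Test project or from Firely. It embeds a constructed discovery document, mints a token carrying the scope and patient claims, and then validates that token the way a resource server must before honouring any claim. Assumptions: the audience name vonk, the claim names scope and patient, and an HS256 shared secret to keep the sample offline; the real IdentityServer4 signs with RS256 and publishes its public key at the jwks_uri, so a real verifier fetches that key instead of using a shared secret.

```python
"""Added example (not from the Vonk.IdentityServer.Test project): check an
OpenID discovery document and validate a SMART on FHIR access token the way
a resource server must before honouring its claims.  Runs offline: the
discovery document is a constructed sample and the token is signed with HS256
and a local secret, where the real IdentityServer4 uses RS256 and jwks_uri."""
import base64
import hashlib
import hmac
import json
import time

# Constructed sample of the fields served at
# http://localhost:5100/.well-known/openid-configuration (values assumed).
DISCOVERY_DOC = {
    "issuer": "http://localhost:5100",
    "token_endpoint": "http://localhost:5100/connect/token",
    "jwks_uri": "http://localhost:5100/.well-known/openid-configuration/jwks",
    "scopes_supported": ["openid", "profile", "launch/patient",
                         "patient/*.read", "user/*.*"],
}
EXPECTED_AUDIENCE = "vonk"          # assumed audience name for the FHIR server
SECRET = b"local-test-signing-key"  # stands in for the IdP's signing key


def unsupported_scopes(requested):
    """Scopes a client asks for that the IdP does not advertise; the token
    endpoint will refuse (or silently drop) these."""
    return [s for s in requested if s not in DISCOVERY_DOC["scopes_supported"]]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub, scope, patient, now=None, lifetime=300):
    """Build a JWT with the claims the page's test users end up with:
    'scope' for the SMART scopes and 'patient' for the launch context."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": DISCOVERY_DOC["issuer"], "aud": EXPECTED_AUDIENCE,
              "sub": sub, "iat": now, "exp": now + lifetime,
              "scope": scope, "patient": patient}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def replace_claim(token, name, value):
    """Rewrite one claim without re-signing: what a client that edits the
    patient claim to reach another patient's compartment would send."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims[name] = value
    return header + "." + _b64url(json.dumps(claims).encode()) + "." + sig


def validate_token(token, required_scope, now=None):
    """Return the claims if the token is trustworthy, else raise ValueError.
    Order matters: verify the signature before acting on any claim."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != DISCOVERY_DOC["issuer"]:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not meant for this server")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("expired")
    if required_scope not in claims.get("scope", "").split():
        raise ValueError("missing scope " + required_scope)
    if required_scope.startswith("patient/") and not claims.get("patient"):
        raise ValueError("patient/* scope without patient launch context")
    return claims


def verdict(token, required_scope, now=None):
    """'ok' or the reason the token was rejected; handy for tests and logs."""
    try:
        validate_token(token, required_scope, now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    alice = mint_token("Alice", "openid patient/*.read", "alice-identifier")
    print(verdict(alice, "patient/*.read"))  # ok
    print(verdict(replace_claim(alice, "patient", "bob-identifier"), "patient/*.read"))  # bad signature
```

The check order in validate_token is the point: algorithm pinned, signature verified, then issuer, audience, expiry and scope, and only then is the patient claim read to confine a patient/* token to one compartment. Rewriting Alice's patient claim to bob-identifier is rejected at the signature step, before the claim is ever looked at.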