Set up an Identity Provider

About Identity Providers and Firely Server

In order to use Access control and SMART you need an Identity Provider that can provide OAuth2 JWT Tokens with claims that conform to SMART on FHIR. In a production scenario, you typically already have such a provider. It could be the EHR system, the Active Directory, or a provider set up specifically for let’s say a Patient Portal. It is also very well possible that the provider handing the correct claims uses a federated OAuth2 provider to do the authentication.

An Identity Provider for testing

To allow you to test Access control and SMART, we provide you with instructions to build and run an Identity Provider in which you can configure the necessary clients, claims and users yourself to test different scenarios. The instructions are based on the excellent IdentityServer4 project on GitHub by Dominick Baier and Brock Allen.

By default, the configuration is such that you can test many different cases. If you wish to adjust the configuration, that will require a bit of programming.

The Identity Provider is built in Microsoft .NET Core. Therefore it should also run cross-platform, just as Firely Server itself. However, we did not try that.

Note

The project below is provided for your convenience. It comes with no warranty and is not supported by Firely.

In order to get tokens from the Identity Provider you need an http client. We included instructions on Access Control Tokens with Postman.

Instructions

  1. Clone the project Vonk.IdentityServer.Test from GitHub

  2. Run the Powershell script .\scripts\GenerateSSLCertificate.ps1
    This will generate an SSL Certificate in .\Vonk.IdentityServer.Test\ssl_cert.pfx, with the password
    ‘cert-password’. This is preconfigured in Program.cs.

  3. Open the solution Vonk.IdentityServer.Test.sln in Visual Studio

  4. Build the solution

  5. Run the Vonk.IdentityServer.Test project

  6. Visual Studio should automatically open http://localhost:5100 in your browser.

    You should see a page like this.

    ../_images/ac_identityprovider_startup.png

  7. Also try https://localhost:5101 for the https connection. Your browser will ask you to make a security exception for the self-signed certificate.

  8. Get the openid connect configuration at http://localhost:5100/.well-known/openid-configuration. You can see all the available scopes in this document.

Configuration

The Identity Server is preconfigured with two users and one client:

Client

ClientId

Postman

Secret

secret

Redirect Uri

https://www.getpostman.com/oauth2/callback

This client is allowed to request any of the available scopes.

It is called Postman, since many users use the Postman REST client to test FHIR Servers. If you use another client, you can still use it as the ClientId, or alter the values in Config.cs.

Users

Alice

UserName

Alice

Password

password

Launch context

patient=alice-identifier

Bob

UserName

Bob

Password

password

Launch context

patient=bob-identifier

You can add or alter users in Config.cs.