
Authentication

Blaze comes with a built-in feature to authenticate requests against an OpenID Connect provider. To activate this feature, set the environment variable OPENID_PROVIDER_URL to the base URL of your OpenID Connect provider.

If this feature is activated, all FHIR endpoints require a valid JWT as a Bearer token in the Authorization header. The tokens are validated using all public keys available in the OpenID Connect configuration fetched from <OPENID_PROVIDER_URL>/.well-known/openid-configuration. Currently only RSA 256 signed tokens are supported.

To further restrict which tokens are accepted, two optional environment variables can be set:

  • OPENID_PROVIDER_ISSUER — the expected value of the iss (issuer) claim. Tokens with a different issuer are rejected.
  • OPENID_AUDIENCE — the expected value of the aud (audience) claim. Tokens that do not include this audience are rejected.

It is strongly recommended to configure both variables in production to prevent tokens minted for other applications from being accepted by Blaze. If either variable is not set, the corresponding claim is not validated and a warning is logged at startup.

Usage

To test the authentication feature, start Keycloak first and then Blaze, as defined in the Docker Compose file in the docs/authentication directory:

```sh
docker compose up keycloak
```

Wait until Keycloak is started, then run:

```sh
docker compose up blaze
```

After both services are up, run:

```sh
ACCESS_TOKEN=$(./fetch-token.sh) ./request-all-resources.sh
```

The output should be:

```json
{
  "resourceType": "Bundle",
  "id": "C6IJYWHRYMGMXUFH",
  "type": "searchset",
  "total": 0,
  "link": [
    {
      "relation": "self",
      "url": "http://localhost:8080/fhir?_count=50&__t=0"
    }
  ]
}
```

Additional Considerations

  • Blaze fetches the first public key available under <OPENID_PROVIDER_URL>/.well-known/openid-configuration at startup and every minute afterwards
  • only the first public key is used (please file an issue if you need more than the first key)
  • only RSA 256 signatures are supported (please file an issue if you also need RSA 512)