Authentication
Blaze comes with a build-in feature to authenticate requests against an OpenID Connect provider. In order to activate this feature, the environment variable OPENID_PROVIDER_URL
has to be set to the base URL of your OpenID Connect provider.
If this feature is activated, all FHIR Endpoints will require a valid JWT in the Authorization header as Bearer
token. The tokens are validated using the first public key available in the OpenID Connect configuration fetched from <OPENID_PROVIDER_URL>/.well-known/openid-configuration
. Currently only RSA 256 signed tokens are supported.
Usage
In order to test the authentication feature, please start first Keycloak and then Blaze as defined in the Docker Compose file in the docs/authentication
directory:
docker compose up keycloak
wait until keycloak is started
docker compose up blaze
after both services are up, please run:
ACCESS_TOKEN=$(./fetch-token.sh) ./request-all-resources.sh
The output should be:
{
"resourceType": "Bundle",
"id": "C6IJYWHRYMGMXUFH",
"type": "searchset",
"total": 0,
"link": [
{
"relation": "self",
"url": "http://localhost:8080/fhir?_count=50&__t=0"
}
]
}
Additional Considerations
- Blaze will fetch the first public available under
<OPENID_PROVIDER_URL>/.well-known/openid-configuration
at the start and every minute afterwards - only the first public key is used (please file an issue if you need more than the first key)
- the only RSA 256 signatures are supported (please file an issue if you need also RSA 512)