Add AuthZ to HAPI FHIR - Part 1

Introduction

In previous posts, I wrote about adding support for Authentication (AuthN) to HAPI FHIR.

In this post, we will take a look at some options to enable (fine grained) Authorization (AuthZ) in HAPI FHIR.

Option 1

There are three components to this solution: an Identity Provider that authenticates the user; an Authorization Server that decides what a given user can access; and an Access Gateway which enforces those permissions.

• Identity Provider: Keycloak
• Authorization Server: Keycloak
• Access Gateway: FHIR Info Gateway

Authorization Server

The HAPI FHIR AU with Auth Starter Project already uses Keycloak for Authentication (AuthN).

We will need to extend Keycloak and add support for SMART on FHIR.

See:

• Project Alvearie: SMART App Launch
• Project Alvearie: Keycloak extensions for FHIR
• Keycloak extensions for FHIR: Upgrade to the Quarkus-based distribution
• Keycloak discussion: Fine grained scope consent management

Also see:

• GitHub: Zedwerks - Keycloak extensions for FHIR

Access Gateway

The FHIR Information Gateway sits in front of a FHIR store (e.g., a HAPI FHIR server) and controls access to FHIR resources.

See:

• FHIR Info Gateway: Introduction

Option 2

Three components as per option 1.

AuthN and AuthZ: Keycloak

Access Gateway

A severless implementation of an Access Gateway.

Knative and OpenFaaS are open-source environments for creating and hosting serverless functions.

See:

• GitHub: Okta SMART on FHIR docs
• GitHub: Okta SMART on FHIR demo

Option 3

Three components as per option 1.

AuthN and AuthZ: Keycloak

Access Gateway

An Access Gateway implementation with support for Relationship-Based
Access Control (ReBAC).

See:

• GitHub: Secured FHIR Proxy
• OpenFGA: Relationship-based access control

Option 4

Three components as per option 1.

AuthN and AuthZ: Keycloak

Access Gateway

An Access Gateway implementation based on Spring Cloud Gateway.

See:

• Spring blog: Embracing Virtual Threads
• Spring blog: Spring Tips: Spring Cloud Gateway for Spring MVC
• Spring docs: Spring Cloud Gateway Server MVC

References

OAuth 2.0

• IETF: OAuth 2.0 for Browser-Based Applications
• Spring docs: Implementation Guidelines for Browser-Based Applications

SMART on FHIR

• HL7: SMART App Launch
• SMART Health IT: SMART on FHIR

Keycloak

• Keycloak: Documentation
• Keycloak docs: Service Provider Interfaces

FHIR Info Gateway

• GitHub: FHIR Info Gateway