Add AuthZ to HAPI FHIR - Part 1
Introduction
In previous posts, I wrote about adding support for Authentication (AuthN) to HAPI FHIR.
In this post, we will take a look at some options to enable (fine grained) Authorization (AuthZ) in HAPI FHIR.
Option 1
There are three components to this solution: an Identity Provider that authenticates the user; an Authorization Server that decides what a given user can access; and an Access Gateway which enforces those permissions.
- Identity Provider: Keycloak
- Authorization Server: Keycloak
- Access Gateway: FHIR Info Gateway
Authorization Server
The HAPI FHIR AU with Auth Starter Project already uses Keycloak for Authentication (AuthN).
We will need to extend Keycloak and add support for SMART on FHIR.
See:
- Project Alvearie: SMART App Launch
- Project Alvearie: Keycloak extensions for FHIR
- Keycloak extensions for FHIR: Upgrade to the Quarkus-based distribution
- Keycloak discussion: Fine grained scope consent management
Also see:
Access Gateway
The FHIR Information Gateway sits in front of a FHIR store (e.g., a HAPI FHIR server) and controls access to FHIR resources.
See:
- FHIR Info Gateway: Introduction
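As an added example, not code from any of the projects linked above, here is a minimal sketch of the decision an Access Gateway makes from a SMART on FHIR token's scopes. It assumes a decoded token with a space-separated `scope` claim and, for patient launches, a `patient` claim, and it only defers (rather than performs) the patient-compartment check a real gateway still has to make against the target resource.

```python
import re
from urllib.parse import parse_qs, urlparse

# SMART App Launch resource scopes, v1 ("patient/Observation.read") and v2
# ("patient/Observation.rs") forms. Constructed assumption: the token carries a
# "scope" claim and, for patient-context launches, a "patient" claim (Patient id).
SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Za-z]+|\*)\.(read|write|\*|[cruds]+)$")
V1_PERMS = {"read": set("rs"), "write": set("cud"), "*": set("cruds")}
METHOD_PERM = {"POST": "c", "PUT": "u", "PATCH": "u", "DELETE": "d"}

def parse_scopes(scope_claim):
    """Yield (context, resource type, permission letters) per resource scope."""
    for raw in scope_claim.split():
        m = SCOPE_RE.match(raw)  # openid, launch/patient, ... are skipped
        if m:
            ctx, rtype, perm = m.groups()
            yield ctx, rtype, V1_PERMS.get(perm) or set(perm)

def authorize(token, method, url):
    """Return "allow", "deny" or "check-compartment": the last means the
    gateway must still confirm the target resource (fetched, or in the
    request body) lies in the token patient's compartment before forwarding."""
    parsed = urlparse(url)
    segments = [s for s in parsed.path.split("/") if s]
    # GET /Type is a search (s), GET /Type/id a read (r); writes map by method
    need = ("s" if len(segments) == 1 else "r") if method == "GET" else METHOD_PERM.get(method)
    if not segments or need is None:
        return "deny"
    rtype, query, deferred = segments[0], parse_qs(parsed.query), False
    for ctx, scope_type, perms in parse_scopes(token.get("scope", "")):
        if scope_type not in (rtype, "*") or need not in perms:
            continue
        if ctx != "patient":
            return "allow"  # user/system scopes are not bound to one patient
        pid = token.get("patient")
        if not pid:
            continue  # patient scope without a launch patient grants nothing
        if need == "s":  # a search must be filtered to the launch patient
            wanted = ([pid], ["Patient/" + pid])
            if query.get("patient") in wanted or query.get("subject") in wanted:
                return "allow"
            continue
        if rtype == "Patient" and segments[1:2] == [pid]:
            return "allow"  # the launch patient's own record
        deferred = True
    return "check-compartment" if deferred else "deny"
```

Finer-grained SMART v2 scopes with query filters (for example `patient/Observation.rs?category=...`) are not modelled here.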
Option 2
Three components as per option 1.
AuthN and AuthZ: Keycloak
Access Gateway
A serverless implementation of an Access Gateway.
Knative and OpenFaaS are open-source environments for creating and hosting serverless functions.
See:
- GitHub: Okta SMART on FHIR docs
- GitHub: Okta SMART on FHIR demo
Option 3
Three components as per option 1.
AuthN and AuthZ: Keycloak
Access Gateway
An Access Gateway implementation with support for Relationship-Based Access Control (ReBAC).
See:
- GitHub: Secured FHIR Proxy
- OpenFGA: Relationship-based access control
Option 4
Three components as per option 1.
AuthN and AuthZ: Keycloak
Access Gateway
An Access Gateway implementation based on Spring Cloud Gateway.
See:
- Spring blog: Embracing Virtual Threads
- Spring blog: Spring Tips: Spring Cloud Gateway for Spring MVC
- Spring docs: Spring Cloud Gateway Server MVC
References
OAuth 2.0
- IETF: OAuth 2.0 for Browser-Based Applications
- Spring docs: Implementation Guidelines for Browser-Based Applications
SMART on FHIR
- HL7: SMART App Launch
- SMART Health IT: SMART on FHIR
Keycloak
- Keycloak: Documentation
- Keycloak docs: Service Provider Interfaces
FHIR Info Gateway
- GitHub: FHIR Info Gateway