Written by

Developer at University Medical Center Groningen
Question Menno Voerman · Oct 15, 2021

Ignore bearer token in unauthenticated web application

Hi All,

Hopefully someone can help me with this question.

I've got a FHIR adapter service defined as described here:

FHIR Interoperability Adapter

The web application is running:

This works well when asking the FHIR metadata I get a nice 200 response:

But when I want to request patient data I need to send the Access Token in the Request:

This gives a 401 error and I don't see any message at the InteropService (HS.FHIRServer.Interop.Service).

It looks like the web application doesn't like the Authorization header:

How can I make sure that the web application just ignores the Authorization header?

I only need the token at a later moment, when interacting with the FHIR server.

Product version: IRIS 2021.1
$ZV: IRIS for Windows (x86-64) 2021.1 (Build 215U) Wed Jun 9 2021 09:39:22 EDT [HealthConnect:3.3.0] [HealthConnect:3.3.0]

Comments

Tony Beukes · Oct 20, 2021

You have Security Settings > Allowed Authentication Methods > Password unchecked in your Web Application definition.

Have you tried No Auth in Postman?

Menno Voerman · Oct 25, 2021

Hi All,

The problem is in HS.FHIRServer.RestHandler:

```objectscript
Class HS.FHIRServer.HC.FHIRInteropAdapter Extends HS.FHIRServer.RestHandler
{
    Parameter isInteropAdapter As %Boolean = 1;
    Parameter ServiceConfigName As %String = "InteropService";
}
```

For some reason it's not allowed to send the bearer token with the unauthenticated application:

```objectscript
// Access token present on unsecure CSP request is invalid. Otherwise, if access
// token found on secure CSP request then add to FHIR request AdditionalInfo for
// later evaluation by the FHIR service.
If '%request.Secure {
    If ($ZConvert($Piece(%request.GetCgiEnv("HTTP_AUTHORIZATION")," ",1),"U") = "BEARER") || ($Get(%request.Data("access_token",1)) '= "") {
        Set %response.Status = ..#HTTP401UNAUTHORIZED
        Return $$$OK
    }
    Set accessToken = ""
} Else {
    // InterSystems FHIRServer policy is to NOT allow passing access token in the
    // request URL or form encoded body (either can be found in %request.Data).
    If $Get(%request.Data("access_token",1)) '= "" {
        Set %response.Status = ..#HTTP401UNAUTHORIZED
        Return $$$OK
    }
    Set accessToken = ##class(%SYS.OAuth2.AccessToken).GetAccessTokenFromRequest(.tSC)
    $$$ThrowOnError(tSC)
    If accessToken '= "" {
        Do tRequest.AdditionalInfo.SetAt(accessToken, "USER:OAuthToken")
        Do tRequest.AdditionalInfo.SetAt(hsrestconfig.OAuthClientName, "USER:OAuthClient")
    }
}
```

We're going to discuss the issue with InterSystems, but it looks like we need custom programming to make this situation work in the new HC version.

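As an added illustration (not InterSystems' code and not part of the original thread), the handler's token policy quoted above modelled in Python so its three outcomes can be exercised offline: any token presented on a plain-HTTP request is refused, a token in the URL or form body is refused even over HTTPS, and only a Bearer header on an HTTPS request is stashed in AdditionalInfo. `FhirRequest`, `evaluate_access_token` and the client name passed in are constructed stand-ins for `%request`, the RestHandler code and `hsrestconfig.OAuthClientName`.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

HTTP401UNAUTHORIZED = 401  # mirrors ..#HTTP401UNAUTHORIZED in the handler


@dataclass
class FhirRequest:
    """Constructed stand-in for %request: full URL, headers and form body."""
    url: str
    headers: Dict[str, str] = field(default_factory=dict)
    form_body: str = ""


@dataclass
class Outcome:
    status: Optional[int]            # 401 when the handler short-circuits, else None
    additional_info: Dict[str, str]  # what would be put into tRequest.AdditionalInfo


def _header(req: FhirRequest, name: str) -> str:
    # CGI normalises header names (HTTP_AUTHORIZATION), so match case-insensitively.
    return next((v for k, v in req.headers.items() if k.lower() == name.lower()), "")


def _access_token_in_data(req: FhirRequest) -> bool:
    # %request.Data holds both query-string and form-encoded parameters.
    params = parse_qs(urlsplit(req.url).query)
    params.update(parse_qs(req.form_body))
    return bool(params.get("access_token", [""])[0])


def evaluate_access_token(req: FhirRequest, oauth_client_name: str) -> Outcome:
    scheme, _, token = _header(req, "Authorization").partition(" ")
    is_bearer = scheme.upper() == "BEARER"
    info: Dict[str, str] = {}
    if urlsplit(req.url).scheme != "https":
        # Plain HTTP (%request.Secure false): a Bearer header or an
        # access_token parameter is rejected outright with 401.
        if is_bearer or _access_token_in_data(req):
            return Outcome(HTTP401UNAUTHORIZED, info)
        return Outcome(None, info)
    # HTTPS: a token in the URL or form body is still refused ...
    if _access_token_in_data(req):
        return Outcome(HTTP401UNAUTHORIZED, info)
    # ... but a Bearer header is kept for the FHIR service to evaluate later.
    if is_bearer and token.strip():
        info["USER:OAuthToken"] = token.strip()
        info["USER:OAuthClient"] = oauth_client_name
    return Outcome(None, info)
```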