JohnNKing commented 2 weeks ago

Story

As UCSD, so my EHR can receive results, I need ReportStream to be able to authenticate via OAuth2.

Pre-conditions

[ ] Assumptions of prior or future work that's out of scope for this story

Acceptance Criteria

[ ] Required outcomes of the story

Tasks

Research

[ ] Foundational: High-level research to figure out what we need to do, and where

Engineering

[x] Research
- [x] Get familiar with RS's code base and how they generate JWTs
- [x] Test how RS constructs the jwt
[ ] Changes to code base
- [x] Discuss solutions
- [x] Add jwtParams map to the RESTTransport constructor in TransportType.kt
- [x] Extract map in getCredential in RESTTransport.kt
- [x] Enhance lookupTwoLeggedCredential in RESTTransport.kt for use of jwtParams map to generate the jwt
- [ ] Refactor and final touches
[x] Unit test
- [x] Test that jwt against EPIC's token endpoint to see if it is valid
[ ] Create How to onboard document

Definition of Done

[ ] Documentation tasks completed
- [ ] Documentation and diagrams created or updated
- [ ] Implementation guide (/ig folder)
- [ ] ADRs (/adr folder)
- [ ] Main README.md
- [ ] Other READMEs in the repo
- [ ] If applicable, update the ReportStream Setup section in README.md
- [ ] Threat model updated
- [ ] API documentation updated
[ ] Code quality tasks completed
- [ ] Code refactored for clarity and no design/technical debt
- [ ] Adhere to separation of concerns; code is not tightly coupled, especially to 3rd party dependencies
- [ ] Code is reviewed or developed by pair; 1 approval is needed but consider requiring an outside-the-pair reviewer
- [ ] Code quality checks passed
[ ] Security & Privacy tasks completed
- [ ] Security & privacy gates passed
[ ] Testing tasks completed
- [ ] Load tests passed
- [ ] Unit test coverage of our code >= 90%
[ ] Build & Deploy tasks completed
- [ ] Build process updated
- [ ] API(s) are versioned
- [ ] Feature toggles created and/or deleted. Document the feature toggle
- [ ] Source code is merged to the main branch

Research Questions

Optional: Any initial questions for research

Decisions

Optional: Any decisions we've made while working on this story

Notes

Optional: Any reference material or thoughts we may need for later reference

basiliskus commented 1 week ago

ReportStream already supports outbound OAuth2. More info here and here

basiliskus commented 1 week ago

It seems this will be more of an integration story with UCSD. As part of the work, we need to review the RS Programmer's Guide and make sure there are steps to set up outbound OAuth2 connection with RS

saquino0827 commented 4 days ago

Here's is the swagger doc for the description of OAuth2 using Okta. This seems to only be for inbound.

jorg3lopez commented 4 days ago

We checked how RS builds the jwt that is used to request an access token, and it appears that it will work with their current setup. The one thing we need now is the endpoint where we will send the message to.

jorg3lopez commented 1 day ago

Update: We concluded that RS has the right setup for OAuth2 when they generate jwt. The jwt that is being generated is not valid when we hit the token endpoint. The problem is that the issuer and subject params are not the client id that we got from EPIC. See picture:

The other issue is that the audience is blank, instead of having the baseUrl that is used to retrieve the token. See picture:

Proposed solution: I think that if we add these entries to the org file, we will have the ability to create JWTs with more flexibility and client customization.