Closed ageryck closed 3 months ago
I understand webs login flow does not need to change since we re retaining keycloak as the IAM as well as retaining the flow via which we get the access token from endpoint.
Note: Web does not need to understand how the gateway plugin functions or how data is filtered on the gateway, it just needs to make requests as it has been making and trusting that the gateway plugin enforces RBAC/ABAC in the response. Web also should expect that the gateways response retains the payload structure defined by the fhir spec.
What I expect to change on web as part of this issue:
I understand webs login flow does not need to change since we re retaining keycloak as the IAM as well as retaining the flow via which we get the access token from endpoint.
Note: Web does not need to understand how the gateway plugin functions or how data is filtered on the gateway, it just needs to make requests as it has been making and trusting that the gateway plugin enforces RBAC/ABAC in the response. Web also should expect that the gateways response retains the payload structure defined by the fhir spec.
What I expect to change on web as part of this issue:
- [ ] Update fhir base url config to point to authenticated hapi fhir server.
@peterMuriuki Agreed! I don't think we need to change anything
@ciremusyoka @peterMuriuki let's use this opportunity to fix the automatic auth token refresh functionality.
Setting the gateway base url similar to how we were setting base fhir url currently will not work out of box.
There is inconsistency on the gateway endpoints. Some have /fhir
prefix and others (gateway custom endpoints) don't.
Our current implementation on the web expects all endpoints to be consistent.
E.G to get location hierarchy current we use this https://fhir.labs.smartregister.org/fhir/LocationHierarchy/_search?_id=2252
but on gateway the request will be https://fhir-access-proxy.smartregister.org/LocationHierarchy?identifier=2252
.
For us to use the gateway we will have to
(/LocationHierarchy, /PractitionerDetails)
to match the standard implementation of the other fhir endpoints@lincmba Have noted permissions are not applied for requests with /_search
after the resource name.
https://fhir-access-proxy.smartregister.org/fhir/Patient/_search
returns data for any user but https://fhir-access-proxy.smartregister.org/fhir/Patient
does not return data for users without correct permissions.
@lincmba Have noted permissions are not applied for requests with
/_search
after the resource name.https://fhir-access-proxy.smartregister.org/fhir/Patient/_search
returns data for any user buthttps://fhir-access-proxy.smartregister.org/fhir/Patient
does not return data for users without correct permissions.
@lincmba take a look at this
@lincmba @ageryck Location hierarchy response from the gateway is missing location children data
which we use to display the hierarchy drill down.
"LocationHierarchyTree": {
"locationsHierarchy": {
"listOfNodes": {
"treeNode": [
{
...,
"children": [
`This children list is missing on gateway response`
]
}
]
}
}
}
Compare responses of https://fhir.labs.smartregister.org/fhir/LocationHierarchy?_id=2252 and https://fhir-access-proxy.smartregister.org/LocationHierarchy?identifier=2252
Feature Use Case
Currently, the web authenticates via keycloak read roles and permissions to make requests to HAPI, in this issue we want to refactor this to allow the web to authenticate as follows;
Current android client workflow
Acceptance criteria
web can authenticate via the gateway and filter data based on assignment and user role
Project Contact
Ager
Relevant Information
This ticket is dependent on web users' assignment implementation and web gateway plugin implementation