Refactor web login via FHIR Info Gateway

onaio / fhir-web

A web based interface for administering FHIR based digital health solutions

https://ona.io/home/introducing-quest-fhir-native-case-management/

Other

16 stars 13 forks source link

Refactor web login via FHIR Info Gateway #1375

Closed ageryck closed 3 months ago

ageryck commented 5 months ago

Feature Use Case

Currently, the web authenticates via keycloak read roles and permissions to make requests to HAPI, in this issue we want to refactor this to allow the web to authenticate as follows;

Request keycloak to validate the user and get the access token
Request gateway to read the provided token and make practitionerDetails request to get details on role, permissions, and assignment
Gateway to filter data/resources based on granted PractitionerDetails and return to web

Current android client workflow

Acceptance criteria

web can authenticate via the gateway and filter data based on assignment and user role

Project Contact

Ager

Relevant Information

This ticket is dependent on web users' assignment implementation and web gateway plugin implementation

peterMuriuki commented 5 months ago

I understand webs login flow does not need to change since we re retaining keycloak as the IAM as well as retaining the flow via which we get the access token from endpoint.

Note: Web does not need to understand how the gateway plugin functions or how data is filtered on the gateway, it just needs to make requests as it has been making and trusting that the gateway plugin enforces RBAC/ABAC in the response. Web also should expect that the gateways response retains the payload structure defined by the fhir spec.

What I expect to change on web as part of this issue:

[ ] Update fhir base url config to point to authenticated hapi fhir server.

dubdabasoduba commented 5 months ago

I understand webs login flow does not need to change since we re retaining keycloak as the IAM as well as retaining the flow via which we get the access token from endpoint.

Note: Web does not need to understand how the gateway plugin functions or how data is filtered on the gateway, it just needs to make requests as it has been making and trusting that the gateway plugin enforces RBAC/ABAC in the response. Web also should expect that the gateways response retains the payload structure defined by the fhir spec.

What I expect to change on web as part of this issue:

[ ] Update fhir base url config to point to authenticated hapi fhir server.

@peterMuriuki Agreed! I don't think we need to change anything

@ciremusyoka @peterMuriuki let's use this opportunity to fix the automatic auth token refresh functionality.

ciremusyoka commented 5 months ago

Setting the gateway base url similar to how we were setting base fhir url currently will not work out of box. There is inconsistency on the gateway endpoints. Some have /fhir prefix and others (gateway custom endpoints) don't. Our current implementation on the web expects all endpoints to be consistent. E.G to get location hierarchy current we use this https://fhir.labs.smartregister.org/fhir/LocationHierarchy/_search?_id=2252 but on gateway the request will be https://fhir-access-proxy.smartregister.org/LocationHierarchy?identifier=2252.

For us to use the gateway we will have to

Update the web to work with the gateway custom endpoints or
Update the gateway custom urls (/LocationHierarchy, /PractitionerDetails) to match the standard implementation of the other fhir endpoints

ciremusyoka commented 5 months ago

@lincmba Have noted permissions are not applied for requests with /_search after the resource name. https://fhir-access-proxy.smartregister.org/fhir/Patient/_search returns data for any user but https://fhir-access-proxy.smartregister.org/fhir/Patient does not return data for users without correct permissions.

ageryck commented 4 months ago

@lincmba Have noted permissions are not applied for requests with /_search after the resource name. https://fhir-access-proxy.smartregister.org/fhir/Patient/_search returns data for any user but https://fhir-access-proxy.smartregister.org/fhir/Patient does not return data for users without correct permissions.

@lincmba take a look at this

ciremusyoka commented 4 months ago

@lincmba @ageryck Location hierarchy response from the gateway is missing location children data which we use to display the hierarchy drill down.

"LocationHierarchyTree": {
    "locationsHierarchy": {
        "listOfNodes": {
            "treeNode": [
                {
                    ...,
                    "children": [
                        `This  children list is missing on gateway response`
                    ]
                }
            ]
        }
    }
}

Compare responses of https://fhir.labs.smartregister.org/fhir/LocationHierarchy?_id=2252 and https://fhir-access-proxy.smartregister.org/LocationHierarchy?identifier=2252