Blaze comes with a built-in feature to authenticate requests against an OpenID Connect provider. To activate this feature, set the environment variable OPENID_PROVIDER_URL
to the base URL of your OpenID Connect provider.
If this feature is activated, all FHIR endpoints require a valid JWT passed as Bearer
token in the Authorization header. The tokens are validated using the first public key available in the OpenID Connect configuration fetched from <OPENID_PROVIDER_URL>/.well-known/openid-configuration.
Currently only RSA 256 (RS256) signed tokens are supported.
To test the authentication feature, start Keycloak and Blaze as defined in the Docker Compose file in the docs/authentication
directory:
docker-compose up
After both services are up, run:
ACCESS_TOKEN=$(./fetch-token.sh) ./request-all-resources.sh
The output should be:
  {
    "entry": [],
    "id": "C6IJYWHRYMGMXUFH",
    "link": [
      {
        "relation": "self",
        "url": "http://localhost:8080/fhir?_count=50&__t=0"
      }
    ],
    "resourceType": "Bundle",
    "total": 0,
    "type": "searchset"
  }
- Blaze fetches the first public key available under
<OPENID_PROVIDER_URL>/.well-known/openid-configuration
at startup and every minute afterwards; only the first public key is used (please file an issue if you need more than the first key)
- only RSA 256 signatures are supported (please file an issue if you also need RSA 512)
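The test flow above (fetch a token, call Blaze with it as Bearer token) written out as an added example; it is not Blaze's own fetch-token.sh or request-all-resources.sh. Because Blaze only verifies RS256 signatures, the script inspects the token's header and refuses to send a token signed with any other algorithm. The provider URL, client id, test user and the Keycloak port are assumptions; adjust them to your Compose setup.

```sh
#!/bin/sh
# Added example, not Blaze's own scripts. Assumed: OPENID_PROVIDER_URL is a Keycloak
# realm, CLIENT_ID/OIDC_USER/OIDC_PASSWORD identify a test user allowed to use the
# password grant, and Blaze listens at BLAZE_URL.
set -eu

: "${OPENID_PROVIDER_URL:=http://localhost:8090/realms/blaze}"   # assumed
: "${BLAZE_URL:=http://localhost:8080/fhir}"
: "${CLIENT_ID:=blaze-test}" "${OIDC_USER:=test}" "${OIDC_PASSWORD:=test}"  # assumed

# Decode one base64url JWT segment (JWT segments carry no '=' padding).
b64url_decode() {
  s=$1
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | tr '_-' '/+' | base64 -d
}

# Print the "alg" claimed in the JWT header, or nothing if it is absent.
jwt_alg() {
  b64url_decode "${1%%.*}" | sed -n 's/.*"alg"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Blaze verifies RS256 only; reject other algorithms client-side instead of
# debugging a 401 from the server.
blaze_compatible_alg() {
  alg=$(jwt_alg "$1")
  [ "$alg" = "RS256" ] && return 0
  echo "token alg '${alg:-none}' is not RS256; Blaze will reject it" >&2
  return 1
}

# Read token_endpoint from the discovery document, then obtain an access token.
fetch_token() {
  endpoint=$(curl -fsS "$OPENID_PROVIDER_URL/.well-known/openid-configuration" |
    sed -n 's/.*"token_endpoint"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  curl -fsS -d grant_type=password -d "client_id=$CLIENT_ID" \
    -d "username=$OIDC_USER" -d "password=$OIDC_PASSWORD" "$endpoint" |
    sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Search all resources, sending the token as Bearer credential as Blaze expects.
request_all_resources() {
  curl -fsS -H "Authorization: Bearer $1" -H 'Accept: application/fhir+json' "$BLAZE_URL"
}

main() {
  token=$(fetch_token)
  blaze_compatible_alg "$token"
  request_all_resources "$token"
}

# Network calls only happen when invoked as: sh this-script.sh run
if [ "${1:-}" = "run" ]; then main; fi
```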