# FHIR + OpenID Connect

Jun 20, 2014

I’ve upgraded my FHIR server to support OpenID Connect tokens as part of its OAuth-based login. This is part of implementing IHE’s IUA profile, though I’m not yet sure whether I’m going to finish that off - I’m still discussing the way that works with the IHE authors. What this means is that as part of the server login process, my server provides a signed OpenID Connect token with user identification included in it. There’s now a standard OpenID Connect discovery document available here. Josh Mandel and I would like to make it standard for any FHIR server that uses OAuth, that the URL

[fhir-base]/.well-known/openid-configuration

either returns an OIDC discovery document describing the OAuth part of the server, or redirects to the appropriate location (OIDC puts it on the root of the server, so that would be the best place for it).
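As an added example (not code from this post or from the author's Delphi server), here is how a client can resolve that well-known URL from a FHIR base, follow a redirect to the host root when the server uses one, and check the document before trusting it. The host fhir.example.org, the /fhir path, the endpoint URLs and every response below are constructed for illustration; network access is replaced by an injected fetch function so the example runs offline.

```python
"""Resolve a FHIR server's OpenID Connect discovery document.

Added example, not code from the post or from the author's server. It follows
the convention described above: fetch [fhir-base]/.well-known/openid-configuration
and accept either the document itself or a redirect to where the server really
hosts it (the host root, per OIDC Discovery). All server responses here are
constructed for illustration.
"""
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

class DiscoveryError(Exception):
    pass

def discover(fhir_base, fetch, max_redirects=3):
    """Return the validated discovery document for fhir_base.

    fetch(url) must return (status, headers, body). Redirects are followed
    only to https:// locations and only a bounded number of times.
    """
    url = fhir_base.rstrip("/") + WELL_KNOWN
    for _ in range(max_redirects + 1):
        status, headers, body = fetch(url)
        if status in (301, 302, 303, 307, 308):
            location = headers.get("Location", "")
            if urlsplit(location).scheme != "https":
                raise DiscoveryError("refusing redirect to %r" % location)
            url = location
            continue
        if status != 200:
            raise DiscoveryError("HTTP %d fetching %s" % (status, url))
        return validate(url, json.loads(body))
    raise DiscoveryError("too many redirects")

def validate(fetched_from, doc):
    """Check the fields a client relies on before trusting the document."""
    missing = [f for f in REQUIRED if f not in doc]
    if missing:
        raise DiscoveryError("document missing %s" % ", ".join(missing))
    # OIDC Discovery 1.0 section 4.3: the issuer MUST equal the URL the document
    # was fetched from, minus the well-known suffix. A document served from one
    # host therefore cannot claim to be another issuer; the ID token's iss claim
    # is later compared against this value.
    if not fetched_from.endswith(WELL_KNOWN):
        raise DiscoveryError("document not at a well-known location: %s" % fetched_from)
    expected = fetched_from[: -len(WELL_KNOWN)]
    if doc["issuer"].rstrip("/") != expected.rstrip("/"):
        raise DiscoveryError("issuer %r does not match %r" % (doc["issuer"], expected))
    for f in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(doc[f]).scheme != "https":
            raise DiscoveryError("%s is not https: %r" % (f, doc[f]))
    return doc

def make_fetch(routes):
    """Build an offline fetch() from a {url: (status, headers, body)} table."""
    return lambda url: routes.get(url, (404, {}, ""))

# Constructed discovery document for a hypothetical server at
# https://fhir.example.org whose FHIR endpoint lives under /fhir.
DISCOVERY_DOC = json.dumps({
    "issuer": "https://fhir.example.org",
    "authorization_endpoint": "https://fhir.example.org/oauth/authorize",
    "token_endpoint": "https://fhir.example.org/oauth/token",
    "jwks_uri": "https://fhir.example.org/oauth/jwks",
    "response_types_supported": ["code"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Case 1: the FHIR base redirects to the host root, which serves the document.
GOOD_ROUTES = {
    "https://fhir.example.org/fhir" + WELL_KNOWN:
        (302, {"Location": "https://fhir.example.org" + WELL_KNOWN}, ""),
    "https://fhir.example.org" + WELL_KNOWN: (200, {}, DISCOVERY_DOC),
}
# Case 2: the redirect lands on another host serving a copy of the same
# document; rejected because the issuer is not where the document came from.
HOSTILE_ROUTES = {
    "https://fhir.example.org/fhir" + WELL_KNOWN:
        (302, {"Location": "https://other.example.net" + WELL_KNOWN}, ""),
    "https://other.example.net" + WELL_KNOWN: (200, {}, DISCOVERY_DOC),
}
# Case 3: a downgrade to plain http is refused before anything is fetched.
HTTP_ROUTES = {
    "https://fhir.example.org/fhir" + WELL_KNOWN:
        (301, {"Location": "http://fhir.example.org" + WELL_KNOWN}, ""),
}

def discover_safely(fhir_base, routes):
    """Return (doc, None) on success or (None, reason) on failure."""
    try:
        return discover(fhir_base, make_fetch(routes)), None
    except DiscoveryError as e:
        return None, str(e)

if __name__ == "__main__":
    for name, routes in (("good", GOOD_ROUTES), ("hostile", HOSTILE_ROUTES), ("http", HTTP_ROUTES)):
        print(name, discover_safely("https://fhir.example.org/fhir", routes))
```

The issuer check is what later binds an ID token to this server: the token's iss claim is compared against the discovery document's issuer, so a document served from one host must not be allowed to claim another. The https-only redirect rule matters most for the redirect variant of the convention, since there the client is trusting the FHIR server to point it at the right place.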

I added this to help understand how hard it is to support the tokens, since they’re part of the Smart-On-FHIR framework. And the answer’s kind of split - the JSON/identification bits are relatively straightforward (so far). But the crypto bits - they’re screamingly hard. Because my server is written using Delphi, my choice of crypto libraries is somewhat limited - especially since my code is open source - and in the end I had to go with OpenSSL. It’s astounding how hard this crypto stuff is. At least half the problem is because of OpenSSL (see, “OpenSSL is written by monkeys” - my experience matched that). But it’s not all OpenSSL - basic crypto is harder than it should be - a myriad of closely related counter-intuitive terms, barely differentiated but incompatible file formats, conflicting or wrong advice, etc. And then it either works, or it doesn’t, and mostly all you get is “didn’t work” as an error (e.g. the signature didn’t verify). But I got nearly there in the end (I still have to work through the hard bits of this) (and thanks to Josh for support).

Anyway, the upshot of all this is the first (as far as I know) open source Delphi implementation of JSON Web Tokens and their associated stack of things (JWK, JWS). This might be useful for other Delphi programmers, so:

  • JWT.pas - the core implementation of JSON Web Tokens
  • JSON.pas - the JSON library it uses
  • libeay32.pas - extensions to the standard Indy OpenSSL headers (the next version of Delphi will include these in the standard header file; these are extensions to the XE5 version)

And there are some tests too. Also, there’s a bunch of other library stuff in GitHub there that those units depend on.
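As an added example (not the JWT.pas code above, and in Python rather than Delphi), the following verifies an ID token in JWS compact form against a JWK and, instead of the bare “didn’t work” complained about earlier, reports which check failed: the algorithm the header claims, the key id lookup, the MAC itself, and then the iss, aud, exp and sub claims. To stay self-contained it uses an HS256 `oct` JWK from the standard library; a FHIR server would normally sign ID tokens with RS256 and publish the public key at the discovery document's jwks_uri, but the parsing, key selection and claim checks are the same. The key, issuer, client id, clock value and tokens are all constructed for illustration.

```python
"""Verify an OpenID Connect ID token (JWS compact serialization) with a JWK.

Added example, not the JWT.pas library from the post. HS256 with an oct JWK
is used so that only the standard library is needed; a production ID token
would normally be RS256-signed with a key from jwks_uri. Key, issuer, client
id, clock and tokens below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time

class TokenError(Exception):
    pass

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # restore padding

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def sign_hs256(claims, jwk):
    """Produce a compact JWS; used here only to mint tokens for the example."""
    header = {"alg": "HS256", "typ": "JWT", "kid": jwk["kid"]}
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims))
    mac = hmac.new(b64url_decode(jwk["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_id_token(token, jwks, issuer, client_id, now=None):
    """Return the token's claims, or raise TokenError naming the exact failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("not a three-part compact JWS")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # The token must not choose the algorithm: accept only what our keys support.
    if header.get("alg") != "HS256":
        raise TokenError("unsupported alg %r" % header.get("alg"))
    key = next((k for k in jwks["keys"]
                if k.get("kty") == "oct" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise TokenError("no key with kid %r" % header.get("kid"))
    expected = hmac.new(b64url_decode(key["k"]), (h64 + "." + p64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise TokenError("signature does not verify")
    claims = json.loads(b64url_decode(p64))  # only now is the payload trusted
    if claims.get("iss") != issuer:
        raise TokenError("issuer %r does not match %r" % (claims.get("iss"), issuer))
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("token not issued for this client")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenError("token expired")
    if not claims.get("sub"):
        raise TokenError("no subject")
    return claims

# Constructed key set, issuer, client and clock.
JWKS = {"keys": [{"kty": "oct", "kid": "2014-06", "alg": "HS256",
                  "k": b64url_encode(b"constructed-demo-key-not-for-production")}]}
ISSUER = "https://fhir.example.org"
CLIENT_ID = "smart-app"
NOW = 1403222400

def make_token(**overrides):
    claims = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID, "iat": NOW, "exp": NOW + 3600}
    claims.update(overrides)
    return sign_hs256(claims, JWKS["keys"][0])

def tamper(token):
    """Flip one bit of the signature: the payload is intact, the MAC is not."""
    h64, p64, s64 = token.split(".")
    sig = bytearray(b64url_decode(s64))
    sig[0] ^= 0x01
    return ".".join((h64, p64, b64url_encode(bytes(sig))))

def forge_alg_none(token):
    """Rewrite the header to alg=none with an empty signature (a classic attack)."""
    _, p64, _ = token.split(".")
    return b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + p64 + "."

def check(token):
    """Return (claims, None) or (None, reason) so callers learn why it failed."""
    try:
        return verify_id_token(token, JWKS, ISSUER, CLIENT_ID, now=NOW), None
    except TokenError as e:
        return None, str(e)

if __name__ == "__main__":
    good = make_token()
    for label, t in (("good", good), ("tampered", tamper(good)),
                     ("alg none", forge_alg_none(good)), ("expired", make_token(exp=NOW - 1))):
        print(label, check(t))
```

Two of the constructed failures are the ones worth remembering: a token whose header says alg none is rejected before any key lookup, and the payload is decoded for its claims only after the signature checks out. With an RS256 key from jwks_uri the selection by kid and the claim checks stay the same; only the MAC comparison becomes a public-key signature verification.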