Security features and considerations

While Ontoserver does not ship with its own authentication system, it does implement a role-based access control system and the ability to integrate with an OAuth 2.0-compatible authorisation server.

The authorisation server must be able to issue JSON Web Tokens (JWT). A JWT is a token carrying a payload of claims, such as the expiry time, that is signed with a shared secret. An application such as Ontoserver can therefore verify the authenticity and integrity of the JWT without interrogating the authorisation server directly.

The payload of a typical JWT used to authenticate with Ontoserver looks like this:

{
  "exp": 1506947837,
  "user_name": "somebody@somewhere.com",
  "authorities": [
    "ROLE_FHIR_READ",
    "ROLE_FHIR_WRITE"
  ],
  "jti": "d27686bd-d439-4368-b5db-16431740ee38",
  "client_id": "ac8fa7a3-cd05-4f7f-095b4dcbe330"
}

This JWT grants read/write access to the FHIR API.

The exp parameter represents the expiry time of the token. Attempts to use the token after this time will be refused by Ontoserver.

The roles available within Ontoserver are as follows:

ROLE_FHIR_READ     Read access to the FHIR API
ROLE_FHIR_WRITE    Write access to the FHIR API
ROLE_API_READ      Read access to the admin API
ROLE_API_WRITE     Write access to the admin API
ROLE_SYND_READ     Read access to the syndication API
ROLE_SYND_WRITE    Write access to the syndication API

The jti parameter is a unique identifier for the token. Its presence is generally used to mitigate replay attacks, since a server can recognise a token it has already seen.

The client_id parameter is a unique identifier for the client application, and can be used by the authorisation server within its authorisation logic, and to enforce allowable redirection URLs on a per-application basis.
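The checks described above (signature over the payload, the exp expiry, and the authorities roles) can be put together as a small verifier. The following is an added example and not Ontoserver's own code: it mints and verifies an HS256 JWT with a constructed shared secret, using the sample payload from this page, and reports why a token would be refused.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed; a real deployment shares this with the auth server
SAMPLE_PAYLOAD = {"exp": 1506947837, "user_name": "somebody@somewhere.com",  # the payload shown above
                  "authorities": ["ROLE_FHIR_READ", "ROLE_FHIR_WRITE"],
                  "jti": "d27686bd-d439-4368-b5db-16431740ee38", "client_id": "ac8fa7a3-cd05-4f7f-095b4dcbe330"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(payload: dict, secret: bytes) -> str:
    """Mint an HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256 over the first two)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"

def authorise(token: str, secret: bytes, required_role: str, now: Optional[int] = None) -> str:
    """Return "ok" when the token is authentic, unexpired and carries required_role; otherwise the refusal reason."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_unb64url(header_b64))
        # Pin the algorithm the server was configured with instead of trusting the token's own alg field.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return "unexpected alg"
        expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):  # constant-time comparison
            return "bad signature"
        payload = json.loads(_unb64url(body_b64))  # claims are only parsed once the signature is verified
    except ValueError:  # covers bad base64, bad JSON and bad UTF-8
        return "malformed"
    if not isinstance(payload, dict):
        return "malformed"
    now = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        return "expired"  # exp is mandatory here; a token without it is treated as expired
    if required_role not in payload.get("authorities", []):
        return f"missing {required_role}"
    return "ok"
```

The `now` parameter exists so the expiry check can be exercised against the fixed exp value from the sample payload; omit it to check against the current time.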