Security features and considerations
While Ontoserver does not ship with its own authentication system, it does implement a role-based access control system and the ability to integrate with an OAuth 2.0-compatible authorisation server.
The authorisation server must be able to issue JSON Web Tokens (JWT). A JWT is a token carrying a payload of claims (such as the user, the granted authorities and an expiry time) that is signed with a shared secret. An application such as Ontoserver can therefore verify the authenticity and integrity of a JWT locally, without having to interrogate the authorisation server on every request.
The payload of a typical JWT used to authenticate with Ontoserver looks like this:

```json
{
  "exp": 1506947837,
  "user_name": "somebody@somewhere.com",
  "authorities": [
    "ROLE_FHIR_READ",
    "ROLE_FHIR_WRITE"
  ],
  "jti": "d27686bd-d439-4368-b5db-16431740ee38",
  "client_id": "ac8fa7a3-cd05-4f7f-095b4dcbe330"
}
```
This JWT grants read/write access to the FHIR API.
The `exp` claim is the expiry time of the token (seconds since the Unix epoch). Attempts to use the token after this time are refused by Ontoserver.
The roles available within Ontoserver are as follows:

| Role | Access granted |
| --- | --- |
| ROLE_FHIR_READ | Read access to the FHIR API |
| ROLE_FHIR_WRITE | Write access to the FHIR API |
| ROLE_API_READ | Read access to the admin API |
| ROLE_API_WRITE | Write access to the admin API |
| ROLE_SYND_READ | Read access to the syndication API |
| ROLE_SYND_WRITE | Write access to the syndication API |
The `jti` claim is a unique identifier for the token. It is generally used to mitigate replay attacks, by letting the resource server reject a token it has already seen.
The `client_id` claim is a unique identifier for the client application. The authorisation server can use it in its own authorisation logic and to enforce the allowed redirect URLs on a per-application basis.