
Primary mentor

Mayank Sharma

Backup mentor

Harsha Kumara, Suranga Kasthurirathne

Assigned to

Sanatt Abrol

Interested People

Pascal Brandt

...

Excerpt

The initial work on the OpenMRS OAuth module was carried out in the Implement the OAuth2 Support for Web Services APIs project during the previous GSoC. The objective of this project is to migrate the existing module to the latest OpenMRS 2.x release and make all of the OAuth2 grant types work. This functionality should be demonstrated with the FHIR module. The new release also opens the door to using higher versions of the Spring Security OAuth2 project with the module, which needs to be explored. Another major goal is to make the FHIR module work with SMART applications, which require authentication based on the OAuth2 authorization code grant type. So the plan is to improve our OAuth module to implement this capability and make the required enhancements.

Note on the current state of the module: The OAuth2 module is currently configured to implement all grant types specified by the OAuth2 protocol. The module utilizes the Spring Security OAuth2 project and runs on OpenMRS 1.11.4 at most, because the underlying APIs it depends on are incompatible with higher OpenMRS versions. We are mid-way through migrating to a fully RESTful interaction between the front-end and back-end (it is easier to make REST calls from JavaScript to fetch back-end data and render it than to implement custom Spring data binders for the data structures the module currently uses). This also falls in line with the OpenMRS 2.x migration objective and is backward compatible with older versions of OpenMRS. To test the module, you can leverage OMODBypassController to register sample clients and generate client credentials while the UI-based client management functionality is being made RESTful.

...

  • Go through the OAuth specification (RFC 6749)[1] and understand OAuth2 and its grant types.
  • Go through the available samples on the web to understand the implementation[2].
  • Go through the documentation and samples of Spring Security and Spring Security OAuth2 projects. Study the Annotation vs XML implementation options
  • Go through and test the current state of OAuth Module and resources in Implement the OAuth2 Support for Web Services APIs
    • Study the data structures for Client, Client Developer.
    • Sketch a rough API specification for the REST endpoints we'd need. Here's the bare minimum (These endpoints must also take care of the permissions of the user making the requests)
      • POST /ws/oauth2/client {Client Registration Endpoint}
      • GET /ws/oauth2/client or  /ws/oauth2/client/{client_id} {List registered clients endpoint. }
      • PUT /ws/oauth2/client {Client Update Endpoint}
      • DELETE /ws/oauth2/client {Client Deletion Endpoint}
      • Issue New Credentials Endpoint; if the client hits the Client Update Endpoint keeping all request parameters (client_id and client_secret) the same, we should be able to issue a new pair of client_id and client_secret!
    • Identify the API methods that need to be called by these controllers. This should be easy to backtrack by studying the controller methods for the JSP files that handle client management.
    • Take a look at how the Spring Security and Spring Security OAuth2 projects are wired up in the module. Here's the xml file
    • Going through the available documentation for the OAuth2 module will be helpful (OpenMRS OAuth2 Module - for Client Developers, OpenMRS OAuth2 Module - for Implementers, OpenMRS OAuth2 Module - for Module Developers). Also check out the resources section of this wiki.
  • Take a look at authentication scheme used by SMART Apps and identify how OAuth2 module can serve as the authentication manager for such apps 
  • Come up with a timeline showing how each week will be used to develop the module and meet the required goals.
  • Create tickets in JIRA for tasks to be completed during GSoC.
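Added example, not code from the OpenMRS OAuth2 module or the Spring Security OAuth2 project: a small in-memory model of the endpoint sketch above (registration, lookup, update, deletion and credential re-issue, each behind a permission check) together with the authorization code grant that the SMART apps bullet refers to. ClientRegistry, AuthorizationServer, the "Manage OAuth2 Clients" privilege name and the sample users are assumptions made for the example; the module's real privilege names and data structures may differ.

```python
# Added example, not code from the OpenMRS OAuth2 module or Spring Security OAuth2:
# an in-memory model of the client-management endpoints sketched above, each guarded
# by a permission check, plus the authorization code grant that SMART apps rely on.
# ClientRegistry, AuthorizationServer and the privilege name are hypothetical.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MANAGE_CLIENTS = "Manage OAuth2 Clients"   # hypothetical OpenMRS privilege
CODE_LIFETIME_SECONDS = 600                # RFC 6749 4.1.2: codes are short-lived

@dataclass
class User:
    username: str
    privileges: set = field(default_factory=set)

@dataclass
class Client:
    client_id: str
    secret_hash: str      # only a hash of client_secret is stored server-side
    redirect_uri: str
    owner: str            # username of the client developer who registered it

def hash_secret(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

class ClientRegistry:
    """Models POST/GET/PUT/DELETE /ws/oauth2/client and credential re-issue."""
    def __init__(self) -> None:
        self._clients: Dict[str, Client] = {}

    def _check_permission(self, user: User, client: Client) -> None:
        # Managers may touch any client; a developer may only touch their own.
        if MANAGE_CLIENTS not in user.privileges and client.owner != user.username:
            raise PermissionError(f"{user.username} may not manage {client.client_id}")

    def _issue(self, redirect_uri: str, owner: str) -> Tuple[str, str]:
        client_id, client_secret = secrets.token_hex(8), secrets.token_urlsafe(32)
        self._clients[client_id] = Client(client_id, hash_secret(client_secret), redirect_uri, owner)
        return client_id, client_secret   # the plaintext secret is returned exactly once

    def register(self, user: User, redirect_uri: str) -> Tuple[str, str]:
        """POST /ws/oauth2/client"""
        return self._issue(redirect_uri, user.username)

    def get(self, client_id: str) -> Optional[Client]:
        """GET /ws/oauth2/client/{client_id}"""
        return self._clients.get(client_id)

    def update(self, user: User, client_id: str, redirect_uri: str) -> None:
        """PUT /ws/oauth2/client"""
        client = self._clients[client_id]
        self._check_permission(user, client)
        client.redirect_uri = redirect_uri

    def delete(self, user: User, client_id: str) -> None:
        """DELETE /ws/oauth2/client"""
        self._check_permission(user, self._clients[client_id])
        del self._clients[client_id]

    def reissue_credentials(self, user: User, client_id: str) -> Tuple[str, str]:
        """Issue New Credentials: the old pair stops working, a fresh pair is returned."""
        old = self._clients[client_id]
        self._check_permission(user, old)
        del self._clients[client_id]
        return self._issue(old.redirect_uri, old.owner)

    def authenticate(self, client_id: str, client_secret: str) -> bool:
        client = self._clients.get(client_id)
        return client is not None and hmac.compare_digest(client.secret_hash, hash_secret(client_secret))

class AuthorizationServer:
    """Authorization code grant (RFC 6749 4.1) for a confidential client."""
    def __init__(self, registry: ClientRegistry) -> None:
        self.registry = registry
        self._codes: Dict[str, tuple] = {}   # code -> (client_id, redirect_uri, owner, issued_at)
        self._tokens: Dict[str, str] = {}    # access_token -> resource owner

    def authorize(self, client_id: str, redirect_uri: str, state: str, owner: str) -> Optional[str]:
        """Authorization endpoint, reached after the resource owner has approved the request."""
        client = self.registry.get(client_id)
        if client is None or client.redirect_uri != redirect_uri:
            return None   # never redirect to an unregistered URI (RFC 6749 3.1.2.4)
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, redirect_uri, owner, time.time())
        return f"{redirect_uri}?code={code}&state={state}"   # state is echoed for the CSRF check

    def token(self, client_id: str, client_secret: str, code: str, redirect_uri: str) -> Optional[dict]:
        """Token endpoint: authenticate the client, then redeem the code exactly once."""
        if not self.registry.authenticate(client_id, client_secret):
            return None
        entry = self._codes.pop(code, None)   # any redemption attempt consumes the code
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            return None
        if time.time() - entry[3] > CODE_LIFETIME_SECONDS:
            return None
        access_token = secrets.token_urlsafe(32)
        self._tokens[access_token] = entry[2]
        return {"access_token": access_token, "token_type": "bearer", "expires_in": 3600}

    def resource_owner(self, access_token: str) -> Optional[str]:
        # What a protected resource (e.g. the FHIR module) asks when it validates a bearer token.
        return self._tokens.get(access_token)
```

Two design choices worth carrying into the real controllers: the registry keeps only a hash of client_secret, so the plaintext leaves the server once at registration and the re-issue endpoint is the only recovery path for a lost secret; and the token endpoint consumes an authorization code on any redemption attempt, so a code that leaked in a redirect cannot be replayed after a failed exchange.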

...

  1. https://tools.ietf.org/html/rfc6749
  2. http://blog.facilelogin.com/2012/08/wso2-oauth-20-playground-with-wso2.html
  3. Implement the OAuth2 Support for Web Services APIs
  4. UI Framework Guide: UI Framework Step By Step Tutorial
  5. http://docs.spring.io/spring-security/site/migrate/current/3-to-4/html5/migrate-3-to-4-xml.html
  6. Type of changes you can anticipate for the migration to Spring 4.x: https://github.com/spring-projects/spring-security-migrate-3-to-4/compare/xml?expand=1
  7. SMART on FHIR
    1. Authorization Guide
    2. Scopes and Launch Context

...