Skip to content
This repository has been archived by the owner on Apr 13, 2023. It is now read-only.

docs: update postman collection and docs to use Id token #399

Merged
merged 3 commits into from
Aug 11, 2021
Merged

docs: update postman collection and docs to use Id token #399

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
d0f7d8e
Revert "docs: Update POSTMAN collection and add Export README instruc…
carvantes Aug 10, 2021
e59fd55
docs: update postman collection and docs to use Id token
carvantes Aug 10, 2021
ce03130
address PR comments
carvantes Aug 11, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/deploy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -133,7 +133,7 @@ jobs:
run: |
ACCESS_TOKEN=$(aws cognito-idp initiate-auth --region us-west-2 --client-id $COGNITO_CLIENT_ID \
--auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME=$COGNITO_USERNAME,PASSWORD=$COGNITO_PASSWORD | \
python -c 'import json,sys;obj=json.load(sys.stdin);print obj["AuthenticationResult"]["AccessToken"]')
python -c 'import json,sys;obj=json.load(sys.stdin);print obj["AuthenticationResult"]["IdToken"]')
bundle exec rake crucible:execute_hearth_tests[$SERVICE_URL,$API_KEY,$ACCESS_TOKEN]
custom-integration-tests:
needs: crucible-test
Expand Down
29 changes: 7 additions & 22 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ The system architecture consists of multiple layers of AWS serverless services.
FHIR Works on AWS is powered by single-function components. These functions provide you the flexibility to plug your own implementations, if needed. The components used in this deployment are:
+ [Interface](https://github.com/awslabs/fhir-works-on-aws-interface) - Defines communication between the components.
+ [Routing](https://github.com/awslabs/fhir-works-on-aws-routing) - Accepts HTTP FHIR requests, routes it to the other components, logs the errors, transforms output to HTTP responses and generates the [Capability Statement](https://www.hl7.org/fhir/capabilitystatement.html).
+ [Authorization](https://github.com/awslabs/fhir-works-on-aws-authz-rbac) - Accepts the access token found in HTTP header and the action the request is trying to perform. It then determines if that action is permitted.
+ [Authorization](https://github.com/awslabs/fhir-works-on-aws-authz-rbac) - Accepts the ID token found in HTTP header and the action the request is trying to perform. It then determines if that action is permitted.
+ [Persistence](https://github.com/awslabs/fhir-works-on-aws-persistence-ddb) - Contains the business logic for creating, reading, updating, and deleting the FHIR record from the database. FHIR also supports ‘conditional’ CRUD actions and patching.
+ Bundle - Supports multiple incoming requests as one request. Think of someone wanting to create five patients at once instead of five individual function calls. There are two types of bundles, batch and transaction. We currently only support transaction bundles.
+ [Search](https://github.com/awslabs/fhir-works-on-aws-search-es) - Enables system-wide searching (/?name=bob) and type searching (/Patient/?name=bob).
Expand Down Expand Up @@ -101,23 +101,17 @@ Set up the following three environment variables:

For instructions on importing the environment JSON, click [here](https://thinkster.io/tutorials/testing-backend-apis-with-postman/managing-environments-in-postman).

The `COGNITO_AUTH_TOKEN` required for each of these files can be obtained by following the instructions under [Authorizing a user](#authorizing-a-user).

The following variables required in the Postman collection can be found in `Info_Output.yml` or by running `serverless info --verbose`:
+ API_URL: from Service Information:endpoints: ANY
+ API_KEY: from Service Information: api keys: developer-key
+ CLIENT_ID: from Stack Outputs: UserPoolAppClientId
+ AUTH_URL: https://<CLIENT_ID>.auth.\<REGION\>.amazoncognito.com/oauth2/authorize

**Note:** You can also query Cognito openid "well-known" url to get the AUTH_URL
```
https://cognito-idp.[REGION].amazonaws.com/[from Stack Outputs: UserPoolId]/.well-known/openid-configuration
```


To find what FHIR Server supports, use the `GET Metadata` Postman request to retrieve the [Capability Statement](https://www.hl7.org/fhir/capabilitystatement.html)

**Authorizing a user**

FHIR Works on AWS uses Role-Based Access Control (RBAC) to determine what operations and what resource types a user can access. The default rule set can be found in [RBACRules.ts](https://github.com/awslabs/fhir-works-on-aws-deployment/blob/mainline/src/RBACRules.ts). To access the API, you must use the OAuth access token. This access token must include scopes of either `openid`, `profile` or `aws.cognito.signin.user.admin`.
FHIR Works on AWS uses Role-Based Access Control (RBAC) to determine what operations and what resource types a user can access. The default rule set can be found in [RBACRules.ts](https://github.com/awslabs/fhir-works-on-aws-deployment/blob/mainline/src/RBACRules.ts). To access the API, you must use the ID token. This ID token must include scopes of either `openid`, `profile` or `aws.cognito.signin.user.admin`.

Using either of these scopes provide information about users and their group. It helps determine what resources/records they can access.

Expand All @@ -127,18 +121,9 @@ Using either of these scopes provide information about users and their group. It

For more information, click [here](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html).

**Retrieving access token via postman using the openid profile**

To access the FHIR API, an access token is required. This can be obtained by following these steps within Postman:

1. Open Postman and choose the operation (for example, `GET Patient`).
2. In the **Authorization** tab, choose **Get New Access Token**.
3. A sign in page appears. Enter the username and password (if you don't know it look at the [init-auth.py](https://github.com/awslabs/fhir-works-on-aws-deployment/blob/mainline/scripts%5Cinit-auth.py) script).
4. After signing in, the access token is set and you have the access for approximately one hour.

**Retrieving an access token using aws.cognito.signin.user.admin**
**Retrieving an ID token using aws.cognito.signin.user.admin**

A Cognito OAuth access token can be obtained using the following command substituting all variables with their values from `INFO_OUTPUT.yml` or by using the `serverless info --verbose` command.
To access the FHIR API, an ID token is required. A Cognito ID token can be obtained using the following command substituting all variables with their values from `INFO_OUTPUT.yml` or by using the `serverless info --verbose` command.
+ For Windows, enter:
```sh
scripts/init-auth.py <CLIENT_ID> <REGION>
Expand All @@ -147,7 +132,7 @@ scripts/init-auth.py <CLIENT_ID> <REGION>
```sh
python3 scripts/init-auth.py <CLIENT_ID> <REGION>
```
The return value is an access token that can be used to hit the FHIR API without accessing the Oauth Sign In page. In Postman, instead of clicking the Get New Access Token button, you can paste the `ACCESS_TOKEN` value into the **Available Tokens** field.
The return value is the `COGNITO_AUTH_TOKEN` (found in the postman collection) to be used for access to the FHIR APIs.

### Accessing binary resources

Expand Down
Loading