sidebar_position | tags | |
---|---|---|
7 |
|
import ExampleCode from '!!raw-loader!@site/../examples/src/auth/external-identity-providers.ts'; import MedplumCodeBlock from '@site/src/components/MedplumCodeBlock';
Medplum supports external identity providers such as Auth0 and AWS Cognito for end user authentication. This is sometimes known as "Federated Identities".
When an end user authenticates with your client-side web application, we will use the following authentication flow:
Medplum provides a minimal example application which demonstrates using Auth0 as an external identity provider. The example is approximately 100 lines of TypeScript code, and can be used as a starting point for any standard OAuth2/OpenID identity provider.
Setup your external authentication provider (Auth0, AWS Cognito, Okta, etc). Use "https://api.medplum.com/auth/external" as the "redirect URI" (also known as the "callback URL" in some systems).
Also make sure that your provider accepts the profile
OIDC scope.
Note the following details:
- Authorize URL
- Token URL
- UserInfo URL
- Client ID
- Client secret
Setup your Medplum account:
- Register for a Medplum account
- Create a
ClientApplication
- Set the "Redirect URI" to "http://localhost:8000/"
- Add an external identity provider with the details from above
The MedplumClient TypeScript class provides a signInWithExternalAuth
convenience method:
When the external identity provider flow redirects back to your web application, it will include a code
query parameter. This code can be exchanged for a Medplum access token.
The MedplumClient TypeScript class provides a processCode
convenience method:
After the code is processed, the Medplum access token will be stored in the browser's local storage. The MedplumClient
will automatically use the access token for all subsequent API calls.
- (If using the Cognito's hosted UI) Set the "redirect uri" by navigating to: Amazon Cognito > User Pools > [Your pool] > [Your App Client] > Edit Hosted UI > Allowed callback URLs
- By default, Cognito does not include the
profile
scope. You can add this navigating to: Amazon Cognito > User Pools > [Your pool] > [Your App Client] > Edit Hosted UI > OpenID Connect Scopes - To disable PKCE for Cognito login, do the following:
- In your client application, pass in
false
for thepkceEnabled
parameter ofsignInWithExternalAuth
.
medplum.signInWithExternalAuth( EXTERNAL_AUTHORIZE_URL, EXTERNAL_CLIENT_ID, EXTERNAL_REDIRECT_URI, { projectId: MEDPLUM_PROJECT_ID, clientId: MEDPLUM_CLIENT_ID, redirectUri: WEB_APP_REDIRECT_URI, }, false, ),
- In the Medplum App, navigate to your ClientApplication > Edit and set "PKCE Optional" to
true
- In your client application, pass in