
Authentication

OpenFHIR provides built-in support for securing its RESTful APIs with Keycloak as the OAuth2 identity provider. OpenFHIR runs as a Spring Security OAuth2 resource server: it validates the JWT access tokens Keycloak issues and decides access to each API from the scopes carried in the token, which gives fine-grained, per-API access control.

Enabling Authentication with Keycloak

To protect your OpenFHIR instance with Keycloak, set the protected flag in your configuration and provide the standard Spring Security OAuth2 resource-server settings.

Configuration

Add the following configuration to your application.yml or application.properties. The issuer-uri must match the iss claim of the tokens Keycloak issues exactly (for Keycloak that is the realm URL), and jwk-set-uri is where OpenFHIR fetches the signing keys used to verify token signatures. The plain http:// URLs below are only an example: in any real deployment point both at the HTTPS address of the realm, otherwise an attacker on the path between OpenFHIR and Keycloak could substitute the key set.

protected: true

spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          issuer-uri: http://keycloak/realms/open-fhir
          jwk-set-uri: http://keycloak/realms/open-fhir/protocol/openid-connect/certs

Alternatively, if using application.properties:

protected=true

spring.security.oauth2.resourceserver.jwt.issuer-uri=http://keycloak/realms/open-fhir
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=http://keycloak/realms/open-fhir/protocol/openid-connect/certs

How it works

  • Protected Mode: When protected: true, OpenFHIR enforces authentication for all API requests; requests without a valid token are rejected.

  • JWT-Based Authentication: OpenFHIR validates the signature of each JWT against the Keycloak JWK set, checks that the issuer matches the configured issuer-uri and that the token has not expired, and then checks that the token carries the scope required for the requested API (see Scopes below). Only tokens that pass all of these checks grant access.

  • Authorization Headers: Clients must send the access token as a Bearer token in the Authorization header of every API request, i.e. Authorization: Bearer <access token>.

Scopes

The scope a request needs depends on the API it targets. For the (c,r,u,d) families one scope exists per operation: (c)reate, (r)ead, (u)pdate and (d)elete, so fc.c allows a create on the FHIR Connect APIs, fc.r a read, and so on.

| Scope                 | Description                                                                 | Protected API                         |
|-----------------------|-----------------------------------------------------------------------------|---------------------------------------|
| fc.(c,r,u,d)          | FHIR Connect APIs used for state configuration, protected with c/r/u/d scopes | /fc/model, /fc/context                |
| opt.(c,r,u,d)         | API through which an operational template is created, protected with c/r/u/d scopes | /opt                                  |
| openfhir.map          | Grants access to the mapping API                                            | /openfhir/tofhir, /openfhir/toopenehr |
| conceptmap.(c,r,u,d)  | Grants access to /fhir/ConceptMap, protected with c/r/u/d scopes            | /terminology/fhir/ConceptMap          |
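The following is an added example, not code from OpenFHIR or its documentation. It reproduces offline the decision described under "How it works" and in the scope table: verify the token's signature, issuer and expiry, map the request (HTTP method plus path) to the scope it needs, and check that scope against the token's scope claim. Assumptions: the token is signed with HS256 and a shared key so the example runs without Keycloak (Keycloak signs with RS256 and OpenFHIR verifies against the JWK set at jwk-set-uri); HTTP methods map to the c/r/u/d letters as POST, GET, PUT/PATCH, DELETE; Keycloak's scope claim is a space-separated string (it is); paths not in the table are denied by default in this example, which is this example's own choice and not something the page states. The sample token, key and timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time

# Must equal spring.security.oauth2.resourceserver.jwt.issuer-uri byte-for-byte.
ISSUER = "http://keycloak/realms/open-fhir"

# Assumed mapping of HTTP method -> (c)reate/(r)ead/(u)pdate/(d)elete scope letter.
METHOD_TO_CRUD = {"POST": "c", "GET": "r", "PUT": "u", "PATCH": "u", "DELETE": "d"}

# Path prefix -> scope template, taken from the scope table on this page.
# "{crud}" is replaced with the letter for the request method.
SCOPE_RULES = [
    ("/fc/model", "fc.{crud}"),
    ("/fc/context", "fc.{crud}"),
    ("/opt", "opt.{crud}"),
    ("/openfhir/tofhir", "openfhir.map"),
    ("/openfhir/toopenehr", "openfhir.map"),
    ("/terminology/fhir/ConceptMap", "conceptmap.{crud}"),
]


def required_scope(method, path):
    """Scope a request needs, or None if the path has no rule or the method has no CRUD letter."""
    for prefix, template in SCOPE_RULES:
        if path == prefix or path.startswith(prefix + "/"):
            if "{crud}" not in template:
                return template
            crud = METHOD_TO_CRUD.get(method.upper())
            return template.format(crud=crud) if crud else None
    return None


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, key, alg="HS256"):
    """Build a JWT. HS256 with a shared key is used only so the example runs offline;
    the 'alg' parameter exists so the test can show that an unexpected alg is rejected."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token, key, now=None):
    """Check alg, signature, issuer and expiry; return the claims or raise ValueError.
    These are the checks the resource server performs (there with the JWKS key)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # pin the algorithm: never honour 'none' or a surprise alg
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != ISSUER:
        raise ValueError(f"issuer mismatch {claims.get('iss')!r}")
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


def authorize(token, key, method, path, now=None):
    """Decide like the protected resource server would: returns (allowed, reason)."""
    try:
        claims = verify_token(token, key, now)
    except ValueError as exc:
        return False, f"401 {exc}"
    needed = required_scope(method, path)
    if needed is None:  # example's own default: no rule means no access
        return False, f"403 no scope rule for {method} {path}"
    granted = set(claims.get("scope", "").split())  # Keycloak: space-separated scope claim
    if needed not in granted:
        return False, f"403 missing scope {needed}"
    return True, f"200 scope {needed}"


# Constructed sample: a five-minute token for a client allowed to read FHIR Connect
# state and call the mapping API, but not to write anything.
SAMPLE_KEY = b"example-shared-secret-not-for-production"
SAMPLE_NOW = 1_700_000_000
SAMPLE_TOKEN = mint_token(
    {"iss": ISSUER, "sub": "svc-mapper", "scope": "fc.r openfhir.map",
     "iat": SAMPLE_NOW, "exp": SAMPLE_NOW + 300},
    SAMPLE_KEY,
)

if __name__ == "__main__":
    for m, p in [("GET", "/fc/model"), ("POST", "/fc/model"),
                 ("POST", "/openfhir/tofhir"), ("GET", "/opt/abc")]:
        print(m, p, authorize(SAMPLE_TOKEN, SAMPLE_KEY, m, p, now=SAMPLE_NOW))
```

The order of checks matters: a token that fails signature, issuer or expiry is rejected with 401 before any scope lookup, so a forged or expired token never reaches the scope table, and a valid token without the right scope gets 403. Pinning the algorithm before verifying the signature is what defeats "alg: none" and algorithm-confusion tokens; when debugging a 401 or 403 from a real deployment, compare the token's iss claim with issuer-uri and its scope claim with the table above first.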