Introduction
This document describes the process of endpoint authentication for our API using OpenHIM (Open Health Information Mediator). OpenHIM is an open-source health mediation platform that facilitates the integration of health systems by managing transactions and routing messages between heterogeneous systems.
Our services do not implement a separate authentication layer, as we rely on the authentication functionality provided by OpenHIM. OpenHIM acts as an intermediary that manages authentication and authorization for clients accessing our services, allowing us to focus on developing our core functionality without having to implement and manage authentication at the application level.
Endpoint Authentication
The endpoints of our API require authentication to access protected resources. We use OpenHIM as a mediation platform to manage user and client authentication and authorization when accessing our services.
Authentication Flow
The authentication flow of our endpoints using OpenHIM is as follows:
Access Request: The client sends an access request to a protected resource through an endpoint of our API.
Intermediation with OpenHIM: The access request is intercepted by OpenHIM, which acts as an intermediary between the client and our API.
Authentication: OpenHIM verifies the client's credentials and authorizes or denies access to the requested resource based on client roles.
Resource Access: If the credentials are valid and the client has an appropriate role, OpenHIM forwards (proxies) the request to the corresponding endpoint of our API, allowing the client to access the requested resource. Otherwise the request is rejected at OpenHIM and never reaches our API.
Supported Authentication Types
Our API supports the following types of authentication through OpenHIM:
Basic Authentication: the standard HTTP Basic scheme, in which the client sends its credentials (username and password, joined with a colon and base64-encoded) in the Authorization request header.
Usage Examples
Below are examples of how to authenticate requests to our endpoints using OpenHIM:
Basic Authentication
```bash
curl -X GET http://openhim-dev.psi-mis.org:5001/fhir \
  -H 'Authorization: Basic <base64(username:password)>'
```

Replace `<base64(username:password)>` with the base64 encoding of the string `username:password`; alternatively, `curl -u username:password` builds the same header for you.
Role-Based Access Control
We utilize role-based access control (RBAC) in OpenHIM to assign specific permissions to clients based on their roles. This allows us to control access to resources and actions within our API.
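To make the authentication flow and the role check above concrete, here is an added illustration (not OpenHIM's own code) of the decision OpenHIM makes for each request: build the Basic header a client sends, verify the credentials against a client registry, and allow or deny based on the roles the channel accepts. The client names, roles, channel paths, salt and password hashing scheme below are constructed for this example.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed client registry. Passwords are stored as salted hashes rather than
# plaintext; the salt/hash scheme here is illustrative, not OpenHIM's exact format.
def _hash_password(password: str, salt: str) -> str:
    return hashlib.sha512((salt + password).encode()).hexdigest()

_SALT = "constructed-salt"
CLIENTS = {
    "lab-system": {"roles": {"fhir-read"}, "salt": _SALT,
                   "passwordHash": _hash_password("lab-secret", _SALT)},
}

# Constructed channel definitions: which client roles may reach which path (RBAC).
CHANNELS = {
    "/fhir": {"allow": {"fhir-read", "fhir-write"}},
    "/admin": {"allow": {"admin"}},
}

def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header value the curl example sends."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"

def authorize(path: str, authorization: Optional[str]) -> int:
    """Mirror the mediator's decision: 401 = bad/missing credentials,
    403 = authenticated but role not allowed on the channel, 200 = forwarded."""
    if not authorization or not authorization.startswith("Basic "):
        return 401
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return 401
    username, _, password = decoded.partition(":")
    client = CLIENTS.get(username)
    if client is None:
        return 401
    # Constant-time comparison so timing does not leak how close a guess was.
    if not hmac.compare_digest(_hash_password(password, client["salt"]),
                               client["passwordHash"]):
        return 401
    channel = CHANNELS.get(path)
    # Unknown channels are treated as denied; known ones require a shared role.
    if channel is None or not (client["roles"] & channel["allow"]):
        return 403
    return 200
```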
Client and Password.
To obtain a username and password to access the API for a project, you will need to request them from the administrators of the OpenHIM service.
OPENHIM - Client.
For more information, see the official documentation pages: Clients | OpenHIM and Authentication | OpenHIM.
OPENHIM - User.
In OpenHIM, the concept of "Users" refers to the entities that manage data transactions between healthcare systems. These users have access to the OpenHIM Console, where they can monitor, manage, and authorize data transactions between different healthcare systems.
The "Services" in OpenHIM are the applications or healthcare systems that integrate with the OpenHIM to exchange data. "Channels," on the other hand, are the specific connections between two services through the OpenHIM, allowing data exchange between them.
It's important to distinguish between "Users" and "Clients" in OpenHIM. "Users" are the individuals who use the OpenHIM to manage transactions and monitor data exchange, while "Clients" are the healthcare systems or applications that integrate with the OpenHIM to exchange data with other systems.
Additionally, OpenHIM manages roles for users, meaning that different levels of permissions and access to functions within the OpenHIM Console can be assigned based on the responsibilities and authorizations of each user in the system. This helps efficiently manage who has access to what functionalities and data within the system.
For more information, see the official documentation page: Users | OpenHIM.