Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents
Purpose & Requirements

...


Client_typePurposeaccess_type

Auth_FE

Auth frontEndDIRECT
MSPMedical service providerBROKER
MISMedical information systemDIRECT
NHS_AdminAdmin console of the NHSDIRECT
MITHRIL ADMINAdmin console of the Mithril itselfDIRECT
PHARMACYPharmacyBROKER
UADDRESSES ADMINAdmin of UA adressesDIRECT


Send & Get API-key

Some clients (which `access_type` = BROKER) must be send (mandatory) API-key as a attribute `API-key` in HEADER all request.

Example:

Code Block
curl --include \
     --request POST \
     --header "Content-Type: application/json" \
     --header "Authorization: Bearer mF_9.B5f-4.1JqM" \
     --header "API-key: d09vQUFlWTZ6Q0RXRDJISldUOVQ3dz09" \
     --data-binary "{
  \"medication_request_request\": { 
....


Manage MIS broker scope 

For some clients (client_type = MIS) which provide transfer for call API - we need mandatory validate possibility access to API endpoints.

Proposed use new attribute `broker_scopes` in JSON object in column `client.priv_settings`.

If attribute `broker_scopes` not exist in `client.priv_settings` - we don`t need validate access over broker!

Client_typePurposevalidate_broker_scopes

Auth_FE

Auth frontEnd
MSPMedical service provider
MISMedical information system"broker_scopes": "legal_entity:read declaration:read employee:read"
NHS_AdminAdmin console of the NHS
MITHRIL ADMINAdmin console of the Mithril itself
PHARMACYPharmacy
UADDRESSES ADMINAdmin of UA adresses

 

For clients (client_type = MIS) on which we will check access for call API endpoint - we need describe the list `broker_scopes`. 
Proposed manage & store list  `broker_scopes` in attribute `priv_settings` in table `clients`. 

Example:

Code Block
languagejs
{
  "allowed_grant_types": [
    	"password",
    	"access_token"
  ],
  "access_type": "direct",
  "broker_scopes": 
  		"legal_entity:read
		 declaration:read
		 employee:read"
}

In case of need complex disconnect MIS for transfer of call API endpoints - we need full clear him `broker_scopes`.
Clear, but not delete!

Validate MIS transfer scope

When MSP call specific API endpoint over (transfer) MIS we need validate possibility to access.

  1. Get `client_id` from `token`
  2. Read `clients` for `client_id`.   (further in the text - `REQUEST_CLIENT`)Read 
  3. Extract `access_type` from `priv_settings`. 
  4. If `access_type` = `BROKER
    1. Read   `API-key` from HEADER
    2. Validate  `API-key`.
      1. Validate exists `secret` in table `clients`
        1. if invalid - return error  "Not found API-key!" (!!! text error - TBD)
      2. Read
    `client_types` for REQUEST_CLIENTValidate Read `
      1. `
    access_over_broker`=TRUE 
    1. If invalid - break validation.
      1. clients` with `secret`(API-key) in header.  (further in the text - `BROKER_CLIENT`)
    Read
      1. Extract `
    client_types` for this BROKER_CLIENT
      1. access_type` from `priv_settings`
        Validate
            1. If `
        validate
            1. access_
        broker_scopes
            1. type` =
        TRUE if invalid
            1. `BROKER- return error  "Incorrect API-key!" (!!! text error - TBD)
        Get
          1. Extract `broker_scopes`
        from 
          1. from `priv_settings`
        in table `clients` for `BROKER_CLIENT`
          1.  . 
            1. if not found `broker_scopes` - - return error  "Incorrect broker settings!" (!!! text error - TBD)
          2. Read needed scopes for call API Endpoint (read from GateWay configuration - "/gateway-config.yaml")
          3. Validate exist
        all
          1. needed scopes in `broker_scopes` of `BROKER_CLIENT`.
            1. if invalid - return error "Conflict !" (!!! text error - TBD)
      2. If `access_type` = `DIRECT
        1. break validation.


      Configuration examples 

      Commentsclients.priv_settings
      MSP{ "allowed_grant_types": [ "password", "access_token" ], "access_type": "broker" }
      Normal MIS{ "allowed_grant_types": [ "password", "access_token" ], "access_type": "direct", "broker_scopes": "legal_entity:read declaration:read employee:read" }
      Blocked MIS{ "allowed_grant_types": [ "password", "access_token" ], "access_type": "direct", "broker_scopes": "" }
      Incorrect MIS{ "allowed_grant_types": [ "password", "access_token" ], "access_type": "direct" }
      Incorrect MIS 2{ "allowed_grant_types": [ "password", "access_token" ], "access_type": "broker", "broker_scopes": "legal_entity:read declaration:read employee:read" }