...
For some clients (client_type = MSP, PHARMASY, ..) we need require mandatory access only transfer across MIS (MIS is a broker).
Proposed use new column attribute `access_over_brokertype` (boolean) in table `client_typeswith values (`DIRECT`, `BROKER`) in JSON object in column `client.priv_settings` for mark such clients.
We extract client _access type from token, analyze `access_over_brokertype` = TRUE BROKER, and require brokerbrokers (not own) API-key in WS request.
| Client_type | Purpose | access_over_brokertype |
|---|---|---|
Auth_FE | Auth frontEnd | DIRECT |
| MSP | Medical service provider | TRUEBROKER |
| MIS | Medical information system | DIRECT |
| NHS_Admin | Admin console of the NHS | DIRECT |
| MITHRIL ADMIN | Admin console of the Mithril itself | DIRECT |
| PHARMACY | Pharmacy | TRUEBROKER |
| UADDRESSES ADMIN | Admin of UA adresses | DIRECT |
Send & Get API-key
All Some clients (all client_typeswhich `access_type` = BROKER) must be send (mandatory) API-key as a attribute `API-key` in HEADER all request.
Example:
| Code Block |
|---|
curl --include \
--request POST \
--header "Content-Type: application/json" \
--header "Authorization: Bearer mF_9.B5f-4.1JqM" \
--header "API-key: d09vQUFlWTZ6Q0RXRDJISldUOVQ3dz09" \
--data-binary "{
\"medication_request_request\": {
.... |
Manage MIS
transferbroker scope
For some clients (client_type = MIS) which provide transfer for call API - we need mandatory validate possibility access to API endpoints.
Proposed use new column attribute `validate_broker_scopes` (boolean) in table in JSON object in column `client.priv_typessettings`.
If attribute `broker_scopes` not exist in `client.priv_settings` - we don`t need validate access over broker!
| Client_type | Purpose | validate_broker_scopes |
|---|---|---|
Auth_FE | Auth frontEnd | |
| MSP | Medical service provider | |
| MIS | Medical information system | TRUE"broker_scopes": "legal_entity:read declaration:read employee:read" |
| NHS_Admin | Admin console of the NHS | |
| MITHRIL ADMIN | Admin console of the Mithril itself | |
| PHARMACY | Pharmacy | |
| UADDRESSES ADMIN | Admin of UA adresses |
For clients (client_type = MIS) on which we will check access for call API endpoint - we need describe the list `broker_scopes`.
Proposed manage & store list `broker_scopes` in attribute `settings` in table `clients`.
Example:
| Code Block | ||
|---|---|---|
| ||
{
"allowed_grant_types": [
"password",
"access_token"
],
"access_type": "direct",
"broker_scopes":
"legal_entity:read
declaration:read
employee:read"
} |
In case of need complex disconnect MIS for transfer of call API endpoints - we need full clear him `broker_scopes`.
Clear, but not delete!
Validate MIS transfer scope
When MSP call specific API endpoint over (transfer) MIS we need validate possibility to access.
- Get `client_id` from `token`
- Read `clients` for `client_id`. (further in the text - `REQUEST_CLIENT`)
- Read `API-key` from `API-key`from HEADER
- Validate `API-key`.
- Validate exists `secret` in table `clients`
- if invalid - return error "Not found API-key!" (!!! TBD)
- Read `client_types` for REQUEST_CLIENT. Validate `access_over_broker`=TRUE
- If invalid - break validation.
- Read `clients` with `secret`(API-key) in header. (further in the text - `BROKER_CLIENT`)
Read `client_types` for this BROKER_CLIENT.
Validate `validate_broker_scopes`=TRUE- if invalid - return error "Incorrect API-key!" (!!! TBD)
- Validate exists `secret` in table `clients`
- Get `broker_scopes` from `settings` in table `clients` for `BROKER_CLIENT`
- Read needed scopes for call API Endpoint (read from GateWay configuration)
- Validate exist all needed scopes in `broker_scopes` of `BROKER_CLIENT`.
- if invalid - return error "Conflict !" (!!! TBD)