Purpose & Requirements

...

For some clients (client_type = MSP, PHARMACY, ...) we require that access is only possible by transfer across an MIS (the MIS acts as a broker).
Proposed: a new attribute `access_type` with the values `DIRECT` and `BROKER` in the JSON object in column `client.priv_settings`, used to mark such clients (this replaces the earlier proposal of a boolean column `access_over_broker` in table `client_types`).

We extract the client's `access_type` from the token, check whether it equals `BROKER`, and if so require the broker's (not the client's own) API-key in the WS request.


client_type        Purpose                               access_type
Auth_FE            Auth frontEnd                         DIRECT
MSP                Medical service provider              BROKER
MIS                Medical information system            DIRECT
NHS_Admin          Admin console of the NHS              DIRECT
MITHRIL ADMIN      Admin console of the Mithril itself   DIRECT
PHARMACY           Pharmacy                              BROKER
UADDRESSES ADMIN   Admin of UA addresses                 DIRECT

(Earlier draft: boolean `access_over_broker` = TRUE in `client_types` for MSP and PHARMACY; the `access_type` values above supersede it.)


Info

When creating a new client, the object `client.priv_settings` must be validated: the attribute `access_type` is mandatory, and its value must match the mapping (client_type :: access_type) in the table above.


Send & Get API-key

Some clients (all client_types whose `access_type` = `BROKER`) must send the API-key (mandatory) as the attribute `API-key` in the HEADER of every request.

Example:

Code Block
# Authorization carries the calling client's (e.g. MSP's) token; API-key carries the broker's (MIS's) secret.
curl --include \
     --request POST \
     --header "Content-Type: application/json" \
     --header "Authorization: Bearer mF_9.B5f-4.1JqM" \
     --header "API-key: d09vQUFlWTZ6Q0RXRDJISldUOVQ3dz09" \
     --data-binary "{
  \"medication_request_request\": {
    ....
  }
}"


Manage MIS transfer broker scopes

For some clients (client_type = MIS) which provide transfer of API calls, we must validate whether access to the API endpoints is possible.

Proposed: store the list `broker_scopes` in the JSON object in column `client.priv_settings` (this replaces the earlier proposal of a boolean column `validate_broker_scopes` in table `client_types`).

If the attribute `broker_scopes` does not exist in `client.priv_settings`, we do not need to validate access over the broker!

client_type        Purpose                               client.priv_settings
Auth_FE            Auth frontEnd                         -
MSP                Medical service provider              -
MIS                Medical information system            "broker_scopes": "legal_entity:read declaration:read employee:read"
NHS_Admin          Admin console of the NHS              -
MITHRIL ADMIN      Admin console of the Mithril itself   -
PHARMACY           Pharmacy                              -
UADDRESSES ADMIN   Admin of UA addresses                 -

(Earlier draft: boolean `validate_broker_scopes` = TRUE in `client_types` for MIS; the presence of `broker_scopes` in `priv_settings` supersedes it.)

 



For clients (client_type = MIS) for which we check access to API endpoints, we need to describe the list `broker_scopes`.
Proposed: manage and store the list `broker_scopes` in attribute `priv_settings` in table `clients`.

Example:

Code Block (json)
{
  "allowed_grant_types": [
    "password",
    "access_token"
  ],
  "access_type": "direct",
  "broker_scopes": "legal_entity:read declaration:read employee:read"
}

Note: `broker_scopes` is a single string of space-separated scopes, not a JSON array.

If an MIS must be completely disconnected from transferring API calls, its `broker_scopes` must be fully cleared (set to an empty string).
Clear, but do not delete! (A missing attribute means "not a broker"; an empty one means "broker with no allowed scopes".)

Validate MIS transfer scope

When an MSP calls a specific API endpoint over (through) an MIS, we must validate that the access is allowed.

  1. Get `client_id` from the `token`.
  2. Read `clients` for `client_id` (further in the text: `REQUEST_CLIENT`).
  3. Extract `access_type` from `priv_settings` of `REQUEST_CLIENT`.
  4. If `access_type` = `BROKER`:
    1. Read `API-key` from the HEADER.
      1. If `API-key` is missing, return 401 error "API-KEY header required !".
    2. Validate `API-key`.
      1. Validate that a `secret` equal to the `API-key` exists in table `clients`.
        1. If invalid, return 401 error "Not found API-key" (!!! TBD; the draft also shows "API-KEY header required !" for this case, the final message is not decided).
    3. Read `clients` with `secret` = `API-key` from the header (further in the text: `BROKER_CLIENT`).
    4. Extract `broker_scopes` from `priv_settings` of `BROKER_CLIENT`.
      1. If not found, return 401 error "Incorrect broker settings!" (!!! TBD).
    (Earlier draft, superseded by the `priv_settings` attributes: read `client_types` for `REQUEST_CLIENT` and validate `access_over_broker` = TRUE, break validation if invalid; read `client_types` for `BROKER_CLIENT` and validate `validate_broker_scopes` = TRUE, return 401 error "Incorrect API-key" if invalid.)
  5. Get `broker_scopes` from `priv_settings` in table `clients` for `BROKER_CLIENT`.
    1. Read the scopes needed to call the API endpoint (read from the GateWay configuration, "/gateway-config.yaml").
    2. Validate that all needed scopes exist in `broker_scopes` of `BROKER_CLIENT`.
      1. If invalid, return 403 error "Scope is not allowed by broker" (!!! TBD; an earlier draft used "Conflict !").
  6. If `access_type` = `DIRECT`:
    1. Break validation (no broker check is performed).


Configuration examples

Comments            clients.priv_settings
MSP                 { "allowed_grant_types": [ "password", "access_token" ], "access_type": "broker" }
Incorrect MSP       { "allowed_grant_types": [ "password", "access_token" ], "access_type": "direct" }
Normal MIS          { "allowed_grant_types": [ "password", "access_token" ], "access_type": "direct", "broker_scopes": "legal_entity:read declaration:read employee:read" }
Fully blocked MIS   { "allowed_grant_types": [ "password", "access_token" ], "access_type": "direct", "broker_scopes": "" }
Non-broker MIS      { "allowed_grant_types": [ "password", "access_token" ], "access_type": "direct" }
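The following is an added worked example, not Mithril's own code: it implements the "Validate MIS transfer scope" procedure (steps 1 to 6) and runs it over the five configuration examples above, so the different outcomes (normal MIS, fully blocked MIS, non-broker MIS, missing or unknown API-key, direct client) can be compared side by side. Everything beyond the page is an assumption and marked as such in the code: the `clients` rows are constructed in an in-memory dict keyed by client_id with made-up secrets, the `/gateway-config.yaml` content is replaced by a small dict with invented scope names, `access_type` is compared case-insensitively because the page writes both `BROKER` and `broker`, and the API-key is matched against `clients.secret` with a constant-time compare.

```python
"""Added example (not Mithril code): broker-transfer check from "Validate MIS transfer scope"."""
import hmac

# Constructed rows of table `clients`, keyed by client_id, built from the
# configuration examples above; the secrets are made-up sample values.
GRANTS = ["password", "access_token"]
CLIENTS = {
    "msp": {"secret": "msp-secret",
            "priv_settings": {"allowed_grant_types": GRANTS, "access_type": "broker"}},
    "incorrect-msp": {"secret": "msp2-secret",
                      "priv_settings": {"allowed_grant_types": GRANTS, "access_type": "direct"}},
    "normal-mis": {"secret": "mis-normal-key",
                   "priv_settings": {"allowed_grant_types": GRANTS, "access_type": "direct",
                                     "broker_scopes": "legal_entity:read declaration:read employee:read"}},
    "blocked-mis": {"secret": "mis-blocked-key",
                    "priv_settings": {"allowed_grant_types": GRANTS, "access_type": "direct",
                                      "broker_scopes": ""}},
    "nonbroker-mis": {"secret": "mis-nonbroker-key",
                      "priv_settings": {"allowed_grant_types": GRANTS, "access_type": "direct"}},
}

# Constructed stand-in for /gateway-config.yaml: endpoint -> scopes it needs.
# The scope names are assumptions, not taken from the real gateway config.
GATEWAY_SCOPES = {
    "GET /api/declarations": {"declaration:read"},
    "GET /api/employees": {"employee:read", "legal_entity:read"},
    "POST /api/medication_request_requests": {"medication_request:write"},
}


class AuthError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status
        self.message = message


def find_client_by_secret(api_key):
    """Steps 4.2-4.3: the client whose `secret` equals the API-key, or None.
    A real store would index the secret; the constant-time compare is an
    assumption added so the lookup does not leak key bytes by timing."""
    key = api_key.encode()
    for row in CLIENTS.values():
        if hmac.compare_digest(row["secret"].encode(), key):
            return row
    return None


def validate_broker_transfer(token_client_id, headers, endpoint):
    """Steps 1-6 of the page. Returns 'direct' or 'broker'; raises AuthError."""
    request_client = CLIENTS.get(token_client_id)               # steps 1-2: REQUEST_CLIENT
    if request_client is None:
        raise AuthError(401, "Unknown client")                   # assumption: case not on the page
    settings = request_client["priv_settings"]
    access_type = str(settings.get("access_type", "")).lower()  # step 3 (page mixes BROKER/broker)
    if access_type == "direct":                                  # step 6: break validation
        return "direct"
    if access_type != "broker":
        raise AuthError(401, "Incorrect access_type")            # assumption: case not on the page

    hdrs = {k.lower(): v for k, v in headers.items()}            # HTTP header names are case-insensitive
    api_key = hdrs.get("api-key")                                # step 4.1
    if not api_key:
        raise AuthError(401, "API-KEY header required !")
    broker_client = find_client_by_secret(api_key)               # steps 4.2-4.3: BROKER_CLIENT
    if broker_client is None:
        raise AuthError(401, "Not found API-key")
    broker_scopes = broker_client["priv_settings"].get("broker_scopes")  # step 4.4
    if broker_scopes is None:                                    # non-broker MIS: attribute absent
        raise AuthError(401, "Incorrect broker settings!")

    granted = set(broker_scopes.split())                         # "" -> empty set: fully blocked MIS
    needed = GATEWAY_SCOPES.get(endpoint)                        # step 5.1
    if needed is None:
        raise AuthError(403, "Unknown endpoint")                 # assumption: case not on the page
    if not needed <= granted:                                    # step 5.2: every needed scope granted
        raise AuthError(403, "Scope is not allowed by broker")
    return "broker"


def check(token_client_id, headers, endpoint):
    """(status, message) for one request, so outcomes can be compared."""
    try:
        return 200, validate_broker_transfer(token_client_id, headers, endpoint)
    except AuthError as err:
        return err.status, err.message


if __name__ == "__main__":
    for cid, hdr, ep in [("msp", {"API-key": "mis-normal-key"}, "GET /api/declarations"),
                         ("msp", {"API-key": "mis-blocked-key"}, "GET /api/declarations"),
                         ("msp", {"API-key": "mis-nonbroker-key"}, "GET /api/declarations"),
                         ("msp", {}, "GET /api/declarations"),
                         ("incorrect-msp", {}, "GET /api/declarations")]:
        print(cid, ep, "->", check(cid, hdr, ep))
```

Running the block shows why the "Incorrect MSP" row is incorrect: with `access_type` = `direct` the check returns at step 6 and the MSP bypasses the broker entirely, which is exactly what the creation-time validation of `access_type` against `client_type` is meant to prevent. It also shows the difference between the fully blocked MIS (attribute present but empty, 403 at step 5.2) and the non-broker MIS (attribute absent, 401 at step 4.4), which is why the page says to clear `broker_scopes` rather than delete it.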


Tests

MIS Authorization Test Page