Purpose & Requirements
- separate MIS API-key has to be introduced
- API-key would be issued for new specific user-type in mithrill (i.e. MIS)
- each MIS would have list of allowed scopes as per mithril spec
- MIS API key authorization has to take precedence over all other user (i.e. MSP/client) authorization checks. For example: if MIS is unauthorized to register Declaration, but MSP is authorized, request has to be REJECTED, because MIS check has higher priority.
- we have to decide on a specific error message to be returned in case of unauthorized MIS. Message should be very specific, and not overlapping with any other messages in the system, i.e "403 Forbidden Client"
Implementation
MIS API-key
For identifiers MIS clients (client_type = MIS) we use term API-key. We store API-key in `secret` attribute шт 'clients` table.
Condition for validate MIS API-key mandatory
For some clients (client_type = MSP, PHARMASY, ..) we need require mandatory access only transfer MIS.
Proposed use new column `api_key_required` (boolean) in table `client_types`.
We extract client_type from token, analyze `api_key_required` = TRUE, and require in API-key in WS request.
| Client_type | Purpose | api_key_required |
|---|---|---|
Auth_FE | Auth frontEnd | |
| MSP | Medical service provider | TRUE |
| MIS | Medical information system | |
| NHS_Admin | Admin console of the NHS | |
| MITHRIL ADMIN | Admin console of the Mithril itself | |
| PHARMACY | Pharmacy | TRUE |
| UADDRESSES ADMIN | Admin of UA adresses |
Send & Get API-key
MIS must be send (mandatory) own API-key as a attribute `API-key` in HEADER all request.
Example:
curl --include \
--request POST \
--header "Content-Type: application/json" \
--header "Authorization: Bearer mF_9.B5f-4.1JqM" \
--header "API-key: d09vQUFlWTZ6Q0RXRDJISldUOVQ3dz09" \
--data-binary "{
\"medication_request_request\": {
....
Manage MIS transfer scope
For some clients (client_type = MIS) which provide transfer for call API - we need mandatory validate possibility access to API endpoints.
Proposed use new column `validate_transfer_scopes` (boolean) in table `client_types`.
| Client_type | Purpose | validate_transfer_scopes |
|---|---|---|
Auth_FE | Auth frontEnd | |
| MSP | Medical service provider | |
| MIS | Medical information system | TRUE |
| NHS_Admin | Admin console of the NHS | |
| MITHRIL ADMIN | Admin console of the Mithril itself | |
| PHARMACY | Pharmacy | |
| UADDRESSES ADMIN | Admin of UA adresses |
For clients (client_type = MIS) on which we will check access for call API endpoint - we need describe the list `transfer_scopes`.
Proposed manage & store list `transfer_scopes` in attribute `settings` in table `clients`.
Example:
{
"allowed_grant_types": [
"password",
"access_token"
],
"transfer_scopes":
"legal_entity:read declaration:read employee:read"
}
In case of need complex disconnect MIS for transfer of call API endpoints - we need full clear him `transfer_scopes`.
Validate MIS transfer scope
When MSP call specific API endpoint over (transfer) MIS we need validate possibility to access.
- Get `client_id` from `token`
- Read `clients` for `client_id`. (further in the text - `REQUEST_CLIENT`)
- Read `client_types`. Validate `api_key_required`=TRUE
- If invalid - break validation.
- Read `API-key` from `API-key`
- Validate `API-key`.
- Validate exists `secret` in table `clients`
- if invalid - return error "Not found API-key!" (!!! TBD)
- Read `clients` with `secret`(API-key) in header. (further in the text - `TRANSFER_CLIENT`)
Read `client_types` for this client.
Validate `validate_transfer_scopes`=TRUE- if invalid - return error "Incorrect API-key!" (!!! TBD)
- Validate exists `secret` in table `clients`
- Get `transfer_scopes` from `settings` in table `clients` for `TRANSFER_CLIENT`
- Validate crossing (INNER JOIN) `scopes` needed for call API Endpoint (read from GateWay configuration) with `transfer_scopes` of `TRANSFER_CLIENT`.
- if invalid - return error "Conflict !" (!!! TBD)