Authenticating with HIE
...
- The system, and a user account for the system, must be set up in the central Identity Provider (IdP). Please see the documentation regarding onboarding a system/facility for SHR integration.
- This is an offline process: an organization requests access to HIE from the authority (DGHS), naming the components it wants to access and the intended purpose. There are policies the participating organization will have to comply with, and once those aspects are resolved the authority grants access to the organization.
- Once the setup is done, the organization will be given the following details:
- API Token - this is a long-lived token; it is disclosed to, and may be used only by, organizations that have gone through the above procedure.
- client_id - disclosed only to the organization; it must be sent with every API request.
- registered email and password for the user of that organization.
- Get hold of an "access_token" from the central Identity Provider (IdP):
- Make an HTTP POST to the IdP login API (see below for details).
- An "access_token" will be returned. This access token is short-lived and can also be invalidated by the user.
- Make service calls with the "access_token" passed along.
- Subsequent API calls to any HIE service should pass only the "access_token". Note: at no point should you send your "API Token" to any service other than the IdP login service.
...
- Login using IdP API
POST http://<IdP-URL>/api/1.0/sso/signin
with headers:
- client_id = (client id of the user representing the organization)
- X-Auth-Token = (Secret API Token given to the user representing the Organization)
with form-data (content-type: application/x-www-form-urlencoded)
- email
- password
...
```json
{ "error": true, "message": "Not authenticated", "code": 401 }
```
- Logout using IdP API
POST http://<IdP-URL>/api/1.0/sso/signout/{access_token}
with headers:
- client_id = (client id of the user representing the organization)
- X-Auth-Token = (Secret API Token given to the user representing the Organization)
- Get user info from access token
GET http://<IdP-URL>/api/1.0/sso/token/{access_token}
- Accessing a service/resource provider
As explained earlier, once an "access_token" is received, you may call other HIE APIs. Every such API call must carry the following details.
with headers:
- client_id = (client id of the user representing the organization)
- X-Auth-Token = (access token fetched earlier)
- from = (email id of the requester, the one used for login)
...
For example, the following userinfo may be returned to the service provider when it tries to identify the requester (for instance, someone trying to create/POST a patient). Note the profiles associated with the user.
```json
{
  "id": 6,
  "name": "Dr. I.K.Rohan",
  "email": "rohanik@gmail.com",
  "is_active": true,
  "activated": true,
  "activated_at": null,
  "last_login": "2015-01-20 09:52:58",
  "access_token": "xyz_token",
  "created_at": "2014-09-04 13:26:14",
  "updated_at": "2015-01-20 09:52:58",
  "deleted_at": null,
  "groups": ["MCI Admin", "API Consumer"],
  "profiles": [
    { "type": "provider", "id": "123", "catchment": ["302618", "302614"] },
    { "type": "admin", "id": "2", "catchment": ["3026"] },
    { "type": "facility", "id": "10000069", "catchment": ["302618"] },
    { "type": "patient", "id": "10091232131", "catchment": [] }
  ]
}
```
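The sign-in, service-call and token-lookup steps above, as an added example client that is not part of the HIE/SHR project code. It keeps the long-lived API token separate from the short-lived access_token so the API token can only reach the IdP sign-in call; the IdP is replaced by a constructed offline stand-in, the sign-in response shape (`{"access_token": ...}`) and the headers sent on the token-lookup GET are assumptions, and the userinfo is a constructed sample shaped like the one above.

```python
import json
from urllib.parse import urlencode

# Constructed sample userinfo (shape follows the document's example; not a real account).
SAMPLE_USERINFO = json.dumps({
    "id": 6, "email": "rohanik@gmail.com", "access_token": "xyz_token",
    "profiles": [{"type": "provider", "id": "123", "catchment": ["302618", "302614"]},
                 {"type": "facility", "id": "10000069", "catchment": ["302618"]}]})

def fake_idp(method, url, headers, body):
    """Constructed offline stand-in for the IdP; a real client would do HTTP here."""
    if url.endswith("/sso/signin") and headers.get("X-Auth-Token") == "api-secret":
        return 200, json.dumps({"access_token": "xyz_token"})  # assumed response shape
    if "/sso/token/" in url and url.endswith("xyz_token"):
        return 200, SAMPLE_USERINFO
    return 401, json.dumps({"error": True, "message": "Not authenticated", "code": 401})

class HieClient:
    """Keeps the long-lived API token and the short-lived access_token apart, so the
    API token is only ever attached to the IdP sign-in request."""
    def __init__(self, idp_url, client_id, api_token, email, password, transport=fake_idp):
        self.idp_url, self.client_id, self.email = idp_url.rstrip("/"), client_id, email
        self._api_token, self._password, self._transport = api_token, password, transport
        self.access_token = None

    def signin(self):
        # POST /sso/signin: client_id + API token in headers, email/password as form-data.
        headers = {"client_id": self.client_id, "X-Auth-Token": self._api_token,
                   "Content-Type": "application/x-www-form-urlencoded"}
        body = urlencode({"email": self.email, "password": self._password})
        status, text = self._transport("POST", self.idp_url + "/api/1.0/sso/signin", headers, body)
        if status != 200:
            raise PermissionError("IdP sign-in failed: %s %s" % (status, text))
        self.access_token = json.loads(text)["access_token"]
        return self.access_token

    def service_headers(self):
        """Headers for any HIE service call: client_id, the access_token, and from."""
        if not self.access_token:
            raise RuntimeError("sign in first")
        return {"client_id": self.client_id, "X-Auth-Token": self.access_token, "from": self.email}

    def userinfo(self):
        """GET /sso/token/{access_token}, returning catchments keyed by profile type."""
        url = "%s/api/1.0/sso/token/%s" % (self.idp_url, self.access_token)
        status, text = self._transport("GET", url, self.service_headers(), None)  # assumed headers
        if status != 200:
            raise PermissionError("token lookup failed: %s" % status)
        return {p["type"]: p["catchment"] for p in json.loads(text)["profiles"]}
```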
...