Versions Compared

Old Version 8

changes.mady.by.user Sukreet Roy Choudhury

Saved on

compared with

New Version Current

changes.mady.by.user Angshuman Sarkar

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Authentication & Authorization

Authenticating with HIE

API Access


All systems making any HIE api call (except for Terminology Service) must have an "API Token". This token must be passed as "X-Auth-Token" header while making an API request.

...

  1. Login using IdP API

    Panel
    borderStyledashed

    Request : 

    POST http://{IdP-URL}/api/1.0/sso/signin

    Headers :

    client_id = {client id of the user representing the organization}
    X-Auth-Token = {Secret API Token given to the user representing the Organization}

    Form Data :
    email = {user email}
    password = {user password}

     Example response on successful login (HTTP Status code 200)

    Info
    {
      "access_token": "UXmbhELOU47hC5bA7rvvtx2lMuePIF1kOTgyVAhcAX",
    }

    Example response on failed login (HTTP STATUS code 404)

    Info

    {

       "error": true,

       "message": "Not authenticated",

       "code": 401

    }


  2. Logout using IdP API 

    Panel
    borderStyledashed

    Request : 

    POST http://{IdP-URL}/api/1.0/sso/signout/{access_token}

    Headers :

    client_id = {client id of the user representing the organization}
    X-Auth-Token = {Secret API Token given to the user representing the Organization}
    content-type :application/x-www-form-urlencoded

    Form Data :

    email = {user email}
    password = {user password}

     

  3. Get user info from access token

    Panel
    borderStyledashed

    Request : 

    GET http://{IdP-URL}/api/1.0/sso/token/{access_token}

    Headers :

    client_id = {client id of the user representing the organization}
    X-Auth-Token = {Secret API Token given to the user representing the Organization}


...

For example: the following userinfo may be returned to the service provider, when they try to identify the requester (example, someone is trying to create/POST a patient). Note the profiles associated. 

Code Block
{
    "id": 6,
    "name": “Dr. X Y Z”,
    "email": "xyz@gmail.com",
    "is_active" : true,    
    "activated": true,
    "activated_at": null,
    "last_login": "2015-01-20 09:52:58",
    "access_token": "xyz_token",
    "created_at": "2014-09-04 13:26:14",
    "updated_at": "2015-01-20 09:52:58",
    "deleted_at": null,
    "groups": ["MCI Admin", "API Consumer"], 
    "profiles": [
      { 
         type: "provider",
         id: "123",
         catchment: ["302618","302614"]
      },
      {
         type: "admin",
         id: "2",
         catchment: ["3026"]
      }, 
      {
         type: "facility",
         id: "10000069",
         catchment: ["302618"]
      },
      {
         type: "patient",
         id: "10091232131",
         catchment: []
      }
    ]    
}

...