5 Using the OAuth 2.0 protected API

HDR FHIR offers a suite of REST APIs implemented per HL7 FHIR specification and secured using the OAuth 2.0 security framework. This article outlines the steps needed for clients/admin users to obtain a secure access token from HDR's OAuth Server and use the access token to invoke the HDR FHIR REST APIs.

5.1 Prerequisites

Prerequisites for using the OAuth protected API are as follows:

HDR FHIR is successfully registered with an OAuth Server as a Resource Server (that is protecting its endpoints).
A client representing the HDR FHIR API admin user has been registered with OAuth Server as an OAuth Client and is authorized to invoke HDR FHIR APIs.

5.2 How It Works

Figure 5-1 Access Token Process

Client application or user authenticates with the OAuth Server (at say, the /ms_oauth/oauth2/endpoints/tokens endpoint) using the client ID and secret. The client ID and secret would have been obtained at the time of registering the OAuth client with OAuth Server.
OAuth Server validates the client ID and secret.
OAuth Server responds with an Access Token.
Client application or user uses the Access Token to call an HDR FHIR API.
HDR FHIR server intercepts the request and validates the Access Token.
HDR FHIR API responds with requested data.

5.3 Obtaining the Access Token from the OAuth Server

The client/user can ask the OAuth Server for tokens for any of the authorized applications by issuing the following API call:

curl --request POST \
  --url https://example.oauthserver.com/ms_oauth/oauth2/endpoints/tokens \
  --header 'content-type: application/json' \
  --data '{"client_id":"CqwUDq2VQ6AH416sf7n42CZ2rNyElkDW","client_secret":"iA6bJ9OQ-tMWhVNUZylx6Km1_9tMuxVyKC4xNfWtPye72MjXyC3f1GJ38ttQ0oH9","audience":"hdr_fhir_api","grant_type":"client_credentials"}'

In this example, client_id and client_secret are assigned random representative values. You should change these values with the actual client Id and secret, obtained after registering the client with OAuth Server.

{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsI........N7KT4ig",
  "token_type": "Bearer",
  "expires_in":600
}

You can now extract the access_token property value from the response to make authorized requests to your API.

5.4 Calling the HDR FHIR API with an Access Token

You can use this bearer token with an Authorization Header in your request to obtain authorized access to the HDR FHIR API.

curl --request GET \
  --url  http://<SERVER BASE URL>/fhir/Medication \
  --header 'accept: application/json' \
  --header 'authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsI........N7KT4ig'

5.5 Error Messages

Here is a list of a few common OAuth-related error messages that can be thrown by HDR FHIR APIs and the associated remediation steps.

Table 5-1 OAuth-Related Error Messages

HTTP Status Code	Message	Meaning	Remediation
401	BAD_TOKEN: Invalid Algorithm. Algorithm is empty or not supported.	Signature algorithm is empty or not supported by the FHIR server.	Recommended algorithm is RS256. Make sure JWT header contains - "alg": "RS256".
200, 201	--	Success.	Authentication was successful. Operation was successful.
401	BAD_TOKEN: Invalid JWT token. Bad claims. Expired JWT	Unauthorized - expired OAuth token sent in request.	Current access token has expired. Obtain a fresh access token from OAuth Server and use it.
401	BAD_TOKEN: Invalid JWT token. Token is null or empty.	Unauthorized - no OAuth token sent in request.	Obtain a valid access token from OAuth Server. Pass it in request as bearer token in HTTP Auth header.
401	<Other error messages that start with "BAD_TOKEN: Invalid JWT token'' >	Unauthorized - reason to be investigated.	Contact HDR administrator with the error message for further assistance.
401	BAD_TOKEN: Invalid JWT token. Bad claims. Invalid 'aud' attribute. Expected audience '<correct_audience>' does not exist in audience '<incorrect_audience>'	Unauthorized - token sent has incorrect audience value specified.	Ensure that you are using a correct audience value while requesting access token from OAuth Server.