
OAuth Implementation in OHDSI

Hi @Ajit_Londhe ,

We are trying to implement OAuth authentication in our OHDSI environment:
Atlas - v2.13.0
WebAPI - v2.13.0

Can you help us with some examples of how to achieve this with Google Cloud?

Thanks in advance!

If using Broadsea, refer to section 5 of the .env file that’s provided. Aside from enabling AtlasRegularSecurity, you’ll need to fill out OAuth details here:

If not using Broadsea, you will need to fill out similar settings in your settings XML file that you use to build your WebAPI WAR file.


Hi @Ajit_Londhe
For the same, we are now trying to configure OAuth using PingFederate, since our use case requirement is to use OAuth with PingFederate.
So please let us know what exactly we need to configure on the OHDSI side, and please provide the exact parameter names we need to configure.

Currently we are using the parameters below, according to the Broadsea 3.0 GitHub page:
SECURITY_OAUTH_CALLBACK_API:
SECURITY_OID_APISECRET:
SECURITY_OID_CLIENTID:
SECURITY_OID_LOGOUTURL:
SECURITY_OID_LOGOUTURL:
SECURITY_OID_REDIRECTURL:
SECURITY_OID_URL:
SECURITY_ORIGIN:

But on the PingFederate side they are asking us to enable two more parameters on the OHDSI side, listed below. Can you also let us know exactly which parameter names we need to use to configure this? Many thanks.

Auth endpoint:
Token endpoint

Hi @Ajit_Londhe
Can you please help us here?
Also, please let us know if you need any further info.
Thank you in advance

Unfortunately, we lack an OAuth testing environment to run our unit tests on. We only have coverage of AD and LDAP.

Can you please refer to the pom file WebAPI uses and let us know which settings we need to add?

Hello friend!

I’m back from an arduous few months away from the project. I have good news. I have an OAuth testing environment here:

dev.acumenus.net

Let me know how I can assist.
-Sanjay

Hey Sanjay,

Can you share the env file and any guidance on how you set it up?

Thanks,
Ajit

Ajit,

In the inimitable words of Dak Prescott: “Yeaaah, Hereee We Gooo!” Currently my test environment is air-gapped from the internet due to switching to Hostinger from its original DNS registrar. Apparently it takes 4-6 DAYS for the DNS to re-propagate, and I have everything set up for SSL. We should be back up and running by Monday, I hope.

My OAuth experiments aren’t complete yet. Neither is my SAML. However, I’m sharing some screenshots to show you how I have my OHDSI “lab” organized:

“Homepage”:

Utilities:

SAML Setup in Authentik:


And finally the #SAML section of the .env:

# SAML
SECURITY_SAML_ENABLED="false"
SECURITY_SAML_ENTITYID="authentik"
SECURITY_SAML_IDPMETADATALOCATION="https://dev.acumenus.net:7443/api/v3/providers/saml/3/metadata/?download"
SECURITY_SAML_KEYMANAGER_KEYSTOREFILE=""
SECURITY_SAML_KEYMANAGER_STOREPASSWORD=""
SECURITY_SAML_KEYMANAGER_DEFAULTKEY=""
SECURITY_SAML_KEYMANAGER_PASSWORDS_ARACHNENETWORK=""
SECURITY_SAML_METADATALOCATION="/home/acumenus/Projects/Broadsea/broadsea_authentik_meta.xml"
SECURITY_SAML_CALLBACKURL="https://dev.acumenus.net/Atlas/#/welcome"
SECURITY_SAML_SLOURL="https://dev.acumenus.net:7443/application/saml/atlas/slo/binding/post/"
SECURITY_SAML_MAXIMUMAUTHENTICATIONLIFETIME="60"

I will add the OAuth/OpenID section for you once I confirm it is running. I am still running your Broadsea 3.0 OpenLDAP setup for now. But I am intent on transitioning to either SAML or OpenID:

In the meantime, I found these videos very helpful in setting up Authentik as my internal/lab auth solution:

I’ll get back to you guys as soon as my lab is accessible again and grant you accounts to sandbox your efforts.

Yours,
-Sanjay
