The OHIF Viewer can be configured to work with authorization servers that support one or more of the OpenID-Connect authorization flows. The Viewer finds its OpenID-Connect settings on the oidc configuration key. You can set these values in your configuration files. For instance, you can take a look at our google.js configuration file:
```js
// ~ REQUIRED
// Authorization Server URL
authority: '<AUTHORITY_URL>', // placeholder: value not captured in this excerpt
client_id: '<CLIENT_ID>', // placeholder
redirect_uri: '<REDIRECT_URI>', // placeholder
response_type: 'id_token token',
scope: 'email profile openid https://www.googleapis.com/auth/cloudplatformprojects.readonly https://www.googleapis.com/auth/cloud-healthcare', // email profile openid
// ~ OPTIONAL
```
You need to provide the following information:
- authority: The URL of the authorization server.
- client_id: The client id of your application (provided by the authorization server).
- redirect_uri: The callback URL of your application.
- response_type: The response type of the authorization flow (e.g. id_token token).
- scope: The scopes that your application needs to access.
- post_logout_redirect_uri: The URL that the user will be redirected to after logout.
- revoke_uri: The URL that the user will be redirected to after logout.
- automaticSilentRenew: If true, the user will be automatically logged in after the token expires.
- revokeAccessTokenOnSignout: If true, the access token will be revoked on logout.
How it works
The Viewer uses the userAuthenticationService to set the OpenID-Connect settings. The userAuthenticationService is a singleton service that is responsible for authentication and authorization. It is initialized by the app, and you can grab it from the servicesManager:
```js
const userAuthenticationService = servicesManager.services.userAuthenticationService;
```
Then the userAuthenticationService injects the token as the Authorization header in the requests that are sent to the server (both metadata and pixel data).
Token based authentication
Sometimes (although not recommended), some servers send the token in the query string. In this case, the viewer automatically grabs the token from the query string, adds it to the userAuthenticationService, and removes it from the query string (to prevent it from being logged in the console in future requests).
An example would be
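As an added illustration of that query-string handling (this is not OHIF's own implementation; the `token` parameter name, the sample URL and the Bearer header format are assumptions), the core steps in JavaScript:

```javascript
// Added example, not OHIF code. Models the behaviour described above:
// read a token passed in the query string, strip it from the URL so it is
// not logged or kept in browser history, and serve it as an Authorization header.
const TOKEN_PARAM = 'token'; // assumed query-string parameter name

// Pull the token out of a URL's query string and return the URL without it.
function extractQueryToken(urlString, paramName = TOKEN_PARAM) {
  const url = new URL(urlString);
  const token = url.searchParams.get(paramName);
  if (!token) {
    return { token: null, cleanedUrl: urlString };
  }
  url.searchParams.delete(paramName);
  return { token, cleanedUrl: url.toString() };
}

// Minimal stand-in for the authentication service: holds the token and hands
// out the header attached to metadata and pixel-data requests.
class TokenStore {
  constructor() {
    this.token = null;
  }
  setToken(token) {
    this.token = token;
  }
  getAuthorizationHeader() {
    return this.token ? { Authorization: `Bearer ${this.token}` } : {};
  }
}

// Wire the two together. In a browser, also rewrite the address bar in place
// (history.replaceState) so the token is not left in the visible URL.
function bootstrapFromLocation(urlString, store) {
  const { token, cleanedUrl } = extractQueryToken(urlString);
  if (token) {
    store.setToken(token);
    if (typeof window !== 'undefined' && window.history && window.history.replaceState) {
      window.history.replaceState(null, '', cleanedUrl);
    }
  }
  return cleanedUrl;
}

// Constructed sample URL (not a real deployment or a real token).
const SAMPLE_URL = 'https://viewer.example.test/viewer?StudyInstanceUIDs=1.2.3&token=abc.def.ghi';
```

Requests made after bootstrapFromLocation has run carry the header from getAuthorizationHeader rather than the token in the URL, which is the point of stripping it.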