403 error while saving a measurements report from OHIF

We are using an Orthanc instance with the integrated OHIF plugin.
We authenticate through Keycloak, which acts as a broker for our institutional Azure Entra ID (formerly Azure Active Directory), and we have set up the orthanc-auth-plugin for authorization. So far, the integration looks like it is working. We use custom labels in Orthanc to build collections of studies.

In OHIF, when we make a measurement and then try to Create Report, we get a pink "Create Report request failed" error message at the bottom right.

Here are the HTTP request and response from the web developer tool in my browser:

Request

POST /dicom-web/studies HTTP/1.1
Host: orthanc-preprod.paradim.science
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0
Accept: */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br, zstd
Content-Type: multipart/related; type="application/dicom"; boundary="844ed95c-28c7-fbf3-ab70-cdf41edc7f8d"
Authorization: Bearer TOKEN REDACTED
Content-Length: 4555
Origin: https://orthanc-preprod.paradim.science
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Referer: https://orthanc-preprod.paradim.science/ohif/viewer?hangingprotocolId=mprAnd3DVolumeViewport&StudyInstanceUIDs=1.2.826.0.1.3680043.6.35090.51976.20170424143854.976.12.7735
Cookie:  COOKIE REDACTED
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

Response

HTTP/1.1 403 Forbidden
server: nginx/1.22.1
date: Tue, 17 Dec 2024 22:11:05 GMT
content-length: 0
x-content-type-options: nosniff
access-control-allow-origin: *
access-control-allow-methods: GET, POST, OPTIONS
access-control-allow-headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range
access-control-expose-headers: Content-Length,Content-Range

The Orthanc server logs this error message in the console:

W1217 17:22:14.318589 HTTP-48 PluginsManager.cpp:158] The UserProfile for 'Anonymous' does not contain any authorized labels

The Bearer token sent with the request seems to be of the wrong type. I decoded it using the CyberChef "JWT Decode" operation:

{
    "id": null,
    "resources": [
        {
            "dicom_uid": "1.2.826.0.1.3680043.6.35090.51976.20170424143854.976.12.7735",
            "orthanc_id": "49149567-dee7c8b5-f07db365-0fb59818-2f785498",
            "url": null,
            "level": "study"
        }
    ],
    "type": "viewer-instant-link",
    "expiration_date": "2024-12-17T21:52:31.140682+00:00",
    "validity_duration": 3600
}

I would have expected the token to be of type "ohif-viewer-publication", since that is what I configured in Orthanc.

Here are some extracts from our Orthanc configuration file:

  "Plugins" : [
      "/usr/share/orthanc/plugins/","/usr/local/share/orthanc/plugins/"
  ],

  "OrthancExplorer2": {
    "IsDefaultUI": true,
    "OrthancApiPublicRoot": "/",
    "UiOptions": {
      "EnableOpenInOhifViewer3": true,
      "OhifViewer3PublicRoot": "/ohif/",
      "EnableShares": true,
      "DefaultShareDuration": 0,
      "ShareDurations": [0, 7, 15, 30, 90, 365],
      "ViewersIcons" : {
        "ohif": "bi bi-grid",
        "ohif-vr": "bi bi-grid-1x2",
        "ohif-tmtv": "bi bi-grid-3x3-gap",
        "ohif-seg": "fa-solid fa-shapes fa-button",
        "volview": "bi bi-box",
        "wsi": "fa-solid fa-microscope fa-button"
      },
      "MaxStudiesDisplayed": 100,
      "AvailableLanguages": ["en", "fr"],
      "DefaultLanguage" : "fr",
      "StudyListSearchMode": "search-button",
      "StudyListContentIfNoSearch": "empty"
    },
    "Tokens" : {
      "InstantLinksValidity": 3600,
      "ShareType": "ohif-viewer-publication"
    },
    "Keycloak" : {
      "Enable": true,
      "Url": "${KC_HOSTNAME_URL}",
      "Realm": "orthanc",
      "ClientId": "orthanc"
    }
  },

  "OHIF" : {
    "DataSource": "dicom-web"
  },

  "Authorization" : {
    "WebServiceRootUrl" : "${ORTHANC_AUTH_SERVICE_URL}",
    "WebServiceUsername": "${ORTHANC_AUTH_SERVICE_USERNAME}",
    "WebServicePassword": "${ORTHANC_AUTH_SERVICE_PASSWORD}",
    "TokenHttpHeaders" : [ "api-key" ],
    "StandardConfigurations": [               // new in v 0.4.0
      "orthanc-explorer-2",
      "ohif"
    ],
    "CheckedLevel" : "studies"
  },

Are there any issues in this excerpt from our configuration file?

Do we need to configure an Anonymous user to upload DICOM files to the /dicom-web/studies endpoint? If so, how can we do that?

Hi @francoispelletier

First of all, congratulations on the detailed message! It's a real pleasure to analyze!

Actually, that is a use case that we have not planned so far.

I’ll try to summarize:

  • When a user is logged in, all of their requests are authenticated by a user-token.
  • This user-token has a very short validity (5 min) and needs to be refreshed continuously. OE2 takes care of refreshing the token.
  • When the user clicks on the "OHIF" button, since OHIF is not able to refresh a user-token, we actually create a new resource-token (aka viewer-instant-link) that grants read-only access to the study for a short period of time (200s by default - defined in the InstantLinksValidity configuration).

For security reasons, we'd like to avoid handing over a user-token to OHIF that would have a validity of more than 5 minutes, especially if its lifespan can be configured. Furthermore, since the annotation can be created more than 5 minutes after opening the viewer, this token lifespan would probably have to be 15 minutes or more.

So, what you would actually need is a read-write-resource-token with a 15-60 minute validity that would grant read-only access to the single resource plus write access to push a new instance to /dicom-web/studies.

However, it would be even nicer if OHIF could push the new annotations to /dicom-web/studies/1.2.3.4, since in that case this read-write-resource-token would then really only grant access to a single resource. Could you check with OHIF whether this is possible?

Implementing this read-write-resource-token is not straightforward - I still need to analyze it a bit deeper. I have created an issue for it. If you want to expedite the feature, don't hesitate to contact http://orthanc.team :wink:

Best,

Alain.
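As an added example that is not part of this thread and not orthanc-auth-service code: a small Python check that decodes the token the way CyberChef did in the question above and reports, for a given request, why it would be refused under the token-type semantics the reply describes. The token-type policy and the read-write-resource-token name are assumptions modelled on the reply, not the plugin's actual rules, and the sample token is constructed from the claims shown in the question with a placeholder signature.

```python
import base64
import json
from datetime import datetime

# Policy assumed from the reply (a model, not the auth plugin's actual rules):
# viewer tokens are read-only; the proposed read-write-resource-token also writes.
READ_ONLY_TYPES = {"viewer-instant-link", "ohif-viewer-publication"}
READ_WRITE_TYPES = {"read-write-resource-token"}  # hypothetical name from the reply
WRITE_METHODS = {"POST", "PUT", "DELETE"}


def b64url_decode(segment: str) -> bytes:
    """Base64url decode, restoring the '=' padding that JWT segments omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token: str) -> dict:
    """JWT claims without signature verification (the CyberChef view); the auth service still verifies."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def explain_request(claims: dict, method: str, path: str, now_iso: str) -> dict:
    """Check one request against the token's expiry, its type, and whether the
    path names a study listed in the token's resources (i.e. the request is scoped)."""
    reasons = []
    if datetime.fromisoformat(now_iso) >= datetime.fromisoformat(claims["expiration_date"]):
        reasons.append("token expired at " + claims["expiration_date"])
    uids = {r["dicom_uid"] for r in claims.get("resources", [])}
    scoped = any(uid in path for uid in uids)
    ttype = claims.get("type")
    if method.upper() in WRITE_METHODS and ttype not in READ_WRITE_TYPES:
        reasons.append(f"type '{ttype}' is read-only but {method} {path} writes")
    elif method.upper() not in WRITE_METHODS and not scoped:
        reasons.append(f"{path} is not a resource granted by this token")
    return {"allowed": not reasons, "scoped": scoped, "reasons": reasons}


# Constructed sample: the claims decoded in the question, re-encoded as a JWT
# with a placeholder signature so the check runs offline.
def b64url_encode(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


SAMPLE_CLAIMS = {"id": None, "type": "viewer-instant-link", "validity_duration": 3600,
                 "expiration_date": "2024-12-17T21:52:31.140682+00:00",
                 "resources": [{"dicom_uid": "1.2.826.0.1.3680043.6.35090.51976.20170424143854.976.12.7735",
                                "orthanc_id": "49149567-dee7c8b5-f07db365-0fb59818-2f785498",
                                "url": None, "level": "study"}]}
SAMPLE_TOKEN = ".".join([b64url_encode({"alg": "HS256", "typ": "JWT"}),
                         b64url_encode(SAMPLE_CLAIMS), "placeholder-signature"])
```

Running `explain_request(decode_payload(SAMPLE_TOKEN), "POST", "/dicom-web/studies", "2024-12-17T21:00:00+00:00")` reproduces the refusal from the question (read-only type, unscoped write), while a read of the listed study's metadata passes.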