Auth service in https

Hi everybody,
My Orthanc, with the Advanced auth plugin enabled, should call a custom authorization web service. If the web service uses the https protocol, is that enough to call the correct url (set inside the configuration as “https://web_service_url”)? Or is it necessary to pass the certificate to the client for calling this web service? If yes, is there a configuration that allows this operation?
Tks everybody.
Gio

Hi,

First of all, you should use the mainline binaries because the current official release of the auth plugin (0.9.0) does not support HTTPS. (release notes)

Note that I’ll probably release 0.9.1 next week.

Best,

Alain.

Hi Alain,
thank you for the answer. So with the 0.9.1 release of the advanced authorization plugin it will be possible to call an external web service for the authorization over the https protocol? To do that, do I just need to set the correct url inside the Orthanc configuration (in the “Authorization” section)?
Tks a lot
Gio

Hi Gio,

Yes

Yes

BTW, it has just been released.

Alain

Hi Alain,
tks for your answer. Now I am using the last “full” image of orthanc:25.5.0 that should provide support for calling the authorization service over https.
Of course, testing locally, I am using self-signed certificates and Docker Desktop. As my architecture will be deployed on Kubernetes, in order to simulate different “Kubernetes namespaces”, I have three different docker-compose files, each of which runs an nginx instance that uses a self-signed certificate. But what I am getting is the following error in orthanc (during the call to the user/get-profile API): “Error in network protocol: libCURL error: Could not connect to serve while accessing https://nginx_auth_service:8443/orthanc-auth-service/user/get-profile”. But if I call the API via postman (disabling the SSL certificate verification) it works. The only difference is that inside the orthanc configuration I set the url to “https://nginx_auth_service:8443/orthanc-auth-service/user/get-profile”, whereas in postman I have to call “https://localhost:8443/orthanc-auth-service/user/get-profile”. Of course, if I use localhost inside the orthanc configuration I get the same error. Any idea? Is that a problem related to the certificate?
Tks,
Gio

Hi,

Very likely not.

You should docker exec into your container, install curl and execute something like curl -k -v -X POST https://nginx_auth_service:8443/orthanc-auth-service/user/get-profile and see what you get …

Hi Alain,
I tried what you suggested, but I have the same error as you can see in the following screenshot:


The strange thing is that, if I call the API from postman (but using localhost instead of nginx_auth_service), it works correctly. Why is that in your opinion?
Tks a lot.
Gio

Docker or nginx configuration related issue…

Hi GioBlank,

Are you certain that your inside and outside ports are the same in nginx_auth_service? Maybe it’s 443 inside the compose network? (just a random idea)

Hi Alain,
tks for your answer. You were right, it seems like it was a wrong docker configuration. But now, I have this error linked (I think) to the SSL certificate.

Is that correct? Or in your opinion there is another problem?
Moreover I was wondering, where can I find the configuration files for the last orthancteam/orthanc-keycloak-25.5.0 image?

Tks a lot,
Gio

Hi

This indeed looks like a cert issue.

The sample setup and the image source code is all we have, I think.

Best regards,

Alain
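
An added example (not code from the thread or from the Orthanc project): a Python probe that separates the two failures seen above, "Could not connect to server" (a DNS or TCP problem) and a certificate error (a TLS verification problem). The function name `probe_https` and the optional CA file argument are assumptions made for this illustration.

```python
import socket
import ssl
import sys
from urllib.parse import urlsplit


def probe_https(url, ca_file=None, timeout=3.0):
    """Return (stage, detail); stage is 'dns', 'tcp', 'cert', 'tls' or 'ok'."""
    parts = urlsplit(url)
    host, port = parts.hostname, parts.port or 443

    # Stage 1: name resolution. A compose service name resolves only from
    # containers attached to the same Docker network.
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns", str(exc)

    # Stage 2: TCP connect. A refusal or timeout here is the "could not
    # connect" case: wrong port or network, unrelated to the certificate.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", str(exc)

    # Stage 3: TLS handshake with verification left on. With ca_file set,
    # only that PEM bundle is trusted (e.g. the self-signed test certificate).
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", tls.version()
    except ssl.SSLCertVerificationError as exc:
        return "cert", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return "tls", str(exc)


if __name__ == "__main__":
    # Default URL is the one quoted in the thread; argv[2] is an optional PEM CA file.
    target = sys.argv[1] if len(sys.argv) > 1 else (
        "https://nginx_auth_service:8443/orthanc-auth-service/user/get-profile")
    print(probe_https(target, ca_file=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it from inside the Orthanc container so it sees the same network as the plugin. A `cert` result with a self-signed certificate also appears when the certificate does not list the host name used in the URL.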

Hi Alain,
so do you think that when I will have a valid certificate the auth service can be in https without any problems, right?
About keycloak, is that possible to get a refresh token from keycloak together with the access token inside the auth service? In this way my frontend application can ask for a new access token for the logged user, after the previous one has expired.
Tks Gio

I guess so …

We are definitely not Keycloak experts and the auth-service code is available for you to look into and for any customizations you would like to perform…