Authentication not working for Orthanc Explorer 2

I have configured Orthanc to enable Authorization in the orthanc.json file, with the following settings:


"Authorization": {
    "WebServiceRootUrl": "http://host.docker.internal:8000",
    "TokenHttpHeaders": [
        "token"
    ],
    "CheckedLevel": "studies",
    "Permissions": []
}

This configuration works well for the default Orthanc UI, but I’m encountering issues with Orthanc Explorer 2 (OE2). When I check the network tab, I see the following error:

http://localhost:8042/ui/api/configuration
{
	"Details" : "List of strings expected in field: permissions",
	"HttpError" : "Bad Request",
	"HttpStatus" : 400,
	"Message" : "Bad file format",
	"Method" : "GET",
	"OrthancError" : "Bad file format",
	"OrthancStatus" : 15,
	"Uri" : "/ui/api/configuration"
}

I am new to this Orthanc authentication plugin. Any insights into why this might be happening and how to resolve it would be greatly appreciated.

Hi,

Your authorization web-service is not returning the response in the format the authorization plugin is expecting.

I know this is not really well documented - but, if you plan to make OE2 work with the auth-plugin, you must very likely implement something similar to this webservice.

Note that the legacy UI is not supposed to work together with the authorization plugin unless you provide a token argument in the url.

OE2 requires your webservice to implement “user permissions” such that OE2 can show/hide the accessible features in the UI.

HTH,

Alain.

Hi alainmazy
Thanks for your reply.

I created my own orthanc-auth-service and returned the granted JSON (in the format the authorization plugin is expecting):

{
  "granted": true,
  "validity" : 0
}

But I am still getting the same error. Why is that? Can’t we create our own auth-service?

Hi

As mentioned earlier:

OE2 requires your webservice to implement “user permissions” such that OE2 can show/hide the accessible features in the UI.

Which means you need a permissions field in your response.

FYI, here’s the model definition of requests and responses your webservice might need to handle:

HTH,

Alain
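
An added example (not code from orthanc-auth-service or from the posts in this thread) of the two response shapes this exchange turns on: a token validation answer with `granted` and `validity`, and a response carrying `permissions` as a list of strings. The function names, the `name` field, the sample token and the permission strings are assumptions made for illustration, as is the split into two responses; take the real field and permission names from the plugin documentation.

```python
import hmac

# Constructed sample data: token -> profile. Permission strings are placeholders.
USERS = {
    "constructed-token-doctor": {"name": "doctor", "permissions": ["view", "download"]},
}

def lookup(token_value):
    """Match the presented token against known tokens in constant time."""
    if not isinstance(token_value, str):
        return None
    for known, profile in USERS.items():
        if hmac.compare_digest(known.encode(), token_value.encode()):
            return profile
    return None

def validate_token(request):
    """Answer a validation request; deny by default on a null or unknown token."""
    profile = lookup(request.get("token_value"))
    return {"granted": profile is not None, "validity": 60}

def user_profile(token_value):
    """Build the response OE2 needs: 'permissions' is always a list of strings."""
    profile = lookup(token_value) or {"name": "anonymous", "permissions": []}
    return {
        "name": profile["name"],
        "permissions": list(profile["permissions"]),
        "validity": 60,
    }

def check_profile(body):
    """List the problems that make a response unusable as a permissions answer."""
    problems = []
    perms = body.get("permissions")
    if not isinstance(perms, list) or not all(isinstance(p, str) for p in perms):
        problems.append("permissions: list of strings expected")
    validity = body.get("validity")
    if not isinstance(validity, int) or isinstance(validity, bool):
        problems.append("validity: integer expected")
    return problems
```

Running `check_profile` on a body that holds only `granted` and `validity` reports the missing `permissions` list, the same complaint as the 400 error quoted in the first post.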

Hi Alain,
So I have set up the Keycloak and orthanc-auth-service containers and they are running. I got a message like “Got the public key from Keycloak” on the orthanc-auth-service docker console…
Then I hit http://localhost:8042/app/explorer.html but I am getting a 403 error.
In the docker console I am getting an error like this:

INFO:root:validating token: {"dicom_uid":null,"orthanc_id":null,"token_key":null,"token_value":null,"server_id":null,"level":"system","method":"get","uri":"/app/explorer.html"}
INFO:root:validate token: {"granted":false,"validity":60}
INFO:root:validating token: {"dicom_uid":null,"orthanc_id":null,"token_key":null,"token_value":null,"server_id":null,"level":"system","method":"get","uri":"/app/explorer.html"}
INFO:root:validate token: {"granted":false,"validity":60}

Why is it getting this error? How exactly does the Keycloak flow work?
I have gone through the repo and the README file several times… but I am not getting it properly.
Please help.

I’m sorry but I can not help based on the information you provide.

You should really first run one of the demo setups: orthanc-auth-service/minimal-setup at main · orthanc-team/orthanc-auth-service · GitHub, and then change components one by one …

FYI, I have just completely reworked the documentation of this plugin.

Hope this helps,

Alain

Hi Alain,
I am able to run orthanc-auth-service (orthanc-auth-service/minimal-setup/keycloak at main · orthanc-team/orthanc-auth-service · GitHub).
I have a web app that already has user accounts for admin and doctors… so can’t we use my users’ credentials to access OE2? How can I add those users with credentials on Keycloak?

There might be a way to make a bridge between keycloak and your webapp but I actually don’t know much about Keycloak.

If your users are already logged in your app, you might probably just not need Keycloak and have the auth-service use the HTTP headers from your webapp and interface with your webapp instead of interfacing with Keycloak.

HTH,

Alain

Hi Alain,
I am facing an issue with the /studies/c19fe95d-b4f70025-ecc1f9cb-0d94d411-aaff3f39/statistics API.

Thanks for the support so far

Hi Alain
I want this kind of URL format (viewer?url=…/studies/c19fe95d-b4f70075-ecc1f9ab-0d94d411-aaff3f39/ohif-dicom-json) to open the viewer… so I added a token like below:
(http://localhost/ohif/viewer?url=../studies/c19fe95d-b4f70075-ecc1f9ab-0d94d411-aaff3f39/ohif-dicom-json&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6bnVsbCwicmVzb3VyY2VzIjpbeyJkaWNvbV91aWQiOiIxLjIuODQwLjExMzYxOS4yLjI5MC4zLjI4MzExODg3NTEuNTYzLjE3MDA3OTQ1NDcuODEwIiwib3J0aGFuY19pZCI6ImMxOWZlOTVkLWI0ZjcwMDc1LWVjYzFmOWFiLTBkOTRkNDExLWFhZmYzZjM5IiwidXJsIjpudWxsLCJsZXZlbCI6InN0dWR5In1dLCJ0eXBlIjoib2hpZi12aWV3ZXItcHVibGljYXRpb24iLCJleHBpcmF0aW9uX2RhdGUiOm51bGwsInZhbGlkaXR5X2R1cmF0aW9uIjpudWxsfQ.dTbXqK1iyE3tKOnEpzawCStambYdzdu-MRoEOx_YkkY)
Then I hit enter, but it’s not opening the OHIF viewer… and the URL is changed like this:
http://localhost/viewer?url=..%2Fstudies%2Fc19fe95d-b4f70075-ecc1f9ab-0d94d411-aaff3f39%2Fohif-dicom-json
There is %2F in my URL instead of /.
Why is this happening?
dicom-web url (http://localhost/ohif/viewer?StudyInstanceUIDs=1.2.840.113619.2.290.3.2831188751.563.1700794547.810&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6bnVsbCwicmVzb3VyY2VzIjpbeyJkaWNvbV91aWQiOiIxLjIuODQwLjExMzYxOS4yLjI5MC4zLjI4MzExODg3NTEuNTYzLjE3MDA3OTQ1NDcuODEwIiwib3J0aGFuY19pZCI6ImMxOWZlOTVkLWI0ZjcwMDc1LWVjYzFmOWFiLTBkOTRkNDExLWFhZmYzZjM5IiwidXJsIjpudWxsLCJsZXZlbCI6InN0dWR5In1dLCJ0eXBlIjoib2hpZi12aWV3ZXItcHVibGljYXRpb24iLCJleHBpcmF0aW9uX2RhdGUiOm51bGwsInZhbGlkaXR5X2R1cmF0aW9uIjpudWxsfQ.dTbXqK1iyE3tKOnEpzawCStambYdzdu-MRoEOx_YkkY
)
format is working fine… I am able to validate the token and open the viewer.

Please help.

Hi,

We actually never tried to make it work with dicom-json source since the dicom-web source is working fine. Any reason not to use the dicom-web source ?

I’ll add a TODO to support ohif-dicom-json but I can not commit on when this will be done.

BR,

Alain.

Hi
Because in our web app, we used the dicom-JSON data source. It gives a faster response than dicom-web.

If we enable basic authentication (by enabling AuthenticationEnabled and RegisteredUsers), the OHIF route (http://localhost:8042/ohif/viewer?url=../studies/c19fe95d-b4f70075-ecc1f9ab-0d94d411-aaff3f39/ohif-dicom-json) also gets authenticated, so it will ask for a username and password… I don’t want it like this.

Is there any way to skip authentication for these particular routes?
Or to authenticate this route without showing the alert box?