Custom access/authorization control for DICOM images (DWV/Osimis)

Hey folks, I’d like to ask for your help.

I’m trying to find a way to implement a custom authorization control for DICOM images on DWV or Osimis. I need to dynamically grant some users access to specific resources on DWV/Osimis, instead of giving them access to all the resources. And this access should be granted only one time. That means the same link will not be available once it has already been used. So every time a user wants to access a resource, a new link (with validation token?) will be generated.

Has anyone already done something similar? Or does anyone have an idea of how I could implement it?

I’m willing to pay for this small freelance job if someone is available.

Thanks in advance.

Hi,

As you probably know, that's not the purpose of Orthanc (see also https://book.orthanc-server.com/faq/improving-interface.html).

As you highlighted, this would require the development of a plugin on top of Orthanc to create a kind of patient portal.

There are commercial solutions available on the market, like the Osimis product Lify, which embeds such a patient portal that fits the requirements you described.

Kind regards,

Michel

Hi Michael,

Thanks for your reply.

Yeah, I suppose this must be done with a custom plugin and I am willing to pay for it if anyone is interested. If you know someone, please send me his/her contact.

I’ll take a look at Lify, but the thing is that the only part that interests me is the custom access to the resources. I’d pay for a whole product just to use one feature :confused:

Anyways, thanks again for your reply.

Hi, I’m doing the same thing now. I am using the Advanced authorization plugin and the DICOMweb plugin to fulfill this.
I set up a custom authorization server with Golang (JWT), then put the authorization server address in config.json.

    {
      "Authorization" : {
        "WebService" : "http://localhost:9300/",
        "TokenGetArguments" : ["token"],
        "TokenHttpHeaders" : ["Authorization"]
      }
    }

There are two ways to add authorization to your request.

1. Add the token to your request header (supports any request method)


2. Add the token as a request URL parameter (supports the GET method only), in the format below:

http://localhost:8042/osimis-viewer/app/index.html?study=54e414a5-db14d3c6-624da506-0fc46b38-ea5c77bd&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1NjE0NDk5NjMsImp0aSI6IjEiLCJpYXQiOjE1NjA4NDUxNjMsImlzcyI6IkVhc3lCb3NzIn0.xJbhurRzzGi6_ifnXCVtSTKrcXmBPE0AbhsvepVcifU

And you can make your own frontend app based on DICOM Web API now.

On Friday, June 14, 2019 at 5:26:16 AM UTC+8, Thiago Régis wrote:

Hi Ritchie,

Great! Thanks for your reply :slight_smile:

So, basically, Orthanc will try to authenticate on your GoLang app before rendering the image. And it will only allow the user to access the image if the authentication succeeds. Is that right?

Would you share your GoLang app? My app is written in PHP, so I would just use your code as an inspiration.

Thanks again for your time.


Hi Thiago,

FYI, here’s a link to a more than basic auth-server written in node.js that gives you an idea of what you shall implement:
https://bitbucket.org/osimis/orthanc-setup-samples/src/8e7cbe9f5400867e3736a24bd0fdb25efe2fc48c/docker/authorization-plugin/node-auth-server/auth-service.js


Thanks Alain!


Hi Thiago, your understanding is right!

I am so sorry that my project is still under development, I can’t share private code with you now, but I can share my steps here:

  1. Install the Advanced authorization plugin and the DICOMweb plugin
  2. Write an authorization service with PHP/Golang or any backend language
  3. Configure the two plugins in your Orthanc config.json

    {
      "DicomWeb": {
        "Enable": true,
        "Root": "/api/",
        "EnableWado": true,
        "WadoRoot": "/wado",
        "Ssl": false,
        "StowMaxInstances": 10,
        "StowMaxSize": 20,
        "QidoCaseSensitive": false
      },

      "Authorization": {
        "WebService" : "http://localhost:9300/",
        "TokenGetArguments": ["token"],
        "TokenHttpHeaders": ["Authorization"],
        "UncheckedFolders": [
          "/osimis-viewer/"
        ]
      }
    }

(http://localhost:9300 is my authorization service address, replace with yours)

  4. When the user logs in successfully, store the token in the user’s local storage
  5. For every request to the DICOMweb API, get the token from the user’s local storage
  6. Put the token in the user’s request headers in the format below:

    Authorization: Bearer your_long_token_string_here

  7. Write any logic in the authorization service to control user access now; for details, see the plugin’s documentation.
  8. If you are using the osimis-viewer, just put the user’s token as a URL param to control access to the viewer, but there will be a pitfall here

BTW, for my project, I have two user roles: admin and user,

admin:

  • access study list
  • access all studies in osimis-viewer
  • upload DICOM files
  • remove DICOM files
  • download DICOM files

user:

  • upload DICOM files
  • access study list uploaded by self
  • access study uploaded by self

On Thursday, June 20, 2019 at 2:44:38 PM UTC+8, Thiago Régis wrote:
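
An added example, not code from any poster or from the Orthanc project: a minimal authorization web service in Go for the one-time links asked about at the top of the thread, using random server-side tokens in place of the JWTs mentioned above, since single use needs server state either way. The JSON field names (`level`, `orthanc-id`, `token-value`, `granted`, `validity`), `validity: 0` meaning "do not cache", the 10-minute window and the study-only policy are assumptions to check against the plugin documentation and your own requirements.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"net/http"
	"sync"
	"time"
)

// query holds the fields of the plugin's POST body used here (names assumed).
type query struct {
	Level string `json:"level"`
	ID    string `json:"orthanc-id"`
	Token string `json:"token-value"`
}
var deadline sync.Map           // issued query -> time.Time after which the link is dead
const window = 10 * time.Minute // assumed viewing session once a link is first used

// issue registers a fresh random token for one study; append it to the link as &token=...
func issue(study string, ttl time.Duration, now time.Time) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // never hand out a token built from a failed entropy read
	}
	q := query{Level: "study", ID: study, Token: hex.EncodeToString(b)}
	deadline.Store(q, now.Add(ttl))
	return q.Token
}

// granted answers one plugin query; only the exact level, study and token issued match.
func granted(q query, now time.Time) bool {
	d, ok := deadline.Load(q)
	if !ok || !now.Before(d.(time.Time)) {
		return false
	}
	if end := now.Add(window); end.Before(d.(time.Time)) {
		deadline.Store(q, end) // first use: the link dies when the window closes
	}
	return true
}

func main() { // reply fields "granted"/"validity" are assumed; 0 is assumed to mean no caching
	http.ListenAndServe("localhost:9300", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var q query
		json.NewDecoder(r.Body).Decode(&q) // malformed body leaves q empty: denied
		json.NewEncoder(w).Encode(map[string]interface{}{"granted": granted(q, time.Now()), "validity": 0})
	}))
}
```

Queries at other levels (series, instance) are denied here; a real service would have to map them to their parent study before deciding. Because a token in a URL ends up in browser history and proxy logs, the short lifetime matters more for the `token` GET argument than for the header.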

Hi all,

I’ve just implemented support for auth token passed as url parameters in the viewer.
Check the following example:
https://bitbucket.org/osimis/orthanc-setup-samples/src/master/docker/authorization-plugin-viewer-query-args/

It’s currently available in osimis/orthanc:19.6.4 docker image if you define WVB_ALPHA_ENABLED=true

Best,

Alain

Hello,

I am trying to achieve something similar.
How do you know which user uploaded data?