Custom access/authorization control for DICOM images (DWV/Osimis)

Hey folks, I’d like to ask for your help.

I’m trying to find a way to implement a custom authorization control for DICOM images on DWV or Osimis. I need to dynamically grant some users to access specific resources on DWV/Osimis. instead of give them access for all the resources. And this access should be made only one time. That means the same link will not be available once it’s used already. So every time a user want to access a resource, a new link (with validation token?) will be generated.

Does anyone did already something similar? Or does anyone have an idea on how I could implement it?

I’m willing to pay for this small freelance job if someone is available.

Thanks in advance.


As you probably know, that's not the purpose of Orthanc (see also

As you highlighted, this would require the development of a plugin on top of Orthanc to create a kind of patient portal.

There are commercial solutions available on the market like Osimis product Lify which embeds such a patient portal which feets the requirements you described.

Kind regards,


Hi Michael,

Thanks for your reply.

Yeah, I suppose this must be done with a custom plugin and I am willing to pay for it if anyone is interested. If you know someone, please send me his/her contact.

I’ll take a look at Lify, but thing is that the only part that interest me is the custom access to the resources. I’d pay for a whole product just to use one feature :confused:

Anyways, thanks again for your reply.

Hi, I’m doing the same thing now, I am using Advanced authorization plugin and DICOMweb plugin to fullfill this.
I set up a custom authorization server with Go Lang (JWT), then put the authorization server address in config.json.

“Authorization” : {
“WebService” : “http://localhost:9300/”,
“TokenGetArguments”: [“token”],
“TokenHttpHeaders” : [“Authorization”]

There are two ways to add authorization to your request.

1. Add token in your request header (support any request method)


2. Add token to request URL param (support GET method only), just like format below:


And you can make your own frontend app based on DICOM Web API now.

在 2019年6月14日星期五 UTC+8上午5:26:16,Thiago Régis写道:

Hi Ritchie,

Great! Thanks for your reply :slight_smile:

So, basically, Orthanc will try to authenticate on your GoLang app before render the image. And it will only allow the user to access the image if the authentication succeeds. Is it right?

Would you share your GoLang app? My app is written in PHP, so I would just use your code as an inspiration.

Thanks again for your time.


Hi Thiago,

FYI, here’s a link to a more than basic auth-server written in node.js that gives you an idea of what you shall implement:


Thanks Alain!


Hi Thigo, Your understanding is right!

I am so sorry that my project is still under development, I can’t share private code with you now, but I can share my steps here:

  1. Install Advanced authorization plugin and DICOMweb plugin
  2. Write an authorization service with PHP/Golang or any backend language
  3. Config two plugins in your Orthanc config.json


“DicomWeb”: {
“Enable”: true,
“Root”: “/api/”,
“EnableWado”: true,
“WadoRoot”: “/wado”,
“Ssl”: false,
“StowMaxInstances”: 10,
“StowMaxSize”: 20,
“QidoCaseSensitive”: false

“Authorization”: {
“WebService” : “http://localhost:9300/”,
“TokenGetArguments”: [“token”],
“TokenHttpHeaders”: [“Authorization”],
“UncheckedFolders”: [

(http://localhost:9300 is my authorization service address, replace with yours)

  1. When user login successfully (store token in user’s local storage)
  2. As every request to DICOM Web API, get token from user’s local storage
  3. Put the token in user’s request headers like the format below:


Bearer your_long_token_string_here

  1. Write any logic in authorization service to control user access now, for detail in plugin’s document.
  2. If you are using the osimis-viewer, just put the user’s token as a URL param to control access to the viewer, but there will a pitfall here

BTW, for my project, I have two user roles: admin and user,


  • access study list
  • access all studies in osimis-viewer
  • upload Dicom files
  • remove Dicom files
  • download Dicom files


  • upload Dicom files
  • access study list uploaded by self
  • access study uploaded by self

在 2019年6月20日星期四 UTC+8下午2:44:38,Thiago Régis写道:

Hi all,

I’ve just implemented support for auth token passed as url parameters in the viewer.
Check the following example:

It’s currently available in osimis/orthanc:19.6.4 docker image if you define WVB_ALPHA_ENABLED=true




I am trying to achieve something similar.
How do you know which user uploaded data?