Question about usage of the Advanced authorization plugin

Hello,

I just started digging into how this works by setting up a little ‘fake’ auth server that captures the data posted by Orthanc, processes the requests, and for now always returns the granted JSON.

{
  "granted": true,
  "validity" : 0
}

https://book.orthanc-server.com/plugins/authorization.html

I tried integrating it with OE2, and I am getting an error like this for the https://localhost:8042/ui/api/configuration route:

|Details|List of strings expected in field: permissions|
|HttpError|Bad Request|
|HttpStatus|400|
|Message|Bad file format|
|Method|GET|
|OrthancError|Bad file format|
|OrthancStatus|15|
|Uri|/ui/api/configuration|

thrown in: E0426 01:25:04.904496 PluginsManager.cpp:153]

The generated config for Authorization is like this:

{
   "Authorization": {
     "WebServiceRootUrl": "http://nginx/",
     "WebService": "http://nginx/",
     "WebServiceIdentifier": "change-me",
     "TokenHttpHeaders": [
       "token"
     ],
     "TokenGetArguments": [
       "token",
       "auth-token",
       "authorization"
     ],
     "StandardConfigurations": [
       "osimis-web-viewer",
       "stone-webviewer",
       "orthanc-explorer-2"
     ],
     "CheckedLevel": "studies",
     "Permissions": [
       [
         "post",
         "^/auth/tokens/decode$",
         ""
       ],
       [
         "post",
         "^/tools/lookup$",
         ""
       ],
       [
         "post",
         "^/tools/find$",
         "all|view"
       ],
       [
         "get",
         "^/(patients|studies|series|instances)/([a-f0-9-]+)$",
         "all|view"
       ],
       [
         "get",
         "^/(patients|studies|series|instances)/([a-f0-9-]+)/(studies|study|series|instances)$",
         "all|view"
       ],
       [
         "get",
         "^/instances/([a-f0-9-]+)/(tags|header)$",
         "all|view"
       ],
       [
         "get",
         "^/statistics$",
         "all|view"
       ],
       [
         "get",
         "^/changes$",
         "all|view"
       ],
       [
         "put",
         "^/auth/tokens/(viewer-instant-link|meddream-instant-link)$",
         "all|view"
       ],
       [
         "put",
         "^/auth/tokens/(download-instant-link)$",
         "all|download"
       ],
       [
         "put",
         "^/auth/tokens/(stone-viewer-publication|meddream-viewer-publication|osimis-viewer-publication|ohif-viewer-publication)$",
         "all|share"
       ],
       [
         "post",
         "^/instances$",
         "all|upload"
       ],
       [
         "get",
         "^/jobs/([a-f0-9-]+)$",
         "all|send|modify|anonymize|q-r-remote-modalities"
       ],
       [
         "post",
         "^/(peers|modalities)/(.*)/store$",
         "all|send"
       ],
       [
         "get",
         "^/(peers|modalities)$",
         "all|send|q-r-remote-modalities"
       ],
       [
         "post",
         "^/modalities/(.*)/echo$",
         "all|send|q-r-remote-modalities"
       ],
       [
         "post",
         "^/modalities/(.*)/query$",
         "all|q-r-remote-modalities"
       ],
       [
         "get",
         "^/queries/([a-f0-9-]+)/answers$",
         "all|q-r-remote-modalities"
       ],
       [
         "post",
         "^/modalities/(.*)/move$",
         "all|q-r-remote-modalities"
       ],
       [
         "get",
         "^/DICOM_WEB_ROOT/servers$",
         "all|send|q-r-remote-modalities"
       ],
       [
         "get",
         "^/DICOM_WEB_ROOT/(servers)/(.*)/stow$",
         "all|send"
       ],
       [
         "post",
         "^/(patients|studies|series|instances)/([a-f0-9-]+)/modify(.*)$",
         "all|modify"
       ],
       [
         "post",
         "^/(patients|studies|series|instances)/([a-f0-9-]+)/anonymize(.*)$",
         "all|anonymize"
       ],
       [
         "delete",
         "^/(patients|studies|series|instances)/([a-f0-9-]+)$",
         "all|delete"
       ],
       [
         "post",
         "^/tools/bulk-delete$",
         "all|delete"
       ],
       [
         "put",
         "^/tools/log-level$",
         "all|settings"
       ],
       [
         "get",
         "^/tools/log-level$",
         "all|settings"
       ]
     ]
   }
}

When I have a blank config:

{
    "Authorization" : {}
}

I get this, which I presume is the expected behavior:

W0426 02:02:15.926832 PluginsManager.cpp:261] Registering plugin 'authorization' (version 0.5.1)
W0426 02:02:15.927938 PluginsManager.cpp:157] Initializing the authorization plugin
W0426 02:02:15.933596 PluginsManager.cpp:157] Authorization plugin: no url defined for Token Validation
W0426 02:02:15.934575 PluginsManager.cpp:157] Authorization plugin: no url defined for User Profile
W0426 02:02:15.935509 PluginsManager.cpp:157] Authorization plugin: no base url defined for Token Creation
W0426 02:02:15.936585 PluginsManager.cpp:157] Authorization plugin: ----------- insecure setup ---------- No Token Validation or User Profile url defined -> will only be able to generate tokens.  Authentication is not enabled -> anyone will have access to all API routes.
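A minimal token-validation web service of the kind described above, added here as an example (it is not code from this thread or from the Orthanc project): instead of always answering granted, it grants only GET requests for studies on a per-token allowlist. The request field names "token-value", "method", "level" and "dicom-uid" follow the plugin's documentation as I read it and are assumptions; the token and study UID are constructed sample values.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample data: which Study Instance UIDs each token may read.
TOKEN_SCOPES = {
    "demo-token-abc": {"1.2.826.0.1.3680043.8.498.1"},
}
# Orthanc caches a decision for "validity" seconds; 0 would disable caching.
VALIDITY_SECONDS = 60


def authorize(payload: dict) -> dict:
    """Decide one token-validation request posted by the Authorization plugin.

    Assumed request fields: "token-value", "method", "level", "dicom-uid".
    Everything that is not a read of an allowlisted study is denied.
    """
    allowed = TOKEN_SCOPES.get(payload.get("token-value", ""))
    if allowed is None:                      # unknown or missing token
        return {"granted": False, "validity": VALIDITY_SECONDS}
    if payload.get("method") != "get":       # read-only tokens
        return {"granted": False, "validity": VALIDITY_SECONDS}
    if payload.get("level") == "study" and payload.get("dicom-uid") in allowed:
        return {"granted": True, "validity": VALIDITY_SECONDS}
    return {"granted": False, "validity": VALIDITY_SECONDS}


class Handler(BaseHTTPRequestHandler):
    """Answers every POST with the {"granted": ..., "validity": ...} shape."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        try:
            payload = json.loads(self.rfile.read(length) or b"{}")
        except json.JSONDecodeError:
            payload = {}                     # malformed body -> denied
        body = json.dumps(authorize(payload)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8000), Handler).serve_forever()
```

Because the handler answers every path with the token-validation shape, it only covers the token check; any other request the plugin makes needs its own response format.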

Hi Stephen,

Note that I have updated the orthanc book since the documentation was obsolete.

If trying to integrate with OE2, you should start from this project that does the job already.

If you still encounter some issues, please provide a full docker-compose sample for us to reproduce.

Best regards,

Alain.


Alain,

Thank you.

NICE !!

Looks a little complicated to configure, but it might be worth the effort at this point since I want to integrate Med Dream now as well. There are apparently “Lite” and “Full” versions of Med Dream. Is the integration basically the same for either one?

Maybe just start with this to fully understand how it all is supposed to work?

Looks like most of the containers are configured via reverse proxy in “enabled-reverse-proxies” ?

/keycloak
/meddream
/orthanc-api/studies/ (with basic auth)
orthanc/ui/app/#/ (with basic auth)

I cloned that one and have it up and running to experiment around with, but it will take a bit to figure out how it all works and to configure it.

If I need some assistance or a tutorial on how to integrate this into new or existing setups are you able to recommend someone ? I realize most people are busy, including myself.

/sds

I started to look into orthanc-auth-service a little bit by just installing the following services from that package because I’m not sure I would want to use KeyCloak just yet, and I already have Orthanc instances with the MedDream Python script. I have a web app that has user accounts for patients and doctors already, linked to their PatientID’s and ReferringPhysicianNames (unique).

meddream-token-service
meddream-viewer

From what I can tell, a curl request like this:

curl http://meddream-token-service:8088/v3/generate -H 'Content-Type: application/json' -d '{"items" : [{"studies":{"study":"1.3.6.1.4.1.56016.1.1.1.5119.1680097720","storage":"Orthanc"}}]}'

does indeed return a token like this:

h8nRqia0aCYyfwg72TlWmNa1KozeTRvSwk-isbhoIdlDsVIsmjPmaf6wjEdpWtbLL-0FFojTOreXDcdvVbOFNlH5Z-uLND33TUMVCnoV3Ezbs1v130U=

which I presume is a base64-encoded JWT that is encrypted or something?

and then:

curl http://meddream-token-service:8088/v3/validate?token=h8nRqia0aCYyfwg72TlWmNa1KozeTRvSwk-isbhoIdlDsVIsmjPmaf6wjEdpWtbLL-0FFojTOreXDcdvVbOFNlH5Z-uLND33TUMVCnoV3Ezbs1v130U=

returns:

Token not found or expired or:

{"items":[{"studies":{"study":"1.3.6.1.4.1.56016.1.1.1.5119.1680097720","storage":"Orthanc"}}]}

which is just the original body that was posted.

Is that basically how that part is supposed to work, and I can look into how to create links with the tokens ?

I can read the documentation there for the “Working with MedDream” part. Looks quite nice.

Stephen D. Scotti

Just a little follow up about this. I implemented it thus far without the KeyCloak integration, i.e. just the MedDream Viewer and the Token Service for MedDream, along with my own NGINX front-end.

It works quite nicely so far with the token method. However, I am using a single Orthanc Instance (i.e. it is handling DICOM and the API). I presume that it might be helpful to add the dedicated orthanc-for-meddream or orthanc-for-api as a dedicated Orthanc instance to handle the API requests for the MedDream custom Python script rather than having the single Orthanc instance handle everything ?

There is also quite a bit of tweaking to do to get MedDream to render / return encapsulated PDFs with the token links, etc., and it seems that there might be some configuration options related to memory allocation / etc. within the MedDream package itself (?com.softneta.preparation.coreThreadCount=#)

For anyone interested, in the application.properties, adding DOCUMENT_VIEW seems to render PDFs with the token links:

authorization.defaultHisPermissions=EXPORT_ISO,EXPORT_ARCH,DOCUMENT_VIEW

and with the token request, explicitly adding DOCUMENT_VIEW to permissions seems to work.


{
	"items": [{
		"studies": {
			"study": "'.$post['StudyInstanceUID'].'",
			"storage": "PROD"
		}
	}],
	"permissions": ["DOCUMENT_VIEW"]
}

In the current setup, it is not a very busy facility (< 10 MRIs per day only), so I am not sure it is really necessary, but it might be helpful?

@alainmazy

Hello

Thanks so much for the contributions towards making Orthanc better. However, I have a few questions about the Orthanc + Keycloak authentication:

  1. The login URL "localhost/Orthanc/app/ui/ does not work outside the host machine… I have a system on the same network and once I try to open the URL it returns nothing. Just the header alone says Orthanc. No login, no feedback…

Please can you point me to what to do to make this available on the entire network when called

Your help will be much appreciated

@sdscotti

Hello Stephen

I was having the same issues before, until I tried the project "Orthanc with Keycloak" by Alain, and it worked quite well. However, when you try to call the URL "http://localhost/orthanc/*****/ outside the host machine from another system on the same network, it returns nothing except the header where you see Orthanc Explorer 2…

Do you know what I can do to change this?

Hi @Holakunle69

What do you mean by

Just the header alone says orthanc. No login no feedback…

Maybe you should provide a screen capture of your browser with the dev tools open?

Best regards,

Alain

@alainmazy

Thanks Alain for the response.

Orthanc runs perfectly well on the host machine. However, when I tried to open the same URL, which is http://localhost/orthanc/ui/app/, on another workstation on the same network, it returns this image. I replaced localhost with the IP address of the host machine…

Image 2.

See image below.

Your help will be much appreciated.

Hi,

I have just clarified the documentation wrt accessing the system from a remote computer:

HTH,

Alain

@alainmazy

Thanks once again Alain, but I guess this hasn't really answered my question.

The above documentation, I guess, will work for clients over the internet. However, my setup is over an INTRANET for now and I think this documentation is yet to address that… Is it possible to have http://: port/keycloak/ instead of the .com?

Thank you

@Holakunle69 why don’t you try instead of asking :slight_smile:?

I have tested it with a numeric IP in a LAN while writing the doc.
