If you cannot use a reverse proxy, it means that only Orthanc can be running, right? (you can’t install KeyCloak, etc…)
So, you have to design something that works with Orthanc alone + plugins.
What the Advanced authorization plugin does is to intercept all HTTP endpoints to Orthanc, and only provide access if a certain web service that is configured responds to it (this web service can be Orthanc itself, if you write a plugin that overrides the correct routes (/tokens/validate), etc…)
If I understand correctly, you do not want to use a token in a header or in a URL argument and want to use basic auth.
I do not think (I could be wrong!) that the auth plugin is able to parse the basic auth string to call the web service so, in that case, I thought that your last resort was to do the same as this plugin does: check access to all the relevant endpoints on your own (those that provide access to resources in one way or another), with your own logic (as in the example above where you extract the authorization header). I think this is a lot of work.
Maybe I got that wrong, I don’t have much experience with authorization mgmt in Orthanc.
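A sketch of the "check access on your own" logic described in the post above, added here as an illustration; it is not part of the original post and not code from the Orthanc project. The user table, salt, study identifiers, read-only policy and the lowercase `authorization` header key are assumptions, and the function is meant to be called from whatever request hook your plugin registers.

```python
import base64
import hashlib
import hmac
import re

SALT = b"constructed-salt"  # constructed sample value

def derive(password):
    # Salted, slow hash so the table below never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed sample users and the study IDs each one may read (hypothetical).
USERS = {"alice": {"key": derive("correct horse"), "studies": {"study-1"}}}

# Orthanc REST resource levels; anything that does not match is denied.
RESOURCE = re.compile(r"^/(patients|studies|series|instances)(?:/([^/]+))?(?:/.*)?$")

def basic_header(user, password):
    # Helper to build a sample Authorization header value.
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header):
    # Return (user, password), or None when the header is absent or malformed.
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def is_allowed(method, uri, headers):
    # Default deny: every early return below refuses the request.
    creds = parse_basic(headers.get("authorization"))
    if creds is None:
        return False
    user, password = creds
    record = USERS.get(user)
    # Hash even for unknown users so timing does not reveal valid names.
    expected = record["key"] if record else derive("")
    ok = hmac.compare_digest(derive(password), expected)
    if record is None or not ok or method != "GET":
        return False
    match = RESOURCE.match(uri.split("?", 1)[0])
    if not match:
        return False
    level, resource_id = match.groups()
    # Only per-study reads are granted; listings and other levels are denied.
    return level == "studies" and resource_id in record["studies"]
```

Patient, series and instance routes are denied here because mapping them to a permitted study requires looking up the parent study, which is the part of the work the post calls substantial.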
Hi Alain, thank you so much! I will try the sample and let you know.
By the way, now it is (of course) a pre-release and experimental feature. Is it possible that this will become an official release feature in future releases?
Tks again,
Lorenzo
Hi Alain,
I tested the pre-release branch of Orthanc with the example script you provided. It works perfectly as I expected. If there are no drawbacks, are you planning to release the feature in the next official version of the software or is there a longer waiting period?
Thanks a lot,
Lorenzo