Hi everybody, I want to implement user permission-based authentication. I'm following the Orthanc Book / Advanced authorization plugin page. My config.json has the following values:
"AuthenticationEnabled": false,
"Authorization": {
    "WebServiceUserProfileUrl": "http://localhost:8000/user/profile",
    "StandardConfigurations": ["orthanc-explorer-2"],
    "CheckedLevel": "Studies"
}
Then I have my local service implemented in python with flask, something like that:
from flask import Flask, request

app = Flask(__name__)

# Flask routes must start with a leading slash; the plugin POSTs to this URL
@app.route('/user/profile', methods=['POST'])
def get_profile():
    print("Method: /user/profile")
    ....
but when I go to the following URL http://localhost:8042/ui/app/?token=1234 it opens an empty OE2 without any DICOM element, and the Python service is not called. Why? Is it mandatory to define the "ROOT" web service? But in that case, do I need to implement all four REST APIs?
Thank you,
GioB
Hi,
I tried the exact same thing, but if I don't define the ROOT for the web service in the configuration file, the auth plugin doesn't call my get-profile API. Maybe we are making the same mistake. Hope somebody answers your request.
Bye,
Lorenzo
Tks Lorenzo for your reply, any news? I didn't manage to solve this problem. Is there anybody else who has the same problem?
Tks GioB
Hi,
OE2 is not designed to take a token in the GET argument so it is not forwarding it when sending requests to Orthanc → therefore, the auth web service is not called.
Using a token in a URL to authenticate as a user looks very weak from the security point of view. Tokens in URLs are always used to grant access to a single resource (if the token leaks, only one resource leaks, not an entire user's access).
That’s why, right now, OE2 only supports Keycloak (aka OpenID) to handle users → because user tokens are used in HTTP headers only and are refreshed every few minutes like in any modern web application.
Hope this helps,
Alain
Hi Alain,
yes, I know that using a token inside the URL as a GET argument is weak from a security point of view, but I can manage a token generation strategy by myself. Reading the Orthanc Book documentation, I read that if I don't implement all four authentication routes I don't have to insert "WebServiceRootUrl", and if I implement only the user profile route, I have to define the key "WebServiceUserProfileUrl". But if I insert only this, as described in the book documentation, with the value "http://localhost:8000/user/profile", my web service doesn't receive any call to get the user profile. Of course my endpoint is defined as @app.route('user/profile', methods=['POST']) but I also tried to define it with @app.route('user/get-profile', methods=['POST']). Why?
Thanks
GioBlank
That’s because OE2 is not designed to take a token in the GET argument so it is not forwarding it when sending requests to Orthanc → therefore, the auth web service is not called.