User permission

GioBlank · January 28, 2025, 10:43am

Hi everybody, I want to implement user permissions based authentication. I’m following Orthanc Book/Advanced authorization plugin. My config.json has the following values:

"AuthenticationEnabled":false,
"Authorization": {
    "WebServiceUserProfileUrl":"http://localhost:8000/user/profile",
    "StandardConfigurations":["orthanc-explorer-2"],
    "CheckedLevel":"Studies"
}

Then I have my local service implemented in python with flask, something like that:

@app.route('user'profile', methods=['POST'])
def get_profile():
  print("Method: /user/profile")
....

but when I go to the following url http://localhost:8042/ui/app/?token=1234 it opens empty OE2 without any DICOM element, and the python service is not called. Why? Is it mandatory to define the “ROOT” web service? But in that case I need to implement all the four REST APIs?
Thank you,
GioB

Lorenzo · January 29, 2025, 8:19am

Hi,
I tried the exact same thing, but If i don’t define in the configuration file the ROOT for the webservice the auth plugin doesn’t call my get-profile api. Maybe we are doing the same mistake. Hope somebody answer to your request.
By,
Lorenzo

GioBlank · January 30, 2025, 5:43pm

Tks Lorenzo for your reply, any news? I didnt’ managed to solve this problem. Is there anybody else that has my same problem?
Tks GioB

alainmazy · January 31, 2025, 5:40pm

Hi,

OE2 is not designed to take a token in the GET argument so it is not forwarding it when sending requests to Orthanc → therefore, the auth web service is not called.

Using a token in a url to authenticate as a user looks very weak from the security point of view. Tokens in url are always used to grant access to a single resource (if the token leaks, only one resource leaks, not an entire user access).

That’s why, right now, OE2 only supports Keycloak (aka OpenID) to handle users → because user tokens are used in HTTP headers only and are refreshed every few minutes like in any modern web application.

Hope this helps,

Alain

GioBlank · February 2, 2025, 10:02am

Hi Alain,
yes, I know that using token inside url as GET argument is weak from security point of view, but I can manage a token generation strategy by myself. Reading the documentation of the Orthanc book I read that if I don’t implement all four authentication routes I don’t have to insert “WebServiceRootUrl”, and if I implement only the user profile route, I have to define the key “WebServiceUserProfileUrl”. But if I insert only this, as described in the book documentation with the value “http://localhost:8000/user/profile”, my web service doesn’t receive any call to get the user profile. Of course my endpoint is defined as @app.route(‘user/profile’, methods=[‘POST’]) but I also tried to define it with @app.route(‘user/get-profile’, methods=[‘POST’]). Why?
Thanks
GioBlank

alainmazy · February 3, 2025, 10:13am

That’s because OE2 is not designed to take a token in the GET argument so it is not forwarding it when sending requests to Orthanc → therefore, the auth web service is not called.