
Internet User Authorization (IUA) Support

InterSystems products have built-in support for OAuth 2.0 that satisfies the requirements of the IHE Internet User Authorization (IUA) profile, which provides an authorization profile for HTTP RESTful transactions. For an introduction to the IUA profile, see the IHE Wiki.

All of the IUA actors and transactions are supported by InterSystems products. Descriptions of how to implement these actors and transactions are found in sections of the Using OAuth 2.0 and OpenID Connect guide. For specific instructions related to an actor or transaction, see the links below. Note that the Using OAuth 2.0 and OpenID Connect guide uses the term access token, while the IHE profile uses the term authorization token.

IUA Actors

InterSystems products can act as all three IUA actors: the Authorization Client, the Authorization Server, and the Resource Server.

IUA Transactions

InterSystems products can successfully complete both IUA transactions: Get Authorization Token and Incorporate Authorization Token.

Get Authorization Token (ITI-71)

The Get Authorization Token transaction involves the Authorization Client and Authorization Server, both of which are supported by InterSystems products. The setup and process by which the Authorization Client requests and obtains an authorization token is described in the “Configuration Requirements” and “Obtaining Tokens” sections of “Using an InterSystems IRIS Web Application as an OAuth 2.0 Client”. The setup and basic logic for handling a client’s request for an authorization token and the granting of that token is described in “Using InterSystems IRIS as an OAuth 2.0 Authorization Server” in the Using OAuth 2.0 and OpenID Connect guide.

Incorporate Authorization Token (ITI-72)

Once an Authorization Client has successfully obtained an authorization token, the client must incorporate that token into the RESTful transaction request sent to the Resource Server. For details on how InterSystems products incorporate a token into a RESTful request, see “Adding an Access Token to an HTTP Request” in the Using OAuth 2.0 and OpenID Connect guide. You can also use InterSystems products as the Resource Server that is accepting the HTTP request. For guidance on how to build a Resource Server that extracts an authorization token from an incoming request and examines it, see “Code Requirements” in the Using OAuth 2.0 and OpenID Connect guide.

IUA Actor Options

According to the IUA profile, all actors are required to support the JSON Web Token (JWT) format for the authorization token. These actors can also support the SAML or OAuth Bearer Token formats. You can build your InterSystems Authorization Client and Resource Server to use any of the token formats; however, InterSystems has not tested generating and handling a SAML token.

By default, when an InterSystems product is used as an Authorization Server, it generates OAuth Bearer Tokens. To switch to generating a JWT:

  1. Open the Management Portal and navigate to System Administration > Security > OAuth 2.0 > Server.

  2. Select the Customization tab.

  3. In the Generate token class field, enter: %OAuth2.Server.JWT

  4. Complete all other requirements for using JWTs as described in Using OAuth 2.0 and OpenID Connect.