Internet User Authorization (IUA) Support
InterSystems products have built-in support for OAuth 2.0 that satisfies the requirements of the IHE Internet User Authorization (IUA) profile, which provides an authorization profile for HTTP RESTful transactions. For an introduction to the IUA profile, see the IHE Wiki.
All of the IUA actors and transactions are supported by InterSystems products. Descriptions of how to implement these actors and transactions are found in sections of the Using OAuth 2.0 and OpenID Connect guide. For specific instructions related to an actor or transaction, see the links below. Note that the Using OAuth 2.0 and OpenID Connect guide uses the term access token, while the IHE profile uses the term authorization token.
IUA Actors
InterSystems products can act as all three IUA actors:
-
Authorization Client — Obtains an authorization token from the Authorization Server and attaches that token to a request to the Resource Server to prove that it is authorized to complete the transaction. For implementation details, see “Using an InterSystems IRIS Web Application as an OAuth 2.0 Client” in the Using OAuth 2.0 and OpenID Connect guide.
-
Authorization Server — Confirms the Authorization Client’s credentials and other information before issuing the client an authorization token it will use to complete a transaction with the Resource Server. For implementation details, see “Using InterSystems IRIS as an OAuth 2.0 Authorization Server” in the Using OAuth 2.0 and OpenID Connect guide.
-
Resource Server — Accepts an HTTP RESTful transaction request only if the request carries a valid authorization token (one the Resource Server can verify as genuine, unexpired, and scoped to the requested resource) and rejects it otherwise. For implementation details, see “Using an InterSystems IRIS Web Application as an OAuth 2.0 Resource Server” in the Using OAuth 2.0 and OpenID Connect guide.
IUA Transactions
InterSystems products can successfully complete both IUA transactions: Get Authorization Token and Incorporate Authorization Token.
Get Authorization Token (ITI-71)
The Get Authorization Token transaction involves the Authorization Client and Authorization Server, both of which are supported by InterSystems products. The setup and process by which the Authorization Client requests and obtains an authorization token is described in the “Configuration Requirements” and “Obtaining Tokens” sections of “Using an InterSystems IRIS Web Application as an OAuth 2.0 Client”. The setup and basic logic for handling a client’s request for an authorization token and the granting of that token is described in “Using InterSystems IRIS as an OAuth 2.0 Authorization Server” in the Using OAuth 2.0 and OpenID Connect guide.
Incorporate Authorization Token (ITI-72)
Once an Authorization Client has successfully obtained an authorization token, the client must incorporate that token into the RESTful transaction request sent to the Resource Server. For details on how InterSystems products incorporate a token into a RESTful request, see “Adding an Access Token to an HTTP Request” in the Using OAuth 2.0 and OpenID Connect guide. You can also use InterSystems products as the Resource Server that accepts the HTTP request. For guidance on how to build a Resource Server that extracts an authorization token from an incoming request and validates it before serving the resource, see “Code Requirements” in the Using OAuth 2.0 and OpenID Connect guide.
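The client side of both transactions, as an added example that is not InterSystems' own code: the class obtains a token with the client credentials grant (Get Authorization Token, ITI-71) and then sends it in the Authorization header of a request to a Resource Server (Incorporate Authorization Token, ITI-72). The class name, application name, scope, host, path and SSL configuration name are assumptions; the %SYS.OAuth2 calls are the client API described in the guide.

```objectscript
/// Added example (not InterSystems' own code): an IUA Authorization Client that
/// performs ITI-71 with the client credentials grant and then ITI-72 by sending
/// the token as a Bearer header. Class name, application name, scope, host,
/// path and SSL configuration name are assumptions.
Class IUA.Demo.Client Extends %RegisteredObject
{

/// ITI-71: obtain an access token for the OAuth 2.0 client configured in the
/// Management Portal (applicationName is the name given there).
ClassMethod GetToken(applicationName As %String, scope As %String, Output accessToken As %String) As %Status
{
    Set accessToken = ""
    // Request the token; properties is an optional array of extra token-request
    // parameters and error receives a %OAuth2.Error if the server refuses.
    Set sc = ##class(%SYS.OAuth2.Authorization).GetAccessTokenClient(applicationName, scope, .properties, .error)
    If $$$ISERR(sc) Quit sc
    If $IsObject($Get(error)) Quit $$$ERROR($$$GeneralError, "token request refused: "_error.Error_" "_error.ErrorDescription)
    // IRIS stores the token against the application name; fetch it and confirm
    // it is still valid for the scope this transaction needs.
    If '##class(%SYS.OAuth2.AccessToken).IsAuthorized(applicationName, , scope, .accessToken, .idtoken, .responseProperties, .error) {
        Quit $$$ERROR($$$GeneralError, "no valid access token for scope '"_scope_"'")
    }
    Quit $$$OK
}

/// ITI-72: attach the token to an HTTPS request and call the Resource Server.
/// On success, body receives the response body.
ClassMethod CallResource(applicationName As %String, scope As %String, host As %String, path As %String, sslConfig As %String, Output body As %String) As %Status
{
    Set body = ""
    Set sc = ..GetToken(applicationName, scope, .accessToken)
    If $$$ISERR(sc) Quit sc
    Set httpRequest = ##class(%Net.HttpRequest).%New()
    Set httpRequest.Server = host
    // A bearer token is only as secret as the channel: never send one over plain HTTP.
    Set httpRequest.Https = 1
    Set httpRequest.SSLConfiguration = sslConfig
    // "header" sends Authorization: Bearer <token>. The API also accepts "query"
    // and "body", but a token in the query string ends up in URLs, proxies and logs.
    Set sc = ##class(%SYS.OAuth2.AccessToken).AddAccessToken(httpRequest, "header", sslConfig, applicationName)
    If $$$ISERR(sc) Quit sc
    Set sc = httpRequest.Get(path)
    If $$$ISERR(sc) Quit sc
    // 401 with WWW-Authenticate: Bearer means the Resource Server rejected the token.
    If httpRequest.HttpResponse.StatusCode '= 200 {
        Quit $$$ERROR($$$GeneralError, "resource server returned HTTP "_httpRequest.HttpResponse.StatusCode)
    }
    // Read() without a length returns the first 32000 characters; loop for larger bodies.
    Set body = httpRequest.HttpResponse.Data.Read()
    Quit $$$OK
}

}
```

A call such as `Set sc = ##class(IUA.Demo.Client).CallResource("iua.client", "document.read", "resource.example.org", "/csp/iua/documents/42", "IUA_SSL", .body)` (all values assumed) runs the two transactions in order; the token is never handled by application code, only by the %SYS.OAuth2 methods that store and attach it.

The Resource Server side of Incorporate Authorization Token, as an added example that is not InterSystems' own code: a REST dispatch class that extracts the token from each request, validates it as a JWT against the expected audience and scope, and refuses the request before the resource method runs. The class name, route, APPLICATIONNAME, AUDIENCE and scope are assumptions; the %SYS.OAuth2 calls are the resource server API described under “Code Requirements”.

```objectscript
/// Added example (not InterSystems' own code): the Resource Server side of
/// ITI-72. Class name, route, APPLICATIONNAME, AUDIENCE and scope are assumptions.
Class IUA.Demo.ResourceServer Extends %CSP.REST
{

/// Name of the OAuth 2.0 client configuration that represents this resource
/// server (System Administration > Security > OAuth 2.0 > Client); assumed value.
Parameter APPLICATIONNAME = "iua.resource.server";

/// Audience this server accepts; the token's aud claim must match. Assumed value.
Parameter AUDIENCE = "https://resource.example.org";

XData UrlMap [ XMLNamespace = "http://www.intersystems.com/urlmap" ]
{
<Routes>
<Route Url="/documents/:id" Method="GET" Call="GetDocument"/>
</Routes>
}

/// Returns 1 and the token's claims when the request carries a valid JWT that
/// grants the required scope; otherwise writes a 401 response and returns 0.
ClassMethod Authorize(scope As %String, Output claims As %DynamicObject) As %Boolean
{
    Set claims = ""
    // Extract the token from the Authorization: Bearer header (the API also
    // looks in the query string and form body).
    Set accessToken = ##class(%SYS.OAuth2.AccessToken).GetAccessTokenFromRequest(.sc)
    If $$$ISERR(sc) || (accessToken = "") {
        Set %response.Status = "401 Unauthorized"
        Do %response.SetHeader("WWW-Authenticate", "Bearer")
        Quit 0
    }
    // Local validation of a JWT: signature against the Authorization Server's
    // keys, expiry, issuer, audience and the required scope. This is the check
    // IUA expects of a Resource Server. It fails for an opaque bearer token (the
    // Authorization Server's default output); then either switch the server to
    // %OAuth2.Server.JWT or call %SYS.OAuth2.AccessToken.GetIntrospection() instead.
    Set isValid = ##class(%SYS.OAuth2.Validation).ValidateJWT(..#APPLICATIONNAME, accessToken, scope, ..#AUDIENCE, .claims, .securityParameters, .sc)
    If 'isValid || $$$ISERR(sc) {
        Set %response.Status = "401 Unauthorized"
        Do %response.SetHeader("WWW-Authenticate", "Bearer error=""invalid_token""")
        Quit 0
    }
    Quit 1
}

/// Resource method: the body is only reached when Authorize() accepted the token.
ClassMethod GetDocument(id As %String) As %Status
{
    If '..Authorize("document.read", .claims) Quit $$$OK
    Set result = {}
    Set result.id = id
    // sub is the JWT subject claim (the authenticated caller); claims is the
    // %DynamicObject of token claims that ValidateJWT returned.
    Set result.requestedBy = claims.sub
    Set %response.ContentType = "application/json"
    Write result.%ToJSON()
    Quit $$$OK
}

}
```

The validation call carries the scope and audience so that a token issued for a different Resource Server, or for a narrower scope, is refused even though its signature is good; a 401 with a `WWW-Authenticate: Bearer` header is what the client above treats as a rejected token.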
IUA Actor Options
According to the IUA profile, all actors are required to support the JSON Web Token (JWT) format for the authorization token. These actors can also support the SAML or OAuth Bearer Token formats. You can build your InterSystems Authorization Client and Resource Server to use any of these token formats; however, InterSystems has not tested generating or handling SAML tokens.
By default, an InterSystems product acting as an Authorization Server generates opaque OAuth bearer tokens, which a Resource Server can only check by asking the Authorization Server (introspection), not by validating them locally. To switch to generating JWTs, which the IUA profile requires and which a Resource Server can validate locally by their signature:
-
Open the Management Portal and navigate to System Administration > Security > OAuth 2.0 > Server.
-
Select the Customization tab.
-
In the Generate token class field, enter: %OAuth2.Server.JWT
-
Complete all other requirements for using JWTs (the signing algorithm and the keys the Authorization Server signs with and the Resource Server validates against) as described in Using OAuth 2.0 and OpenID Connect.