Universal Login Page Workflow Diagram Text Description

  1. The OAuth workflow redirects the user to the Universal Login Page on the OAuth server.

  2. The user enters their credentials. Note that a separate password reset workflow may occur here if password reset is enabled. The password reset workflow is described in a separate diagram later in this chapter. There is also a forgot password workflow option. See the links below the diagram.

  3. Once it acquires user credentials, the OAuth server redirects the authentication request to the HealthShare Registry by sending it an AuthenticateAuthorize message. The Registry handles authentication and then authorization of the user.

  4. When it receives the AuthenticateAuthorize message, the Registry invokes the OnAuthenticate callback in the security domain callback class. The security domain callback class is your custom class that extends HS.Registry.Person.User.HSAuth.

    • In an internal security domain, the HealthShare user/clinician registry validates the user's credentials.

    • In an external security domain, the OnAuthenticate callback designates an external source such as an LDAP server to validate the credentials.

  5. Now that the credentials are validated, the Registry invokes the OnAuthorize callback in the security domain callback class:

    • In an internal security domain, the HealthShare user/clinician registry obtains roles for the login ID.

    • In an external security domain, the OnAuthorize callback designates an external source such as an LDAP server to obtain the roles, given the username and login ID.

  6. The Registry returns the username and roles to the OAuth server in an AuthResponse message.

  7. If two-factor authentication is enabled:

    1. The Registry invokes the SendTwoFactorToken callback in the security domain callback class. The security domain callback class is your custom class that extends HS.Registry.Person.User.HSAuth.

    2. The callback delivers the two-factor token to the user.

    3. The Registry displays the HealthShare two-factor user interface page.

    4. The user enters the two-factor token on the page. If the user instead requests the token to be resent, then the SendTwoFactorToken callback is invoked again.

    5. HealthShare validates the two-factor token.

  8. Control returns to the ValidateUser callback in the OAuth workflow.
