Use custom auth headers (JWT, X.509, Basic etc.) #91

Open
ZuSe opened this issue Sep 23, 2020 · 2 comments

ZuSe commented Sep 23, 2020

Hi guys,

I would love to use the library in one of our backend components. It's a microservice that has to listen to changes in several FHIR resources and act accordingly. So basically there is no user authentication in the whole process.
For security reasons we are either using JWT or X.509 Certs as authentication between our services.

So my question: is it possible to use the lib with one of those methods, e.g. giving a static custom Authorization header to the client?

Best
Patrick

@vincentmajor

I'm trying to do the same thing and after reading through the code I've determined it is not possible to use a JWT cert to authenticate. I'm trying to auth first and then update the client state, not sure if it will work.

The long story is that for a JWT cert (for Epic at least), to get an access token, you need to pass the JWT cert encoded with RS384 with `'grant_type': 'client_credentials'`. This code (v4 at least) hardcodes `'grant_type': 'authorization_code'` in `_code_exchange_params` called within `handle_callback()`.
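
The token request described in the comment above (an RS384-signed JWT sent with `grant_type=client_credentials`) can be assembled as shown here, following the RFC 7523 client-assertion format. This is an added example, not code from the thread or from the library; the function names, the `kid` parameter and the caller-supplied `sign` callable (assumed to return the RSASSA-PKCS1-v1_5/SHA-384 signature from a crypto library or KMS) are assumptions.

```python
import base64
import json
import time
import uuid
from urllib.parse import urlencode

# Illustrative names only; none of these functions are the library's API.
# Value fixed by RFC 7523 for JWT client authentication.
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def build_client_assertion(client_id, token_url, sign, kid, now=None, lifetime=300):
    """Return a compact RS384 JWT; `sign(bytes) -> bytes` holds the private key."""
    now = int(time.time()) if now is None else int(now)
    header = {"alg": "RS384", "typ": "JWT", "kid": kid}
    claims = {
        "iss": client_id,          # issuer and subject are both the client id
        "sub": client_id,
        "aud": token_url,          # must match the token endpoint URL
        "jti": str(uuid.uuid4()),  # unique per request, limits replay
        "iat": now,
        "exp": now + lifetime,     # keep the assertion short-lived
    }
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))


def token_request_body(assertion):
    """Form body for the token endpoint POST (application/x-www-form-urlencoded)."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": assertion,
    })


def bearer_header(token_response: dict) -> dict:
    """Authorization header for later FHIR requests, from the token response JSON."""
    if token_response.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return {"Authorization": "Bearer " + token_response["access_token"]}
```
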


ZuSe commented Oct 18, 2021

Hi @vincentmajor

Don't think so complex about that. What would help for now would be the option to provide any kind of Custom Authorization Header. It's then up to the client developer from where he gets the proper value.
Not even Basic Auth is possible at the moment.
