Before a client system can interface with the eHealth Infrastructure, the following items must be carried out and complied with:

- A client application to the eHealth Infrastructure must implement the OpenID Connect "code flow" (authorization code flow) in order to log in and obtain a set of tokens.
- A client application must be created and set up in the login server and assigned a name, and the URLs used to redirect back to the client must be whitelisted.
- A client can be either confidential (like a server application) or public (like an app or a web application). Confidential clients authenticate themselves with a password. Public clients must use PKCE (pronounced "pixy"). Explanations can be found in many places.
Info: Information on redirect URLs. These URIs specify where the client sends (redirects) its users after log-in, log-out or refresh. The URLs that Keycloak redirects to must be whitelisted. The URLs must be specific and may not contain wildcards (*), as this can be a security risk (see Securing Applications and Services Guide (keycloak.org)). This could be pages like ‘
Having completed these bullets, the Authorization Server (AS) will delegate parts of the login, potentially to other federated servers, but that is transparent to the client (provided the login is handled by a generic browser window that can handle redirects).
...
To end a session, use the end_session_endpoint found in the openid-configuration of the environment (e.g. openid-configuration).
Example:
...
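The pieces described above (authorization code flow started by a public client with PKCE, an exact-match redirect URL whitelist without wildcards, and a log-out request against end_session_endpoint) are put together below as an added, self-contained Python example. It is not code from the eHealth Infrastructure or from Keycloak: the issuer and endpoint URLs are constructed placeholders (a real client reads them from the environment's openid-configuration), the client id and whitelist are constructed, and no HTTP request is sent.

```python
"""Added example: OpenID Connect authorization code flow with PKCE (S256) and
strict redirect-URI whitelisting, from the point of view of a public client.

All endpoint URLs are constructed placeholders; a real client takes them from
the environment's openid-configuration document.
"""
import base64
import hashlib
import secrets
from typing import List, Optional, Tuple
from urllib.parse import urlencode, urlparse

ISSUER = "https://login.example.invalid/auth/realms/example"          # placeholder
AUTHORIZATION_ENDPOINT = ISSUER + "/protocol/openid-connect/auth"      # placeholder
END_SESSION_ENDPOINT = ISSUER + "/protocol/openid-connect/logout"      # placeholder


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636).

    The verifier stays on the client and is sent only to the token endpoint;
    the SHA-256 challenge goes in the authorization request, so an intercepted
    authorization code cannot be redeemed without the verifier.
    """
    if verifier is None:
        verifier = _b64url(secrets.token_bytes(32))  # 43 chars, within the 43..128 range
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def is_whitelisted_redirect(redirect_uri: str, whitelist: List[str]) -> bool:
    """Exact-match check of a redirect URI against the registered list.

    Mirrors the rule on the page: entries must be specific and contain no
    wildcards, so no prefix or pattern matching is attempted. RFC 6749 also
    forbids a fragment component in redirect URIs.
    """
    if any("*" in entry for entry in whitelist):
        raise ValueError("wildcard entries are not allowed in the redirect whitelist")
    if urlparse(redirect_uri).fragment:
        return False
    return redirect_uri in whitelist


def build_authorization_url(client_id: str, redirect_uri: str, whitelist: List[str],
                            state: str, code_challenge: str) -> str:
    """Build the authorization request that starts the code flow."""
    if not is_whitelisted_redirect(redirect_uri, whitelist):
        raise ValueError("redirect_uri is not whitelisted: " + redirect_uri)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,                    # CSRF binding; compared on the way back
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def build_end_session_url(id_token_hint: str, post_logout_redirect_uri: str,
                          whitelist: List[str]) -> str:
    """Build the end_session_endpoint request that terminates the session."""
    if not is_whitelisted_redirect(post_logout_redirect_uri, whitelist):
        raise ValueError("post_logout_redirect_uri is not whitelisted")
    params = {
        "id_token_hint": id_token_hint,
        "post_logout_redirect_uri": post_logout_redirect_uri,
    }
    return END_SESSION_ENDPOINT + "?" + urlencode(params)


if __name__ == "__main__":
    allowed = ["https://app.example.invalid/callback"]  # constructed whitelist
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    # Step 1: send the browser here; keep verifier and state in the client session.
    print(build_authorization_url("my-public-client", allowed[0], allowed, state, challenge))
    # Step 2 (not shown): exchange the returned code plus verifier at the token endpoint.
    # Step 3: end the session via end_session_endpoint.
    print(build_end_session_url("<id_token from step 2>", allowed[0], allowed))
```

The whitelist check deliberately does string equality only: a registered entry such as `https://app.example.invalid/callback` does not match `https://app.example.invalid/callback/extra`, and a whitelist containing `*` is rejected outright, which is the behaviour the Info box above asks for.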