Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 49 Next »

The eHealth Infrastructure has two Authorization Service (AS) configurations providing authentication and authorization for client systems and internal use.

Authorization Service Configurations

The Authorization Service configurations support the following user types of the eHealth Infrastructure:

  • citizen

  • clinical and/or administrative employee

  • service, support & logistics (SSL) supplier employee

  • system users

  • system administrator users

The AS configurations consists of:

  • One KeyCloak with

    • realm ehealth - for clinical and/or administrative employee login

    • realm nemlogin - for citizen login

  • One SSL KeyCloak with

    • realm ssl - SSL supplier employee login

System users and system administrator users exist in all the realms.

Authentication and Authorization Flow

The login protocol between the client systems and the login component is the OpenID Authentication Code Flow of OpenID Connect 1.0.

OIDC-OAuth 2 Authorization Code Flow (Simplified)

Further details on the client’s initiation are described in Client Use. As a reaction, the Authorization Service initiates federation of authentication and possibly authorization depending on the realm:

In non-production environments, login without this federation actually taking place can be simulated through use of the so-called mocked users. Mocked users are authenticated (and authorized depending on variant) in the eHealth Authentication Services.

After successful authentication, three tokens are issued for separate purposes:

  • an ID token – information for the client system about the authenticated user.

  • an Access Token (AT) – a token with a relatively short period of validity (few minutes), which the client systems must include in all service requests.

  • a Refresh Token (RT) – a token with a long validity, which can be used to renew the AT, thereby extending or resuming the session without the user having to authenticate again.

The set of services and service operations that the client is authorized to use privileges is conveyed through the Access Token. The set depends on user type and/or federated authentication. The eHealth services perform access control based on the Access Token, often constrained by additional contexts that must be set in the Access Token.

Authorization Based on User Type and Contexts set in the Access Token

The eHealth infrastructure defines the following contexts:

  • Organization Context

  • Careteam Context

  • Patient Context

  • Episode of Care Context

The following is an informative overview of user types must present what contexts. The normative mapping is described in Access Control in eHealth Services.

Citizen User Type and Contexts

A citizen user type is authorized to see almost all data pertaining to the citizen.

This user type will have the Patient Context set.

In general, modifying data requires the Episode of Care Context being set.

Citizens that logs into the infrastructure using NemID are looked up as FHIR Patient resources with the social security number found in the SAML assertion. If a match is found, the FHIR Patient resource ID will be present in the Refresh Token handed back to the client. If no match to a FHIR Patient resource is found, no FHIR Patient resource ID will be present in the Refresh Token. This means that citizens that are not part of any treatment in the infrastructure will be allowed to login, but won't have any rights to read or write any data.

Clinical and/or Administrative Employee User Type and Contexts

Whenever clinicians passes a successful loginflow the data from the SAML assertion is parsed and converted to the matching FHIR resources Practitioner, PractitionerRole and CareTeam which are updated in the infrastructure. This means that clinicians (FHIR Practitioners) will be present after login. This also means that clinicians that haven't logged in, won't be present as FHIR resources. Besides the creation and update of the FHIR resources, the loginflow also results in short lived session within the AS (Keycloak). The lifetime of the Keycloak session follows the lifetime of the Refresh Token.

  • No labels