
Authentication

Sean McIlvenna edited this page Dec 4, 2019 · 6 revisions

Authentication is set up to use OAuth2. Any authentication provider that supports OAuth2 and issues RS256-signed JWTs with a published JWKS endpoint (which is what the server-side validation below relies on) should be configurable with ToF.

Client-side

When a user presses the login button, they are redirected to the configured authentication provider. When the provider (Auth0 in the configuration described here) has authenticated the user, it returns them to /login of Trifolia-on-FHIR. The application startup logic should call handleAuthentication(), which detects that the auth provider has passed authentication token information to ToF in the URL.

The AuthService stores the authentication information, including the token and the id_token, in the browser's local storage so that it survives a page refresh. Whenever the client application makes a request to the server, it sends the id_token as the Bearer token in the Authorization header. Note that anything in local storage is readable by any script that runs on the ToF origin, so the stored tokens are only as safe as the application is from XSS; keeping token lifetimes short limits the damage if one leaks.
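The following is an added example, not Trifolia-on-FHIR's own AuthService code, of the work a handleAuthentication() step has to do on the redirect back to /login: pull the tokens out of the URL fragment, keep them with an absolute expiry, and later hand the id_token back as the Bearer header. It is written as pure functions over a localStorage-like store so it runs under Node as well as in the browser. The fragment parameter names (access_token, id_token, expires_in, state), the storage keys auth_state and auth, the helper names parseAuthFragment, authorizationHeader and memoryStorage, and the state check (which the page does not describe, but which guards against login CSRF) are all assumptions made for this example.

```javascript
// Added example, not Trifolia-on-FHIR's own code: handling the provider's
// redirect back to /login. `store` is anything with the localStorage API
// (getItem/setItem/removeItem); the storage keys and parameter names are
// assumptions for this example.
function parseAuthFragment(hash, now = Date.now()) {
  // Implicit-flow providers return tokens in the URL fragment, e.g.
  //   #access_token=...&id_token=...&expires_in=7200&token_type=Bearer&state=...
  // The fragment is never sent to the server, which is the point of using it.
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  const idToken = params.get('id_token');
  if (!idToken) return null; // not a provider callback; nothing to handle
  return {
    token: params.get('access_token'),
    idToken,
    state: params.get('state'),
    // Absolute expiry, so the client can stop sending a dead token.
    expiresAt: now + Number(params.get('expires_in') || 0) * 1000,
  };
}

// Returns true when a login callback was found, checked and stored.
function handleAuthentication(hash, store, now = Date.now()) {
  const auth = parseAuthFragment(hash, now);
  if (!auth) return false;
  // The state value was generated and saved under 'auth_state' before
  // redirecting to the provider; a callback that does not carry it back is
  // not the login we started (login CSRF). This check is an assumption here.
  const expected = store.getItem('auth_state');
  if (!expected || auth.state !== expected) throw new Error('state mismatch');
  store.removeItem('auth_state');
  store.setItem('auth', JSON.stringify(auth));
  // In the browser, also drop the tokens from the address bar and history:
  //   history.replaceState(null, '', window.location.pathname);
  return true;
}

// Header to attach to server requests, or null when there is no live token.
function authorizationHeader(store, now = Date.now()) {
  const raw = store.getItem('auth');
  if (!raw) return null;
  const auth = JSON.parse(raw);
  if (auth.expiresAt <= now) {
    store.removeItem('auth'); // expired: force a fresh login instead of a 401 loop
    return null;
  }
  return { Authorization: `Bearer ${auth.idToken}` };
}

// Minimal stand-in for window.localStorage so the functions above run in Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
```

The expiry check in authorizationHeader is deliberately client-side only: it avoids sending a token the server will reject, but the server must still verify exp itself, since nothing in the browser can be trusted to enforce it.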

Server-side

When a request that requires authentication reaches the server, the jwks-rsa module fetches the provider's signing keys from the auth.jwksUri configuration property and selects the key whose kid matches the kid in the JWT header; the signature of the JWT passed in the Authorization header is then validated with that public key. A valid signature only proves the token came from the provider: the server should also reject a token whose alg is not RS256, whose iss or aud does not match the configured provider and client, or whose exp has passed.

Once the JWT is validated, the claims in its payload (the body of the JWT) are used as the user profile.

Authentication Flow Diagram

(Image: Authentication Flow - Sequence Diagram)

The login process may be improved in the future by opening the Auth0 redirection in a new window; after the user is logged in, the provider could redirect to a static .html page that uses JavaScript to pass the authentication token/information back to the main application. If that is done, the page should hand the tokens back with window.postMessage and the receiving side should check the message's origin, rather than exposing the tokens through the URL or the window name.

ToF expects the JWT (token) to be signed with RS256 (an RSA signature over SHA-256). Because RS256 is asymmetric, the signature is verified with the provider's public key obtained from the JWKS endpoint, not with the "secret" assigned to the OAuth app; that client secret is only involved in HMAC-based algorithms such as HS256, which ToF does not accept.