Authorization Epic

[alexanderkiel]

Currently Blaze only supports authentication.

At some point, we like to have authorization in Blaze.

Options

• SMART Authorization
• policies-as-coode via Open Policy Agent
• https://github.com/ory/keto
• https://github.com/cerbos/cerbos
• https://github.com/authzed/spicedb

Research

• Google Zanzibar

[hoffmka]

I was wondering if BLAZE supports SMART-on-FHIR, but apparently it doesn't yet. Right? I tested a bit with BLAZE and KEYCLOAK as ID provider and the python library fhirclient, but without success. I was hoping that I could somehow integrate SMART-on-FHIR apps into BLAZE, maybe with the keycloak-extensions-for-fhir. I am very new to this field and would like to exchange ideas with experts. Maybe there is also what I can contribute, test or get to know. Would be nice to hear from you. Best, Katja

[quotentiroler]

I think that SMART is the right way to go but the role and access management is something to figure out still.

@hoffmka it should be possible with OAuth2 Proxy
.well-known smart configuration only contains one auth server endpoint. This auth server needs to serve as an identity broker if several identity providers are being used.

[alexanderkiel]

Hi @hoffmka, @quotentiroler Blaze doesn't support SMART yet. However Blaze has authentication support via an OpenID Connect Identity Provider. OpenID Connect is even required if one like to use the UI. The deployment is documented here. I know that SMART exists but have not read much about it. We have currently other important issues to handle. If one of you like to contribute here, we can talk about it.