Securing a FHIR endpoint in Node-RED
March 15, 2019
So in a comment on the previous post on using Node-RED to create Tasks from Assessments, Michael suggested that I talk about some of the security considerations that you might have. There are a few ways I can think of to make this more secure.
- The simplest way would be to put the whole thing behind an API manager (such as Apigee or WSO2) and delegate security to that application. In effect you are trusting the API manager.
- Another way is to follow the SMART / OAuth process – check that a valid access token issued by an Authorization Server (Authz) has been provided in the call, rejecting the call if not.
- And yet another option is to perform the whole OAuth2 dance – look for a valid access token, taking on the role of the Authorization server if not – validating the user and issuing tokens.
(And there will be plenty of others I’m sure). Naturally all calls will use SSL.
Let’s look a bit further into the second option – checking for a valid access token, and simply rejecting the call if there is not one present.