
Get user account data with OAuth

Hi, I'm trying to authenticate a user to my application using a user from OpenClinica through OAuth2, but I'm a little confused.

I have read this document https://docs.openclinica.com/3.1/technical-documents/rest-api-specifications/oauth-and-openclinica and I follow these steps in my application:

1. When the user calls the REDIR_URI, my application redirects to: MyOCInstall/oauth/user/authorize?client_id=designer&redirect_uri=REDIR_URI&response_type=code

2. OC redirects to: REDIR_URI&code=CODE

3. My application reads the code and calls: MyOCInstall/oauth/authorize?client_id=designer&redirect_uri=REDIR_URI&code=CODE

4. From OpenClinica I obtain this JSON:
{
    "access_token": "0110a29b-bf15-4256-82ee-42415c2f4cfb",
    "expires_in": 43199,
    "refresh_token": "1efbccfe-fabf-4a32-8d1d-bcd2f5d2d3dc",
    "token_type": "undefined"
}

But now, if I want to obtain the user account data from OpenClinica, what do I have to do?
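The four steps above, carried through in Python as an added example (this is not code from the original post or from OpenClinica). It builds the two URLs exactly as quoted in the steps, ties the callback to the browser session with a random OAuth2 `state` value, consumes that value so a replayed callback is refused, and validates the token JSON before storing an absolute expiry time. Assumptions: `https://MyOCInstall`, `designer` and the `REDIR_URI` value are placeholders; whether this OpenClinica release echoes the `state` parameter back unchanged is not stated on the page, so that part is an assumption; `fetch` is an injected HTTP GET so the example runs offline, with a constructed stand-in that returns the JSON shape quoted in step 4.

```python
import json
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholders from the post; MyOCInstall stands for the real OpenClinica host.
OC_BASE = "https://MyOCInstall"
CLIENT_ID = "designer"
REDIR_URI = "https://myapp.example/oauth/callback"   # assumed value


def begin_login(session):
    """Step 1: create a random state, remember it in this user's session and
    build the authorize URL. `state` is the standard OAuth2 parameter; that
    OpenClinica passes it through is an assumption (see lead-in)."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIR_URI,
              "response_type": "code", "state": state}
    return f"{OC_BASE}/oauth/user/authorize?{urlencode(params)}"


def parse_callback(session, callback_url):
    """Step 2: OC redirects back with code=CODE. Accept the code only if the
    state matches the one stored for this session, and pop it so the same
    callback cannot be replayed into the session a second time."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)
    got = query.get("state", [None])[0]
    if expected is None or got is None or not secrets.compare_digest(expected, got):
        raise ValueError("state mismatch: callback is not tied to this session")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no code")
    return code


def callback_accepted(session, callback_url):
    """Convenience wrapper: True if parse_callback accepts the callback."""
    try:
        parse_callback(session, callback_url)
        return True
    except ValueError:
        return False


def exchange_code(code, fetch):
    """Steps 3 and 4: call the token endpoint and validate the JSON reply.
    `fetch(url)` is an injected HTTP GET returning the body as text; in
    production this is urllib/requests over TLS to the real OC host."""
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIR_URI, "code": code}
    token = json.loads(fetch(f"{OC_BASE}/oauth/authorize?{urlencode(params)}"))
    if not token.get("access_token"):
        raise ValueError("token response has no access_token")
    expires_in = int(token.get("expires_in", 0))
    if expires_in <= 0:
        raise ValueError("token response has no usable expires_in")
    # Store an absolute expiry so the app refreshes instead of reusing a stale token.
    token["expires_at"] = time.time() + expires_in
    return token


def fake_fetch(url):
    """Constructed stand-in for OpenClinica's token endpoint (offline demo)."""
    assert url.startswith(f"{OC_BASE}/oauth/authorize?")
    return json.dumps({
        "access_token": "0110a29b-bf15-4256-82ee-42415c2f4cfb",
        "expires_in": 43199,
        "refresh_token": "1efbccfe-fabf-4a32-8d1d-bcd2f5d2d3dc",
        "token_type": "undefined",
    })


def demo():
    """Run the whole flow against the constructed endpoint and return the token."""
    session = {}
    begin_login(session)
    state = session["oauth_state"]
    code = parse_callback(session, f"{REDIR_URI}?code=CODE123&state={state}")
    return exchange_code(code, fake_fetch)


if __name__ == "__main__":
    print(demo()["access_token"])
```

Note that the token alone still says nothing about who the user is, which is the question the rest of the thread is about; the state check only guarantees that the code arriving at step 2 belongs to the browser session that started step 1.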

  • toskrip Posts: 279
    Hi Luca,

    I don't claim to be an OAuth expert, but I presume that obtaining the "access_token" is the confirmation that authorisation was successful. I don't think that you will get any user details out of it; OAuth serves one purpose, that is authorisation (no more, no less). Basically:
    - tell me whether the user is logged in and can access certain study (access_token)
    - if the user is not logged in provide me with login form

    but again, in practice I did not use it with OC. What exactly are you trying to accomplish? Why do you need user account data?

  • Gaglia Posts: 3
    The company where I work has developed a web application for showing charts on certain data stored in a database.
    This application has its own users and every user has roles and permissions in this application.
    The company also uses OpenClinica because it works with medical data (it's not my field so I don't know exactly what they do).
    Now we have connected OpenClinica with our application for showing charts on medical data, but when the user is redirected to the application he must log in again.
    So they asked me to use OAuth to authenticate the user; the idea is to have the same username on both applications and then get the username from OC using OAuth.


  • toskrip Posts: 279
    OK, if I understand correctly, this is the workflow that you want to have for the user:
    - user is logged in to OpenClinica
    - user navigates to your application (now OAuth2 takes place to authenticate the user in your application)
    - if authentication is successful your application needs to have the username in order to find the appropriate user and associated role in your application
    - your application user is found and the content is shown according to the role

    This is doable (OC Designer is using this approach). You have to modify the way you navigate to your application from OpenClinica. If you take the approach of Designer, then this is how the URL to access your app from OpenClinica should look:


    As you see you need to pass the OpenClinica username as a query parameter (together with the study OID). You are basically passing all necessary details to initiate the OAuth2 process.

    Once your app receives the username, you can store it in the session and once you get confirmation that OAuth2 was successful (access token), then you just read the stored username and locate the appropriate user entity from your app database.

    Hope it helps.


  • Gaglia Posts: 3
    edited September 2015
    The workflow is correct.
    I've already seen that OC passes the username to the designer with a parameter, but unfortunately it does not check if the user passed is the user that was authenticated on OC.
    I made a test with the OC demo (https://www.openclinica.com/self-guided-demo) and after authenticating with the "manager" user I called the designer replacing the username with another text (e.g. "TEST"); it works perfectly, I obtain
    access to the designer!
    Test url: https://ruledesigner.eclinicalhosting.com/Designer-1.2/access?host=https://demo.eclinicalhosting.com&app=OpenClinica&study_oid=S_NCT01928&provider_user=TEST&path=pages/studymodule

    This is not safe, in my case, because in this way if you have access to OC, you're able to authenticate on my application as any user you want.

    I think this is not important in the designer because it writes/reads data using the token, so it can access only the data of the user associated to that token.

    Thanks for your help


  • toskrip Posts: 279
    Then it should be reported to the issue tracking system, because such behaviour is obviously a bug. I tested it as well in my setup and you are absolutely right. This means that OC only checks if there is an existing user session open in OC. It is not a good idea to use it when it is broken.

    You could move the user name from a query parameter to a request header value, or do some additional procedures which will make it harder for a user to access it, but it will not fix the broken service.

    There is no documented way of getting user account data from OC.

    There is an alternative way of dealing with authentication, especially when we are talking about web services. If you are OK with modifying the OpenClinica source code, you can do the following:
    - extend the OC user account entity and your user account with an additional attribute yourAppApiKey
    - for each user generate a long enough secret ApiKey
    - pass the apiKey instead of the user name to your application when calling it from OC
    - OC OAuth will authenticate just fine and in your app, according to the ApiKey, you can find the proper user account and role.
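The difference between the two identity lookups discussed in this thread, as an added example (not code from the original posts, from OpenClinica or from Designer): the first function trusts a `provider_user` query parameter the way Gaglia's test showed, so any caller with an OC session can name any user; the second implements toskrip's proposal of a per-user secret ApiKey, generated with 256 bits of randomness and stored on the app side only as a hash, so the caller must present the secret itself. The in-memory `USERS` and `KEY_INDEX` stores are constructed stand-ins for the app's database, and the parameter name `api_key` is an assumption (as toskrip notes, a request header is the better place to carry it than the query string).

```python
import hashlib
import secrets

# Constructed in-memory stand-ins for the app's user table and a lookup index.
USERS = {}        # username -> {"role": ..., "api_key_hash": ...}
KEY_INDEX = {}    # sha256(api_key) -> username


def issue_api_key(username, role):
    """Generate the long random secret that would be stored on the extended
    OC user account entity. The app keeps only its hash, so a dump of the
    app database does not hand out working keys. Returns the secret once."""
    key = secrets.token_urlsafe(32)                       # 256 bits of randomness
    digest = hashlib.sha256(key.encode()).hexdigest()
    USERS[username] = {"role": role, "api_key_hash": digest}
    KEY_INDEX[digest] = username
    return key


def user_from_query_vulnerable(params):
    """The pattern found in the thread: the identity is whatever the caller
    put in provider_user. Nothing proves the caller *is* that user."""
    return USERS.get(params.get("provider_user"))


def user_from_query_hardened(params):
    """Look the user up by the secret ApiKey instead. Hashing first means a
    guess never touches the stored value and the dict lookup leaks nothing
    useful about a high-entropy key; an unknown or missing key yields None."""
    key = params.get("api_key")
    if not key:
        return None
    digest = hashlib.sha256(key.encode()).hexdigest()
    username = KEY_INDEX.get(digest)
    return USERS.get(username) if username else None


def demo():
    """Show the two lookups side by side for a registered user 'manager'."""
    key = issue_api_key("manager", "study-admin")
    return {
        # Impersonation needs only the username in the vulnerable variant...
        "vuln_manager": user_from_query_vulnerable({"provider_user": "manager"}),
        # ...while the hardened variant needs the secret itself.
        "hard_with_key": user_from_query_hardened({"api_key": key}),
        "hard_with_name": user_from_query_hardened({"api_key": "manager"}),
        "hard_tampered": user_from_query_hardened({"api_key": key + "x"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result["role"] if result else None)
```

Revocation is also simpler with this layout: deleting a user's `api_key_hash` (and its `KEY_INDEX` entry) invalidates the key everywhere at once, whereas a username-based link has nothing to revoke.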

  • lindsay.stevens Posts: 404
    via Email
    Wow. Good find guys! There is a pull request on the OpenClinica github repo
    for SAML consumer auth, in case that's any use instead.