Security


OpenLMIS v3 security was designed around the following needs:

  • Microservices environment - not only do people and third-party systems need to be authorized, but so too do other microservices.  These microservices may have different levels of access to one another than the person or system that invoked the original request.
  • Highly interoperable - OpenLMIS often sits in a complex web of interacting health and supply chain systems.
  • Standalone - OpenLMIS may also be launched alone to start, with the implementation's aspiration that the web of health and supply chain systems will grow around it.
  • Single sign-on - At least the basic need that one login can be used across multiple applications.  TBD whether this also implies a need to seamlessly sign into many systems "at once".
  • Mobile and web ready - OpenLMIS has a web UI; however, the need for mobile clients is strong.
  • Work in occasionally connected environments - OpenLMIS client applications are not always connected to the internet.
  • REST - The OpenLMIS API is RESTful.


To this end OpenLMIS supports:

  • OAuth2 Authorization Server (auth service)
  • OAuth2 grants we're using:
    • Password grant - the one most often used, from the web UI; i.e. the UI works directly with the auth service.
    • Implicit grant (OLMIS-2851) for services such as Tableau's Web Data Connector.
    • Client credentials grant - for service-to-service calls.
  • Token format:
    • Currently a Simple Web Token (SWT) bearer token.
    • Originally the plan was to use JWT; however, the simpler SWT has been used so far.  We'll likely want to revisit this as we discuss SSO.
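The password and client credentials grants above, and the microservice-to-microservice point from the needs list, modelled end to end as an added example; this is not OpenLMIS code, and the service names, roles, client ids and secrets are constructed for illustration. The opaque token stands in for the SWT bearer token: its meaning lives in the auth service, so every resource server resolves it there.

```python
import base64
import secrets


def basic_auth(client_id, secret):
    # HTTP Basic client authentication, as sent to the token endpoint
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


class AuthServer:
    """In-memory stand-in for the auth service; users and clients are constructed."""

    def __init__(self, users, clients):
        self.users = users      # username -> (password, roles)
        self.clients = clients  # client_id -> (secret, roles for client_credentials)
        self.tokens = {}        # opaque bearer token -> principal

    def token(self, grant_type, authorization, **params):
        scheme, _, b64 = authorization.partition(" ")
        client_id, _, secret = base64.b64decode(b64).decode().partition(":")
        if scheme != "Basic" or self.clients.get(client_id, (None,))[0] != secret:
            raise PermissionError("invalid_client")
        if grant_type == "password":  # web UI: user credentials go straight to auth
            entry = self.users.get(params["username"])
            if entry is None or entry[0] != params["password"]:
                raise PermissionError("invalid_grant")
            principal = {"sub": params["username"], "roles": entry[1]}
        elif grant_type == "client_credentials":  # service to service, no user
            principal = {"sub": client_id, "roles": self.clients[client_id][1]}
        else:
            raise ValueError("unsupported_grant_type")
        tok = secrets.token_urlsafe(24)  # opaque token: resolved via check_token
        self.tokens[tok] = principal
        return {"access_token": tok, "token_type": "bearer"}

    def check_token(self, authorization):
        # resource servers resolve a bearer token back to its principal here
        scheme, _, tok = authorization.partition(" ")
        if scheme.lower() != "bearer" or tok not in self.tokens:
            raise PermissionError("invalid_token")
        return self.tokens[tok]


def referencedata_lookup(auth, authorization):  # downstream: needs SERVICE_READ
    if "SERVICE_READ" not in auth.check_token(authorization)["roles"]:
        raise PermissionError("access_denied")
    return "F001"  # constructed facility code


def requisition_submit(auth, user_authorization, svc_id, svc_secret):
    # upstream service authorizes the user, then calls downstream with its OWN token
    user = auth.check_token(user_authorization)
    if "REQUISITION_CREATE" not in user["roles"]:
        raise PermissionError("access_denied")
    own = auth.token("client_credentials", basic_auth(svc_id, svc_secret))
    return {"user": user["sub"], "facility": referencedata_lookup(auth, "Bearer " + own["access_token"])}
```

The user's token alone is refused by the downstream service while the requisition service's client credentials token is accepted, which is the "different levels of access" case the needs list describes.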


Topics to revisit:

  • OpenID Connect is far more popular today than it was before.
  • JWT
  • The flows we're supporting - particularly as we look at mobile
  • How servers such as HEARTH might work


OpenLMIS: the global initiative for powerful LMIS software