GCP Healthcare API Part 2: Attempting Authentication


Again, I've found this to be tricky, which is why I'm documenting it here, to hopefully make it easier for someone else. Remember, we should now have a FHIR store. The one I've set up exists at:

https://healthcare.googleapis.com/v1/projects/fhirfli/locations/us/datasets/fhirfli/fhirStores/fhirfli

I've probably thrown these words around without completely understanding the difference, so, for your edification:

  • Authentication: who you are

  • Authorization: what you can do

  • Auditing logs: what you did

This comes from Google's page on Authentication. I think we should use an OAuth 2.0 client, partly because that's what SMART and most other authentication processes use, and because Google describes it as being for "accessing private data on behalf of an end user", which sounds exactly like what we're looking for. Google also has an Authenticating as an end user page. It suggests we go to the IAM section of our project. Mine looks like this.



Clicking on ROLES and ADD, and then searching FHIR, gives me these options. I decided to go for Editor. Note that Cloud Healthcare FHIR Resource Editor (roles/healthcare.fhirResourceEditor) lets the principal create, update and delete resources in the store; if the app only needs to read, grant Cloud Healthcare FHIR Resource Reader (roles/healthcare.fhirResourceReader) instead, since this role, not the OAuth scope, is what limits what the signed-in user can do.


After this, go to the top left hamburger, select APIs & Services, then go to OAuth consent screen. If you have an organization you can choose internal, but in order to test it, I'm going to choose external.



Fill out the information on the next page. Make sure you fill out every field marked with a * (they're mandatory!).


Click ADD OR REMOVE SCOPES, and add Cloud Healthcare API (you can just search for health).



On the next page you can add test users (by their email). If you selected internal, they will need an email within your organization's domain; if you selected external, only the test users you add here can sign in while the app's publishing status is still "Testing". Then review, go BACK TO DASHBOARD, and select Credentials -> +CREATE CREDENTIALS -> OAuth client ID.



For this case, we're going to be creating an Android app (I believe you have to register it separately for iOS).


As a note, I recommend changing the package name to all lowercase and no punctuation (including hyphens and underscores); I've had some issues, and if you can stay away from them, it's probably safer. The console also asks for the SHA-1 fingerprint of the certificate the APK is signed with, because an Android OAuth client is identified by package name plus signing certificate. For a debug build that is the debug keystore. If you ensure keytool is installed (I'm going to let you google that), the command is:

keytool -list -v -keystore ~/.android/debug.keystore -alias androiddebugkey -storepass android -keypass android

This will produce something like the following (the fingerprints shown here are placeholders, not real values):

Alias name: androiddebugkey
Creation date: Dec 21, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: C=US, O=Android, CN=Android Debug
Issuer: C=US, O=Android, CN=Android Debug
Serial number: 1
Valid from: Mon Dec 21 12:26:54 EST 2020 until: Wed Dec 14 12:26:54 EST 2050
Certificate fingerprints:
SHA1: 12:34:56:78:90:AB:CD:EF:GH:IJ:KL:MN:OP:QR:ST:UV:WX:YZ:11:11
SHA256: 12:34:56:78:90:AB:CD:EF:GH:IJ:KL:MN:OP:QR:ST:UV:WX:YZ:11:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
Signature algorithm name: SHA1withRSA (weak)
Subject Public Key Algorithm: 2048-bit RSA key
Version: 1

Warning:
The certificate uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.

The SHA1 line is the value the console asks for. The warning is about the algorithm that signed the debug certificate, not about the fingerprint, and can be ignored for the debug keystore. Remember that a release build is signed with a different key, so before shipping you must run the same command against the release keystore and register that fingerprint too (or create a second Android client), otherwise sign-in from the release APK will be rejected.

After entering these values, click CREATE, and you'll get your Client ID (it looks like "${alphanumericstring}.apps.googleusercontent.com"). Notice that there is no client secret: a mobile app is a public client, so the flow has to rely on PKCE (which AppAuth does by default) rather than on a secret to protect the authorization code.

In order to connect, we'll need to use the 3 pieces of data we got above.

  1. Client ID - what we just got above

  2. URL of your FHIR store - the link at the beginning with "/fhir" on the end

  3. Scope - we only need one for now, "https://www.googleapis.com/auth/cloud-platform". This is the scope the Cloud Healthcare API uses, and it is broad: it covers any Google Cloud API the signed-in user has IAM permission for, so the IAM role granted above, not the scope, is what actually limits what the app can reach.
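To show what the app does with these three values, here is an added example in Dart using the flutter_appauth and http packages. It is not code from the original post or from flutter_appauth's own documentation. The FHIR store URL and scope are the ones above; the placeholder client ID, the "org.my.project:/oauth2redirect" redirect URL (the scheme has to match the appAuthRedirectScheme placeholder), the Patient search, and the function names signIn and listPatients are assumptions for illustration.

```dart
// Added example (not from the original post): sign in as an end user with
// flutter_appauth and call the FHIR store with the resulting access token.
// Assumes flutter_appauth and http are listed in pubspec.yaml.
import 'dart:convert';

import 'package:flutter_appauth/flutter_appauth.dart';
import 'package:http/http.dart' as http;

// 1. Client ID from the Android OAuth client (placeholder value).
const clientId = 'ALPHANUMERICSTRING.apps.googleusercontent.com';

// 2. FHIR store URL with "/fhir" on the end.
const fhirBase =
    'https://healthcare.googleapis.com/v1/projects/fhirfli/locations/us/datasets/fhirfli/fhirStores/fhirfli/fhir';

// 3. The one scope the Cloud Healthcare API uses.
const scopes = ['https://www.googleapis.com/auth/cloud-platform'];

// Assumed redirect: scheme must equal appAuthRedirectScheme (Android) and
// the CFBundleURLSchemes entry (iOS); the path is arbitrary.
const redirectUrl = 'org.my.project:/oauth2redirect';

final _appAuth = FlutterAppAuth();

/// Runs the authorization code flow. AppAuth generates the PKCE
/// code_verifier/code_challenge and checks the `state` parameter, so an app
/// that registers the same custom scheme and captures the redirect cannot
/// exchange the code. Returns the access token, or null if the user bailed.
Future<String?> signIn() async {
  final result = await _appAuth.authorizeAndExchangeCode(
    AuthorizationTokenRequest(
      clientId,
      redirectUrl,
      // Google's discovery document supplies the authorization and token
      // endpoints, so they do not need to be hard-coded.
      discoveryUrl:
          'https://accounts.google.com/.well-known/openid-configuration',
      scopes: scopes,
    ),
  );
  return result?.accessToken;
}

/// Fetches one page of Patient resources as the signed-in user.
/// A 401 means the token is missing or expired (authentication);
/// a 403 means IAM denied the user (authorization), i.e. the FHIR role
/// granted in the IAM step does not allow this operation.
Future<Map<String, dynamic>> listPatients(String accessToken) async {
  final response = await http.get(
    Uri.parse('$fhirBase/Patient'),
    headers: {
      'Authorization': 'Bearer $accessToken',
      'Accept': 'application/fhir+json',
    },
  );
  if (response.statusCode != 200) {
    throw Exception(
        'FHIR request failed: ${response.statusCode} ${response.body}');
  }
  // The store answers with a FHIR Bundle (resourceType "Bundle").
  return jsonDecode(response.body) as Map<String, dynamic>;
}

/// Usage, e.g. from a button handler:
///   final token = await signIn();
///   if (token != null) {
///     final bundle = await listPatients(token);
///     print('${bundle['total']} patients');
///   }
```

Keep the access token in memory (or platform secure storage) rather than in shared preferences; it is a bearer credential for everything the cloud-platform scope covers, so whoever holds it can do whatever the user's IAM role allows.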

In order to make your app able to connect, there are a number of files you must change. They contain references to com.example.app; change these to your own applicationId (e.g. org.my.project):

  • android/app/build.gradle

  • android/app/src/debug/AndroidManifest.xml

  • android/app/src/main/AndroidManifest.xml

  • android/app/src/main/kotlin/com/example/example/MainActivity.kt

  • android/app/src/main/kotlin/dev/{package name}/example/MainActivity.kt

  • android/app/src/profile/AndroidManifest.xml

  • ios/Runner.xcodeproj/project.pbxproj

Follow the instructions here for flutter_appauth. For the file android/app/build.gradle there should be a section that looks like this (note the property name is manifestPlaceholders with a lowercase h; with a capital H Gradle treats it as an unknown property and the build fails):

defaultConfig {
    applicationId 'org.my.project'
    minSdkVersion 21
    targetSdkVersion 29
    versionCode flutterVersionCode.toInteger()
    versionName flutterVersionName
    manifestPlaceholders = [
        'appAuthRedirectScheme': 'org.my.project'
    ]
}

The redirect scheme is a custom URI scheme, and any other app on the device can register the same scheme, so the redirect itself is not private. That is why AppAuth always uses PKCE: an app that intercepts the authorization code cannot exchange it for tokens without the code verifier. Keep the scheme lowercase and identical here, in Info.plist, and in the redirect URL your code passes to AppAuth.

For the file ios/Runner/Info.plist there should be a section (plist keys are case-sensitive, so it must be CFBundleURLTypes and CFBundleURLSchemes with URL in capitals):

<key>CFBundleURLTypes</key>
<array>
    <dict>
        <key>CFBundleTypeRole</key>
        <string>Editor</string>
        <key>CFBundleURLSchemes</key>
        <array>
            <string>org.my.project</string>
        </array>
    </dict>
</array>

And that's the bulk of it. I can do a quick post about how the actual interaction is coded, but this should get you most of the way.