Google Authentication Configuration
# support
t
We are trying to provide Google Authentication for Elovu. So we used the startGoogleLogin helper method, but that requires googleCredentials. https://www.medplum.com/docs/sdk/core.googleloginrequest Could you please explain how we can get this googleCredential? I tried with the Client Secret but it didn't work.
r
@tanveerqamar_97071 , the google credential is passed from the google sign on page to your application via the Google redirect flow
If you are just starting your development, I highly recommend using our `SignInForm` react component directly in your application. This takes care of a lot of the redirect logic necessary for managing the Google authentication flow
t
@rahul1 I used the SignInForm react component for Google Authentication and it worked, but what if we have a user who is logging in for the first time? Does this component handle creating the user if it doesn't exist?
r
No, this component does not handle user registration. For that you can use the Register Form https://storybook.medplum.com/?path=/story/medplum-auth-registerform--basic
@tanveerqamar_97071 - if you're interested in open patient onboarding I'll point you to two resources:
- Foo Medical: This is a sample application, built as a patient portal: https://github.com/medplum/foomedical
- Our documentation on open patient registration: https://www.medplum.com/docs/auth/open-patient-registration
t
Thanks for this @rahul1 . We are working on registration but we have another requirement. We already have an authentication implementation on our mobile and web app with Cognito. We don't want to touch the existing authentication flow with Cognito, so we thought we could do a token exchange with Medplum. I tried following this documentation https://www.medplum.com/docs/auth/methods/token-exchange and used the exchangeExternalAccessToken helper method. But I am getting an error with status code 400 saying: "Failed to verify code - check your identity provider configuration"
We checked our user pool and app client configuration but it seems ok to us.
r
Hi @tanveerqamar_97071 , can you please open a new support ticket, as this is a new issue?
@tanveerqamar_97071 typically this indicates some kind of error was returned from your external identity provider. These kinds of errors can depend on your specific provider, but common examples include:
- **PKCE errors**: you can try setting the "PKCE Optional" flag in your IdentityProvider
- **authentication issues**: The external `/token` endpoint usually requires some form of authentication, and the client_id / client_secret might not be configured correctly on your medplum ClientApplication
- **redirect_uri issues**: Your external IDP might not be configured correctly to have `api.medplum.com/auth/external` set up as your redirect URI
You can see the code for where this error was thrown here: https://github.com/medplum/medplum/blob/0d4741d0a589a5001f92a0d5cab1bb2a1b1d39df/packages/server/src/oauth/utils.ts#L738C1-L741C4
@tanveerqamar_97071 - I wanted to follow up. Were you able to get your authentication working?
t
@rahul1 No, I tried all the possible options but no luck. Nothing worked for token exchange.
For one of our apps, we need Google authentication, which we implemented, but another application needs Cognito authentication, which we are not able to implement.
r
@tanveerqamar_97071 , if you are willing to furnish me with your Project Id, I can try to look into our logs and see if we can find the error message sent by Cognito
t
@rahul1 Our project Id: fa6c9261-cc04-4f61-b6fd-6e0cbe556be6
r
@tanveerqamar_97071 - I didn't see any erroneous error messages come through in the last week. Can you share the email address which you are using to log in with Cognito?
c
Hello @rahul1 , @tanveerqamar_97071 is off for this and next week. I have started looking into this issue in his absence. He was using tanveer@elovu.health's token.
Hi @rahul1 , if it helps, I tried the auth using the Cognito hosted UI for the Medplum client and I get this error when the user is redirected back to https://api.medplum.com/auth/external?code=240a9fcf-879c-49c3-a0e5-b753ec23cbd4
```json
{"resourceType":"OperationOutcome","issue":[{"severity":"error","code":"invalid","details":{"text":"Missing state"}}],"extension":[{"url":"https://medplum.com/fhir/StructureDefinition/tracing","extension":[{"url":"requestId","valueId":"3993d263-4367-42c3-a789-45a358a87df7"},{"url":"traceId","valueId":"8b2bccbc-2fe2-428f-b659-32e05d487112"}]}]}
```
This is using 'Authorization code grant'. This time the email used is charith@elovu.health and the response was:
```json
{
  "resourceType": "OperationOutcome",
  "issue": [
    {
      "severity": "error",
      "code": "invalid",
      "details": {
        "text": "Missing code"
      }
    }
  ],
  "extension": [
    {
      "url": "https://medplum.com/fhir/StructureDefinition/tracing",
      "extension": [
        {
          "url": "requestId",
          "valueId": "91ceaa78-0119-4c69-be44-31864be29400"
        },
        {
          "url": "traceId",
          "valueId": "2382773a-b786-46fb-9efb-53fa71f4581c"
        }
      ]
    }
  ]
}
```
Hello @rahul1 Just checking to see if you were able to find anything regarding this issue. Also, I have a question: can we do custom authorization using bots? If the OAuth doesn't work, we want to try a different approach where we implement our custom authorization using bots. We will send the Cognito access_token to the bot, where we talk with Cognito using the AWS SDK to verify the token and return a self-signed Medplum token based on the decoded user's email or external ID.
r
Hi @charithv , I'm sorry I have not yet been able to find any additional debugging info in our logs
Unfortunately, the logs you sent me won't help, as they indicate a client-side issue, rather than a configuration issue with Cognito
c
@rahul1 , thanks for the response. But can you suggest any alternative to make this work?
r
But I can suggest a next step
Rather than implementing the "token exchange" flow as @tanveerqamar_97071 began, try implementing the "External Identity Provider" OAuth flow here: https://www.medplum.com/docs/auth/methods/external-identity-providers
We have a simple demo app that accompanies these instructions that will help you debug
With this flow, if Cognito throws an error, it will be returned to your browser, which will then allow further debugging if needed
c
Sure, will try this and keep you posted, thanks
r
Hi @charithv , we just performed a successful test integration with AWS Cognito. We've added a document with some pointers here: https://github.com/medplum/medplum/pull/4101
c
Thanks Rahul, will check this out
Hi @rahul1 , just checking to see, are you using the OAuth grant type "Authorization code grant"?
r
Yes! Are you referring to a specific "Cognito" setting, or just to some Cognito documentation?
c
Yeah, I am referring to the Cognito settings, which are also part of the 'Hosted UI' setting
Also want to check if you had a chance to try `exchangeExternalAccessToken` with Cognito. This approach fits well into our application, where the user can just log in with our already configured UI without any additional changes
r
I did not have a chance, though the configuration should be similar. Once this flow works, I would expect `exchangeExternalAccessToken` to also work
c
Sure, will try this today and keep you posted, thanks for the effort
Hi @rahul1 , the Cognito setup is working fine with `signInWithExternalAuth` but not with `exchangeExternalAccessToken`, with the same client configuration and Cognito configuration. Can you please try from your end to replicate the issue?
Hi @rahul1 , just checking to see if you had a chance to look into this.
Hello @rahul1 , after careful reading of the 'Token Exchange' docs I understand the 'Access Token' is sent to the /userinfo endpoint, but the access token we obtain is via basic (username and password) auth and does not have the openid scope in it. Passing the same access token to the /userinfo endpoint returns `{"error":"invalid_token","error_description":"Access token does not contain the 'openid' scope"}`. We have two apps, a mobile and a web, which use Cognito as the primary IdP; could you suggest the best way forward? I would also like to mention this is a blocker for us for successful integration of Medplum into our ecosystem.
Hello @rahul1 , one way I found it working is, instead of custom login, we federate login to AWS Cognito (using their hosted UI) and then the user is navigated back to the app with an OAuth code; we use that to get an access token which has openid scopes in it, which I can exchange for a Medplum token. Have tested this flow, seems to be working fine. The only problem is the user needs to navigate to a different page; on web it's not a big problem, but on the mobile app the user needs to be redirected to a browser and then back to the app. Just checking if there is any other way around this process; an example is implementing custom authentication using bots, where we share the general access token (without openid scopes) and at runtime call Cognito with the client id and secret to verify the token and generate a Medplum token for the user. But open to any suggestions. Thanks
r
Hi @charithv , I'm sorry I have not yet had a chance to validate the tokenExchange mechanism issue, and I appreciate your patience
> but the access token we obtain is via basic (username and password) auth and does not have openid scope in it , passing the same access token to /userinfo endpoint returns

This is not the appropriate use of the tokenExchange mechanism. The primary way of using Token Exchange is the following:
- Your app logs into AWS Cognito via OAuth2 to obtain an access token with the appropriate scopes. This would be done via a custom UI (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-integrate-apps.html)
- Send that accessToken to Medplum to obtain a medplum access token
Unfortunately, it will not be possible to make this work with a basic-auth token
The guide I linked above describes how to build that AWS Cognito authentication UI. As managing the redirect flows can get complicated, we offer our Medplum React Components that handle this logic for you. This is why I initially suggested the `signInWithExternalAuth` flow.
@charithv , I just talked to my engineering team, and we think we have a solution for you that would avoid the mobile redirect issue. Similar to your idea of creating custom authentication. It will require you to set up a new Lambda function inside your AWS account (not a bot). Workflow would look like:
1. Set up a new unauthenticated Lambda inside your AWS
2. Give this lambda AdminInitiateAuth permissions (https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html)
3. The client calls this Lambda with the user credentials, and the Lambda uses the ClientId / ClientSecret to generate a token that can be passed back to the client
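The thread's root cause is a Cognito access token without the `openid` scope reaching Medplum's `/userinfo` check. The following added example (not code from the thread, the Medplum SDK, or AWS) inspects the token's claims locally so a client can tell a Hosted-UI token from a username/password one before calling `exchangeExternalAccessToken`; the sample tokens, `client_id` value, and the `aws.cognito.signin.user.admin` scope on the password-auth sample are constructed for illustration.

```javascript
// Added example: inspect a Cognito access token's claims before handing it to
// exchangeExternalAccessToken, so a token without the "openid" scope is caught
// client-side instead of failing at Medplum's /userinfo call.
// Decoding is NOT signature verification; trust still comes from the server.

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64url');
}

function base64UrlDecode(segment) {
  return Buffer.from(segment, 'base64url').toString('utf8');
}

// Return the JWT payload (claims) without verifying the signature.
function decodeJwtPayload(token) {
  if (typeof token !== 'string') throw new Error('token must be a string');
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected 3 segments');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Cognito access tokens carry token_use "access" and a space-separated "scope"
// claim. Hosted-UI tokens include "openid"; password-auth tokens do not.
function isExchangeableAccessToken(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  if (claims.token_use !== 'access') return { ok: false, reason: 'not an access token' };
  if (typeof claims.exp === 'number' && claims.exp <= nowSeconds) return { ok: false, reason: 'expired' };
  const scopes = typeof claims.scope === 'string' ? claims.scope.split(' ') : [];
  if (!scopes.includes('openid')) return { ok: false, reason: "missing 'openid' scope" };
  return { ok: true, scopes };
}

// Constructed, unsigned sample tokens for offline illustration; not real Cognito output.
function makeSampleToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.signature-placeholder`;
}

const farFuture = 4102444800; // 2100-01-01, keeps the samples unexpired
const hostedUiToken = makeSampleToken({ token_use: 'access', scope: 'openid email profile', exp: farFuture, client_id: 'example-client-id' });
const passwordAuthToken = makeSampleToken({ token_use: 'access', scope: 'aws.cognito.signin.user.admin', exp: farFuture, client_id: 'example-client-id' });

console.log(isExchangeableAccessToken(hostedUiToken));     // { ok: true, scopes: [ 'openid', 'email', 'profile' ] }
console.log(isExchangeableAccessToken(passwordAuthToken)); // { ok: false, reason: "missing 'openid' scope" }
```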
c
Hello @rahul1 , thanks for all the input, I will give it a try today. Just one added complexity is we use AWS Amplify in between the app and Cognito. Also wondering if AdminInitiateAuth returns access tokens with openid scopes. Will keep you posted. Thanks
Hi @rahul1 , just validated that `admin_initiate_auth` also does not return 'openid' scopes in it.
r
@charithv - just backing up for a second, is it a hard requirement to use AWS cognito as the patient identity provider? For context, Medplum itself can be used as an IDP for patients.
c
At least now we have a very minor footprint on AWS, but it's expected to grow. Now we use AWS Pinpoint for push notifications and Cognito to identify user device endpoints.
I found a way to open an in-app browser for Cognito federated login, will give it a try and see if everybody is happy with it
r
I see. We also provide websocket capabilities and twilio integration, in case that is helpful for push notifications
c
@rahul1 we have successfully integrated with Cognito federated sign-in. Thanks for all the input.
There is one more issue we are now tackling. We are using 'medplum/core' in our react-native app and when we do `medplum.signOut()` or `medplum.clear()` it throws `[ReferenceError: Property 'sessionStorage' doesn't exist]`. Any suggestions/ideas on how we can log the user out on non-browser environments? `clearActiveLogin` seems to be working fine!
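The ReferenceError above is what an SDK call into a missing `sessionStorage` global looks like on a non-browser runtime. The following added example (not code from the thread, the Medplum SDK, or any polyfill package) shows what a minimal Web Storage shim for such an environment does; it assumes the SDK only uses the standard `Storage` methods, and `MemoryStorage` and `ensureSessionStorage` are names chosen here.

```javascript
// Added example: an in-memory implementation of the Web Storage interface,
// installed only when the host has no sessionStorage (React Native / Node),
// so sign-out code that touches sessionStorage does not throw.
// Contents last only for the process lifetime; nothing is persisted to disk.

class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  // Storage.key(n) returns the nth key or null when out of range.
  key(index) { return Array.from(this.map.keys())[index] ?? null; }
  getItem(key) { return this.map.has(String(key)) ? this.map.get(String(key)) : null; }
  // Web Storage stores strings only, so values are coerced like a browser would.
  setItem(key, value) { this.map.set(String(key), String(value)); }
  removeItem(key) { this.map.delete(String(key)); }
  clear() { this.map.clear(); }
}

// Installs the shim only if sessionStorage is genuinely absent, never
// replacing a real browser implementation. Returns whatever is now in place.
function ensureSessionStorage(global = globalThis) {
  if (typeof global.sessionStorage === 'undefined') {
    Object.defineProperty(global, 'sessionStorage', {
      value: new MemoryStorage(), configurable: true, writable: true,
    });
  }
  return global.sessionStorage;
}

// Typical use: call once at app start-up, before the SDK client is created.
ensureSessionStorage();
```

Clearing this storage only discards the client's local copy of any tokens; it does not revoke them on the server, so the SDK's own sign-out call is still needed.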
r
@charithv , are you using Expo, with our expo-polyfills library?