Secure authentication on POSOS API
Good to know: this documentation explains how to obtain a secure token for connecting to the Posos APIs; it does not cover access to FHIR warehouses.
Posos API is protected by a Google Cloud Identity-Aware Proxy (IAP) authentication layer, ensuring secure access to APIs and data. This layer uses the OAuth 2 and OpenID Connect protocols to authorize access, and validates the identity of the caller using a private key. This key is transmitted to you by POSOS as a .json file and is strictly secret; you must be able to replace it quickly in the event of revocation.
In outline, the caller builds a signed token (a JWT) describing its request and sends it to the Google Auth API, which returns an identity token. This proof of authentication is then attached to the header of every subsequent request.
The reference documentation can be found at the following address:
Programmatic authentication | Identity-Aware Proxy | Google Cloud
The caller needs two things:
- its private key (.json file)
- an OAuth Client identifier specific to the called environment. This character string is transmitted to you by POSOS at the same time as the key. It is stable for each environment (preprod, production).
Client ID value per environment:
Client ID: 20286154155-852pf0ti456nd81ongbiecmjqgag84q3.apps.googleusercontent.com
Requesting an identity token can be done with any technology capable of making an HTTP request, but certain languages have official libraries capable of carrying out the operation automatically.
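As an added example of doing this with plain HTTP rather than an official library (this is not code from the page or from POSOS), the following Python builds the JWT assertion described above, signs it with the key from the POSOS-supplied .json file and exchanges it at Google's token endpoint for an identity token. It assumes the key file has the standard service-account fields (client_email, private_key, private_key_id), that the `cryptography` package is installed for RS256 signing, and it reads the client ID from an environment variable named POSOS_CLIENT_ID, a name chosen for this example.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Google's OAuth token endpoint (also present as "token_uri" in the key file).
TOKEN_URI = "https://oauth2.googleapis.com/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without padding, as the JWT spec requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_assertion_claims(service_account_email: str, client_id: str, now: int, lifetime: int = 3600) -> dict:
    """Claim set Google expects for an IAP identity-token request.

    target_audience is the OAuth client ID of the environment being called;
    it becomes the 'aud' of the identity token Google returns.
    """
    return {
        "iss": service_account_email,
        "sub": service_account_email,
        "aud": TOKEN_URI,
        "iat": now,
        "exp": now + lifetime,  # Google rejects assertion lifetimes above one hour
        "target_audience": client_id,
    }


def signing_input(header: dict, claims: dict) -> bytes:
    """'<b64url header>.<b64url claims>': the bytes that get signed."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}".encode("ascii")


def sign_assertion(key_file: dict, client_id: str, now=None) -> str:
    """Build and RS256-sign the JWT assertion with the parsed .json key file.

    Signing uses the 'cryptography' package (assumption of this example).
    """
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    header = {"alg": "RS256", "typ": "JWT", "kid": key_file["private_key_id"]}
    claims = build_assertion_claims(key_file["client_email"], client_id, now or int(time.time()))
    to_sign = signing_input(header, claims)
    private_key = serialization.load_pem_private_key(key_file["private_key"].encode(), password=None)
    signature = private_key.sign(to_sign, padding.PKCS1v15(), hashes.SHA256())
    return to_sign.decode("ascii") + "." + b64url(signature)


def token_request_body(assertion: str) -> bytes:
    """Form-encoded body for the token endpoint; the JSON reply carries 'id_token'."""
    return urllib.parse.urlencode({"grant_type": JWT_BEARER_GRANT, "assertion": assertion}).encode("ascii")


def request_id_token(key_file: dict, client_id: str) -> str:
    """Exchange the signed assertion for an identity token over HTTPS."""
    assertion = sign_assertion(key_file, client_id)
    req = urllib.request.Request(TOKEN_URI, data=token_request_body(assertion), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())["id_token"]


if __name__ == "__main__":
    import os

    # GOOGLE_APPLICATION_CREDENTIALS points at the .json key file;
    # POSOS_CLIENT_ID is an environment variable name chosen for this example.
    with open(os.environ["GOOGLE_APPLICATION_CREDENTIALS"]) as f:
        key = json.load(f)
    print(request_id_token(key, os.environ["POSOS_CLIENT_ID"]))
```

The identity token Google returns is itself a JWT whose `aud` equals the client ID you passed as `target_audience`; IAP rejects tokens minted for any other audience, which is why the preprod and production client IDs must not be mixed up.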
Implementation examples
All the libraries offered by Google simplify the configuration if you define the environment variable GOOGLE_APPLICATION_CREDENTIALS to point to the .json file of the private key.
- This link provides examples in several languages: Get an OIDC token for the default service account
- A list of libraries allowing you to build and sign a JWT is available here: JWT.IO - JSON Web Tokens Libraries
Examples
```python
import os

from google.auth.transport.requests import Request
from google.oauth2 import id_token

# The private key is in the file designated by the environment variable
# GOOGLE_APPLICATION_CREDENTIALS.
# The client_id is the OAuth client identifier and should be provided
# by an environment variable too (the variable name is your choice).
client_id = os.environ["POSOS_CLIENT_ID"]
token = id_token.fetch_id_token(Request(), client_id)
# token contains the identity token to attach to requests
```
Sending authenticated requests
The identity token must be attached to the request in the Authorization header, in the format Bearer <token content>.
```shell
curl --request GET --url 'https://api.preprod.posos.co/[...]' --header 'Authorization: Bearer <token>'
```
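Identity tokens expire (Google issues them with a one-hour lifetime), so a client that calls the API repeatedly should cache the token and refresh it shortly before expiry instead of requesting a new one per call. The following Python client is an added example, not code from the page or from POSOS: it attaches the Bearer header, reads the `exp` claim from the token it already holds to decide when to refresh, and retries once with a fresh token if IAP answers 401. `PososClient`, the `REFRESH_MARGIN` value and the `fetch_token` callback are assumptions of this example; `constructed_token` builds an unsigned token purely for offline demonstration.

```python
import base64
import json
import time
import urllib.error
import urllib.request

# Refresh this many seconds before 'exp' to absorb clock skew and request latency
# (value chosen for this example).
REFRESH_MARGIN = 60


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_payload(token: str) -> dict:
    """Read the claims of a JWT without verifying it.

    Only used to read our own token's expiry; the signature is checked by IAP
    on the server side, never by the client.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64 padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))


def token_is_fresh(token: str, now: float) -> bool:
    """True while the token will still be valid after the refresh margin."""
    return jwt_payload(token)["exp"] - REFRESH_MARGIN > now


def auth_headers(token: str) -> dict:
    """Authorization header in the form IAP expects."""
    return {"Authorization": f"Bearer {token}"}


def constructed_token(claims: dict) -> str:
    """Constructed, unsigned token for offline demonstration only;
    real identity tokens are issued and signed by Google."""
    seg = lambda obj: b64url(json.dumps(obj).encode())
    return f"{seg({'alg': 'none'})}.{seg(claims)}.signature"


class PososClient:
    """Minimal API client that caches the identity token and refreshes it on expiry."""

    def __init__(self, base_url: str, fetch_token):
        self.base_url = base_url.rstrip("/")
        # fetch_token returns a new identity token, e.g.
        # lambda: id_token.fetch_id_token(Request(), client_id)
        self._fetch_token = fetch_token
        self._token = None

    def token(self) -> str:
        if self._token is None or not token_is_fresh(self._token, time.time()):
            self._token = self._fetch_token()
        return self._token

    def get(self, path: str, retry: bool = True):
        req = urllib.request.Request(self.base_url + path, headers=auth_headers(self.token()))
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return json.loads(resp.read())
        except urllib.error.HTTPError as err:
            # 401 from IAP means the token itself was rejected (expired or the
            # key was revoked): drop the cached token and retry once.
            if err.code == 401 and retry:
                self._token = None
                return self.get(path, retry=False)
            raise


if __name__ == "__main__":
    demo = constructed_token({"aud": "CLIENT_ID", "exp": int(time.time()) + 3600})
    print(token_is_fresh(demo, time.time()), auth_headers(demo)["Authorization"][:20])
```

A 403 from IAP, by contrast, means the token was valid but the service account is not authorized for that environment; retrying with a new token will not help, so the client deliberately re-raises it.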