RFC: Auth SDK/CLI

[tonylee80]

RFC: Auth SDK/CLI -

Status: Draft

Problem

The usage of Medplum CLI commands with options to specify auth flows can often become verbose and challenging to read.

medplum bulk export -e Group/all --base-url https://sandbox.bcda.cms.gov --fhir-url-path api/v2/ --token-url https://sandbox.bcda.cms.gov/auth/token --client-id {{BCDA Client ID}} --client-secret {{BCDA Client Secret}}

To support different authentication types, it is necessary to add additional options such as grant type, client assertion type, scopes, redirect URI, and code.

The authentication types are:

• Authorization Code
• Implicit: The access token is directly returned to the client application as a fragment identifier in the redirect URL.
• Client Credentials
• Client Assertion
• Refresh Token
• JWT Bearer
• Authorization Code with PKCE

Goals

The following goals should be achieved with the proposed changes:

1. Ability to manage between multiple active logins with different FHIR servers.
2. Precedence of options should follow a consistent order:
   1. command options → environment variables → profiles.

Proposed Changes

Medplum SDK

The MedplumClient has become large and complex, with approximately 3,000 lines of code. To improve maintainability and readability, break down the client into logical components.

1. Auth Manager
   1. manages user/client authentication, logging in/out, keeps track of tokens
2. Auth Class(es)
   • Supports OAuth flows from different FHIR services.
   • Includes support for basic authentication and JWT assertions.
   • Handles grant types, client assertion types, scopes, redirect URIs, and codes.
   • Possibly have different auth classes for different auth types
3. Request Class(es)
   • Handles FHIR REST API requests.
   • Includes endpoints specific to Medplum, such as /admin and /auth.
4. Secondary Goal: Move client to be it’s own package@medplum/client - Extract MedplumClient and directly related utilities from core
   • Package structure #1172

Medplum CLI

• CLI: Add a global option --auth-type to explicitly specify the type of authorization used.

  • Update the Medplum Client SDK constructor to accept authType as an option.
  • Default to basic authentication if the client ID and client secret are set via CLI global options or environment variables.
  • Allow clients to specify different OAuth flows for requesting access tokens.

• Profiles (config options?)

  • Replaces the need to enter several command line options

  • Stores command line options.

  • Manage multiple client accounts and FHIR servers.

    • Profiles can be created for various services and environments (e.g., Sandbox, Dev, Staging, Production).
    • Profile commands include:
      • medplum profile set <profileName> <property> <value> : Sets the specified profile with associated options.
      • medplum profile unset <profileName> <property> : Unset the specified profile property.
      • medplum profile delete <profileName>: Deletes the specified profile and logs out profile if it’s being use
      • medplum profile list: Lists all available profiles.
      • medplum profile describe <profileName>: Describes the details of a specific profile.
      • medplum login --profile <profileName>: Logs in using the specified profile.
      • medplum whoami: Displays the details of the current logged-in and optional profile.

  • medplum login with profiles

    $ medplum login --profile bcda
    
    $ medplum login --profile prod
    
    $ medplum login --profile staging
    
    $ medplum login --profile example

  • $ medplum login --profile bcda
    
    $ medplum whoami
    
    Logged in with profile: bcda
    {
    	"baseUrl": "https://sandbox.bcda.cms.gov",
    	"fhirPath": "api/v2",
    	"tokenUrl": "https://sandbox.bcda.cms.gov/auth/token",
    	"clientId": "*clientId*",
    	"clientSecret": "*clientSecret*",
    	"authType": "basic"
    }

• Storage: Modify the ~/.medplum/credentials file to include a new property called "profiles."

  • Below would be the state of the credentials file after running these commands

  $ medplum profile set bcda --auth-type basic --base-url https://sandbox.bcda.cms.gov --fhir-url-path api/v2/ --token-url https://sandbox.bcda.cms.gov/auth/token --client-id *clientId* --client-secret *clientSecret*
  
  $ medplum profile set example --auth-type jwt-assertion --base-url https://example.com --fhir-url-path r4 --token-url https://example.com/oauth2/token --client-id *clientId* --private-key *localfile.pem*
  
  $ medplum profile set medplum-staging --auth-type basic --base-url https://staging.api.medplum.com --client-id *clientId* --client-secret *clientSecret*
  
  $ medplum profile set medplum-prod --client-id *clientId* --client-secret *clientSecret*
  
  $ medplum login --profile bcda
  
  $ medplum login --profile medplum-prod
  
  $ medplum login --profile medplum-staging
  
  $ medplum login --profile example

  {
  	"logins": [
      {
          "accessToken": "e........",
          "project": {
              "reference": "Project/d2c65e1e-793b-4faa-b3a3-b0b2e8b1f847",
              "display": "Massachusetts Sample Data"
          },
          "profile": {
              "reference": "Practitioner/2fdb088d-5080-4237-a118-fdeeb1e84f1a",
              "display": "Tony Lee",
  		"name": "medplum-prod"
          }
      },
      {
          "accessToken": "e........",
          "project": {
              "reference": "Project/d2c65e1e-793b-4faa-b3a3-b0b2e8b1f847",
              "display": "Massachusetts Sample Data"
          },
          "profile": {
              "reference": "Practitioner/2fdb088d-5080-4237-a118-fdeeb1e84f1a",
              "display": "Tony Lee",
  		"name": "medplum-staging"
          }
      },
      {
          "accessToken": "e........",
          "project": {
              "reference": "Project/d2c65e1e-793b-4faa-b3a3-b0b2e8b1f847",
              "display": "Massachusetts Sample Data"
          },
          "profile": {
              "reference": "Practitioner/2fdb088d-5080-4237-a118-fdeeb1e84f1a",
              "display": "Tony Lee"
          }
      },
      {
  				"profile": {
  					"name": "bcda"
  				}
  				"accessToken": "e.......",
      },
      {
  				"profile": {
  					"name": "example"
  				}
  				"accessToken": "*accesstoken*",
      }
  ],
  	"activeLogins":{
  				"profile": {
  					"name": "example"
  				}
  				"accessToken": "*accesstoken*",
     },
  	"profiles":{
  			"bcda": {
  				"baseUrl": "https://sandbox.bcda.cms.gov",
  				"fhirPath": "api/v2",
  				"tokenUrl": "https://sandbox.bcda.cms.gov/auth/token",
  				"clientId": "*clientId*",
  				"clientSecret": "*clientSecret*",
  				"authType": "basic"
  			}, 
  			"example": {
  				"baseUrl": "https://example.com",
  				"fhirPath": "r4",
  				"tokenUrl": "https://example.com/oauth2/token",
  				"clientId": "*clientId*",
  				"privateKey": "*localfile.pem*",
  				"authType": "jwt-assertion"
  			}, 
  			"medplum-staging": {
  				"baseUrl": "https://staging.api.medplum.com",
  				"clientId": "*clientId*",
  				"clientSecret": "*clientSecret*",
  				"authType": "basic"
  			},
  			"medplum-prod": {
  				"baseUrl": "http://api.medplum.com",
  				"clientId": "*clientId*",
  				"clientSecret": "*clientSecret*",
  			},  
  	}
  }

  • medplum commands with and without profiles

  $ medplum get Patient
  
  $ medplum get Patient --profile medplum-staging
  
  $ medplum get Patient --client-id *clientId* --client-secret *clientSecret* --baseUrl https://staging.api.medplum.com --auth-type basic

  Questions

  • Should profile be required?

    • The profile should be optional and used to manage (global) options for the Medplum CLI.

  • What happens if the profile is not specified?

    • Continue using active login. The 'medplum whoami' command should identify the current authentication state of the CLI. Using profiles should not override active login. To override active login with a profile, use the 'medplum login —profile' command.

  • Is there a default profile?

    • Benefits of a default profile

      • Enables users to customize their default FHIR server settings. This can be especially helpful for self-hosted customers.

    • No default

      -Encourage users to create profiles.

  • Would an interactive CLI tool be helpful?

    • Create a profile

      $ medplum profile create <profileName>
      
      What's the base url? (default https://api.medplum.com)
      
      What's the FHIR URL path? (default "fhir/r4")
      
      What's the token URL? (default https://api.medplum.com/auth/token)
      
      etc...

    • Login (inspired by Github CLI)

      $ medplum login
      
      ? What account do you want to login into? [Use arrows to move, type to filter]
      > Medplum Web (https://app.medplum.com)
        Medplum API (api.medplum.com)
        Medplum Staging API (staging.api.medplum.com)
        BCDA Sandbox
        Cerner
        Epic

  • Should profiles considered to be only used for auth/global options? Could profiles be flexible enough for non auth use cases?

  References

• Medplum SDK enhancements to determine Auth and Client types #2191

• CLI Profiles: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html#cli-configure-files-using-profiles

[jamestouri]

Thanks for this write-up @tonylee80 . Would love suggestions and thoughts on this, as I write out the steps I’m taking towards completing this, which will turn into incremental tasks to completing the feature of multiple FHIR server connections on the CLI.  @codyebberson we spoke briefly on this today, will like to start creating the tasks associated with each step towards completion.

1. CLI storage
   • Modifying the ~/.medplum/credentials file to support profiles
2. Storage and profiles in the SDK
3. CLI profiles
   1. ‘Profile’ subcommand
      • Set
      • Unset
      • List
      • Describe
      • flag
   2. —profile flag for specific profile
4. —auth-type
   1. Add authType for Client SDK
   2. Add a global —auth-type for CLI
5. Create an AuthManager Folder in the SDK
   1. Basic Authentication Class
      • Manage user/client auth, logging in/out, keeps track of tokens
6. Medplum commands for specific profiles
   1. FHIR Rest requests
7. Support (Other Classes) for JWT assertions and OAuth Flows
   1. Add different Auth types
8. Interactive CLI tool
   1. Creating Profile
   2. Logging in

[codyebberson]

Original recommendations:

$ medplum profile set bcda --auth-type basic --base-url https://sandbox.bcda.cms.gov --fhir-url-path api/v2/ --token-url https://sandbox.bcda.cms.gov/auth/token --client-id *clientId* --client-secret *clientSecret*

$ medplum profile set example --auth-type jwt-assertion --base-url https://example.com --fhir-url-path r4 --token-url https://example.com/oauth2/token --client-id *clientId* --private-key *localfile.pem*

$ medplum profile set medplum-staging --auth-type basic --base-url https://staging.api.medplum.com --client-id *clientId* --client-secret *clientSecret*

$ medplum profile set medplum-prod --client-id *clientId* --client-secret *clientSecret*

$ medplum login --profile bcda

$ medplum login --profile medplum-prod

$ medplum login --profile medplum-staging

$ medplum login --profile example

Alternate recommendation:

$ medplum login --profile bcda --auth-type basic --base-url https://sandbox.bcda.cms.gov --fhir-url-path api/v2/ --token-url https://sandbox.bcda.cms.gov/auth/token --client-id *clientId* --client-secret *clientSecret*

$ medplum login --profile example --auth-type jwt-assertion --base-url https://example.com --fhir-url-path r4 --token-url https://example.com/oauth2/token --client-id *clientId* --private-key *localfile.pem*

$ medplum login --profile medplum-staging --auth-type basic --base-url https://staging.api.medplum.com --client-id *clientId* --client-secret *clientSecret*

$ medplum login --profile medplum-prod --client-id *clientId* --client-secret *clientSecret*

[jamestouri]

Following up on this, when a user runs profile set <profileName> ..., not only will this set their desired profile, but it will also automatically log them in and create an active session.

This feature should streamline the process and improve user experience, reducing the extra step for manual logins every time a profile is created. Also, it keeps the process aligned with the principle of maintaining an active and valid authentication token per profile in the CLI context.

Looking forward to hearing thoughts about this

[codyebberson]

but it will also automatically log them in and create an active session.

Hmmmm.... I'm unsure on this. I think this has risk of surprising the user, and that's not great.

If we want to combine "setup profile" and "login" into a single command, then I propose that we just use the "login" command.

[jamestouri]

Got it, just so we're aligned here, if we have "login" command, if the --profile flag is used should we use that as the profileName being set? e.g medplum login --profile <profile> --base-url <baseUrl> ...