Authentication

To access the APIs, you first need to obtain a client's credentials.

A client with all the required permissions is already created by default and is named "Admin". For more information on creating a client, see Creating a Client.

You can authenticate using the following methods:

  • Client Credentials flow: Using a client ID and a client secret.
  • Authorization Code flow: Using a client ID and a user's credentials.

Both methods yield a Bearer token, which is sent with every API request to authenticate it.

Below you can find examples of how to authenticate using each of these methods.

Client Credentials Flow

In the Client Credentials flow the client authenticates itself; use it when the client is acting on its own behalf (for example, a backend service). Steps for backend authentication:

  1. Obtain a client ID and client secret - by creating a Backend client

  2. Use the client ID and client secret to obtain a token - by sending a POST request to the token endpoint: https://dev.medblocks.com/oauth2/token.

    POST /oauth2/token

    [Headers]
    Content-Type: application/x-www-form-urlencoded

    [BasicAuth]
    client_id:client_secret

    [FormParams]
    grant_type: client_credentials

    This will return a JSON response with the access token.

    {
    "access_token": "<access-token>",
    "expires_in": 3599,
    "scope": "",
    "token_type": "bearer"
    }
  3. Use the access token to authenticate the APIs - by sending the access token in the Authorization header.

    GET /fhir/Patient

    [Headers]
    Authorization: Bearer <access_token>
    Content-Type: application/fhir+json

Authorization Code Flow

The Authorization Code flow is used when the client is acting on behalf of a user. Steps for frontend authentication:

  1. Obtain a client ID - by creating a Single Page application client

  2. Redirect the user to the authorization endpoint - by sending a GET request to the authorization endpoint: https://dev.medblocks.com/oauth2/authorize.

    GET /oauth2/auth

    [QueryParams]
    response_type: code
    client_id: <client_id>
    redirect_uri: <redirect_uri>

    This will redirect the user to the login page, where the user can enter their credentials.

  3. Exchange the authorization code for an access token - after the user logs in, the authorization server redirects the browser back to the redirect_uri with an authorization code; send that code in a POST request to the token endpoint: https://dev.medblocks.com/oauth2/token.

    POST /oauth2/token

    [Headers]
    Content-Type: application/x-www-form-urlencoded

    [FormParams]
    grant_type: authorization_code
    code: <authorization_code>
    client_id: <client_id>
    redirect_uri: <redirect_uri>

    This will return a JSON response with the access token.

    {
    "access_token": "<access_token>",
    "expires_in": 3599,
    "scope": "",
    "token_type": "bearer"
    }
  4. All the subsequent requests made by the client should include the access token in the Authorization header.

    GET /fhir/Patient

    [Headers]
    Authorization: Bearer <access_token>
    Content-Type: application/fhir+json
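The following added example (not code from the Medblocks documentation or project) builds the requests shown in both flows above in Python: the Client Credentials token request with the secret carried only in the Basic Authorization header, the Authorization Code redirect and code exchange, and a small holder that parses the token response and treats the token as stale shortly before expires_in elapses. The `state` parameter, the callback URL shape and the sample values (Admin/s3cret, tok-123) are assumptions; `state` is the standard OAuth 2.0 CSRF-binding parameter, which the page's own example does not list.

```python
import base64
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse
TOKEN_URL = "https://dev.medblocks.com/oauth2/token"          # token endpoint from the page
AUTHORIZE_URL = "https://dev.medblocks.com/oauth2/authorize"  # authorization endpoint from the page
FORM = "application/x-www-form-urlencoded"

def client_credentials_request(client_id, client_secret):
    # Client Credentials flow, step 2. The secret travels only in the Basic
    # Authorization header, never in the URL or the form body.
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {"method": "POST", "url": TOKEN_URL,
            "headers": {"Authorization": f"Basic {creds}", "Content-Type": FORM},
            "body": urlencode({"grant_type": "client_credentials"})}

def authorize_redirect(client_id, redirect_uri, state):
    # Authorization Code flow, step 2. `state` is the standard OAuth 2.0 CSRF-binding
    # parameter (RFC 6749); the page omits it, so its pass-through here is an assumption.
    return AUTHORIZE_URL + "?" + urlencode({"response_type": "code", "client_id": client_id,
                                            "redirect_uri": redirect_uri, "state": state})

def parse_callback(callback_url, expected_state):
    # Extract the code from the redirect back to redirect_uri; a state mismatch means
    # the callback was not started by this session, so refuse to exchange the code.
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    return qs["code"][0]

def code_exchange_request(code, client_id, redirect_uri):
    # Authorization Code flow, step 3: exchange the code for an access token.
    return {"method": "POST", "url": TOKEN_URL, "headers": {"Content-Type": FORM},
            "body": urlencode({"grant_type": "authorization_code", "code": code,
                               "client_id": client_id, "redirect_uri": redirect_uri})}

class BearerToken:
    # Parsed token response; the token counts as stale `margin` seconds before expires_in.
    def __init__(self, token_json, now=None, margin=60):
        data = json.loads(token_json)
        if data.get("token_type", "").lower() != "bearer":
            raise ValueError("expected a bearer token")
        self.access_token = data["access_token"]
        self.expires_at = (time.time() if now is None else now) + int(data["expires_in"]) - margin

    def is_expired(self, now=None):
        return (time.time() if now is None else now) >= self.expires_at

    def fhir_headers(self):  # headers for the FHIR request in the last step of both flows
        return {"Authorization": f"Bearer {self.access_token}", "Content-Type": "application/fhir+json"}
```

Send the returned request dicts with any HTTP client; when `is_expired()` turns true, request a fresh token instead of retrying the FHIR call with the stale one.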