Fix to 7631 - Update API_README (openemr#7639)
* Changed every 'Global' to 'Config'

* Changed 'Global' to 'Config' in FHIR_README
lomaxanthony authored Aug 8, 2024
1 parent 8c2124a commit 5ff2ef5
Showing 2 changed files with 7 additions and 7 deletions.
10 changes: 5 additions & 5 deletions API_README.md
Expand Up @@ -40,7 +40,7 @@ Easy-to-use JSON-based REST API for OpenEMR. FHIR is also supported, see FHIR AP

## Prerequisite

Enable the Standard API service (/api/ endpoints) in OpenEMR menu: Administration->Globals->Connectors->"Enable OpenEMR Standard REST API"
Enable the Standard API service (/api/ endpoints) in OpenEMR menu: Administration->Config->Connectors->"Enable OpenEMR Standard REST API"

## Using API Internally

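Review bot: the menu path in the Prerequisite line now reads Administration->Config->Connectors, but this is a documentation-only change, so confirm that the Connectors page is actually reached under a menu entry labelled 'Config' in the release this README ships with; a reader on an older build will still see 'Globals' and will find nothing called 'Config'. Stating the version at which the label changed in the README itself, rather than only in the commit message, would avoid that confusion.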
Expand All @@ -54,7 +54,7 @@ Multisite is supported by including the site in the endpoint. When not using mul

## Authorization

OpenEMR uses OIDC compliant authorization for API. SSL is required and setting baseurl at Administration->Globals->Connectors->'Site Address (required for OAuth2 and FHIR)' is required. The listing of scopes can be found in below Scopes section.
OpenEMR uses OIDC compliant authorization for API. SSL is required and setting baseurl at Administration->Config->Connectors->'Site Address (required for OAuth2 and FHIR)' is required. The listing of scopes can be found in below Scopes section.

### Scopes

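Review bot: since the Authorization sentence is being rewritten anyway, fix its wording in the same pass: 'SSL is required' should read 'TLS is required', matching the Security section further down in this file, which correctly says TLS, and 'OIDC compliant' should be hyphenated. The sentence also says 'required' twice; 'TLS is required, and the base URL must be set at Administration->Config->Connectors->'Site Address (required for OAuth2 and FHIR)'' reads cleaner.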
Expand Down Expand Up @@ -298,7 +298,7 @@ Response:

### Password Grant

Recommend not using this mechanism unless you know what you are doing. It is considered far less secure than the standard authorization code method. Because of security implications, it is not turned on by default. It can be turned on at Administration->Globals->Connectors->'Enable OAuth2 Password Grant (Not considered secure)'.
Recommend not using this mechanism unless you know what you are doing. It is considered far less secure than the standard authorization code method. Because of security implications, it is not turned on by default. It can be turned on at Administration->Config->Connectors->'Enable OAuth2 Password Grant (Not considered secure)'.

Note that all scopes are included in these examples for demonstration purposes. For production purposes, should only include the necessary scopes.

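Review bot: the renamed setting 'Enable OAuth2 Password Grant (Not considered secure)' is fine, but the context line that follows, 'For production purposes, should only include the necessary scopes.', has no subject; suggest 'For production use, a client should request only the scopes it needs.' This paragraph is also the natural place to point at the Security section of this file, which states that Password Grant SHOULD be turned off for any production use, so that the two warnings agree on the recommendation.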
Expand Down Expand Up @@ -413,7 +413,7 @@ The Patient Portal API is documented via Swagger. Can see this documentation (an

This is under development and is considered EXPERIMENTAL.

Enable the Patient Portal API service (/portal/ endpoints) in OpenEMR menu: Administration->Globals->Connectors->"Enable OpenEMR Patient Portal REST API (EXPERIMENTAL)"
Enable the Patient Portal API service (/portal/ endpoints) in OpenEMR menu: Administration->Config->Connectors->"Enable OpenEMR Patient Portal REST API (EXPERIMENTAL)"

OpenEMR patient portal endpoints Use `https://localhost:9300/apis/default/portal as base URI.`

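Review bot: the context line right after the renamed setting has a misplaced backtick: the code span opens before the URL and does not close until after 'as base URI.', so the rendered line shows the trailing words as code and the URL without its closing delimiter. It should read: OpenEMR patient portal endpoints use `https://localhost:9300/apis/default/portal` as the base URI. Capitalisation of 'Use' should be lowered at the same time.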
Expand All @@ -433,7 +433,7 @@ curl -X GET 'https://localhost:9300/apis/default/portal/patient' \
## Security
- OpenEMR adminstrators / installers should ensure that the API is protected using an end to end encryption protocol such as TLS
- Password Grant SHOULD be turned off for any kind of production use as it has a number of security problems
- Setting the Admin -> Globals -> OAuth2 App Manual Approval Settings to be 'Manual Approval' prevents any OAuth2 application from accessing the API without manual approval from an administrator. This is the most secure setting. However, in the USA jurisdiction that must comply with CEHRT rules for ONC 2015 Cures Update, patient standalone apps must be approved within 48 hours of a patient requesting access in order to avoid pentalities under the Information Blocking Provisions from ONC. EHR administrators are not allowed to vet a patient's choice of an app as long as the app complies with OpenEMR's OAuth2 security requirements. If an app requests user/* or system/* scopes, administrators can vet an application and request additional information / security on an app by app basis. Leaving the setting at the default will auto-approve any patient standalone app.
- Setting the Admin -> Config -> OAuth2 App Manual Approval Settings to be 'Manual Approval' prevents any OAuth2 application from accessing the API without manual approval from an administrator. This is the most secure setting. However, in the USA jurisdiction that must comply with CEHRT rules for ONC 2015 Cures Update, patient standalone apps must be approved within 48 hours of a patient requesting access in order to avoid pentalities under the Information Blocking Provisions from ONC. EHR administrators are not allowed to vet a patient's choice of an app as long as the app complies with OpenEMR's OAuth2 security requirements. If an app requests user/* or system/* scopes, administrators can vet an application and request additional information / security on an app by app basis. Leaving the setting at the default will auto-approve any patient standalone app.
- Public apps (ones that can't securely store a secret) MUST implement the PKCE standard specified in [RFC 7636](https://www.rfc-editor.org/rfc/rfc7636). Confidential apps are still highly encouraged to implement PKCE to mitigate forms of MITM attacks such as multiple native app devices registering for the same custom url scheme used as the OAUTH2 redirect_uri in the authorization_code grant.

## For Developers
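Review bot: the renamed path in the Security bullet is written 'Admin -> Config -> OAuth2 App Manual Approval Settings', while every other hunk in this commit writes 'Administration->Config->Connectors->...'; the menu name, the arrow spacing and the missing Connectors level should be made consistent so an administrator following the text lands on the right page. Two typos on the surrounding context lines are worth fixing in the same pass: 'adminstrators' in the TLS bullet and 'pentalities' in the approval bullet.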
4 changes: 2 additions & 2 deletions FHIR_README.md
Expand Up @@ -36,7 +36,7 @@ Easy-to-use JSON-based REST API for OpenEMR FHIR. See standard OpenEMR API docs

## Prerequisite

Enable the Standard FHIR service (/fhir/ endpoints) in OpenEMR menu: Administration->Globals->Connectors->"Enable OpenEMR Standard FHIR REST API"
Enable the Standard FHIR service (/fhir/ endpoints) in OpenEMR menu: Administration->Config->Connectors->"Enable OpenEMR Standard FHIR REST API"

## Using FHIR API Internally

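Review bot: this Prerequisite line is the FHIR twin of the one in API_README.md and differs from it only in the service name and setting label; the fact that this commit had to touch both files for a single menu rename shows that the duplicated path text drifts. Either keep the two lines word-for-word aligned apart from the service name, or link to the API_README prerequisite the way the Authorization section below already links to API_README.md#authorization.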
Expand All @@ -50,7 +50,7 @@ Multisite is supported by including the site in the endpoint. When not using mul

## Authorization

OpenEMR uses OIDC compliant authorization for API. SSL is required and setting baseurl at Administration->Globals->Connectors->'Site Address (required for OAuth2 and FHIR)' is required.
OpenEMR uses OIDC compliant authorization for API. SSL is required and setting baseurl at Administration->Config->Connectors->'Site Address (required for OAuth2 and FHIR)' is required.

See [Authorization](API_README.md#authorization) for more details.

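Review bot: the Authorization sentence here duplicates the one in API_README.md, and the very next line already links to API_README.md#authorization; keeping only the link would have avoided the two-file update this commit needed. If the sentence stays, apply the same 'SSL' to 'TLS' correction and 'OIDC-compliant' hyphenation as in API_README.md so the two files do not diverge again.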