pacs_system/oauth2__middleware_8cpp_source.html

// BSD 3-Clause License

// Copyright (c) 2021-2025, 🍀☀🌕🌥 🌊

// See the LICENSE file in the project root for full license information.


// IMPORTANT: Include Crow FIRST before any PACS headers

#include "crow.h"


#include "kcenon/pacs/web/auth/oauth2_middleware.h"


#include "kcenon/pacs/security/access_control_manager.h"

#include "kcenon/pacs/security/role.h"

#include "kcenon/pacs/security/user.h"

#include "kcenon/pacs/security/user_context.h"

#include "kcenon/pacs/web/rest_types.h"


#include <string>


namespace kcenon::pacs::web::auth {


// =============================================================================

// oauth2_middleware Implementation

// =============================================================================


oauth2_middleware::oauth2_middleware(const oauth2_config& config)

    : config_(config), validator_(config) {}


void oauth2_middleware::set_jwks_provider(

    std::shared_ptr<jwks_provider> provider) {

    jwks_provider_ = std::move(provider);

}


void oauth2_middleware::set_access_control_manager(

    std::shared_ptr<security::access_control_manager> manager) {

    security_manager_ = std::move(manager);

}


std::optional<auth_result> oauth2_middleware::authenticate(

    const crow::request& req, crow::response& res) const {


    // Extract Bearer token from Authorization header

    auto bearer = extract_bearer_token(req);

    if (!bearer) {

        set_unauthorized(res, "Missing or invalid Authorization header");

        return std::nullopt;

    }


    // Decode JWT

    auto [token, decode_err] = validator_.decode(*bearer);

    if (decode_err != jwt_error::none) {

        set_unauthorized(res, std::string(jwt_error_message(decode_err)));

        return std::nullopt;

    }


    // Validate claims (issuer, audience, expiration)

    auto claims_err = validator_.validate_claims(token.claims);

    if (claims_err != jwt_error::none) {

        set_unauthorized(res, std::string(jwt_error_message(claims_err)));

        return std::nullopt;

    }


    // Verify signature using JWKS

    if (!verify_signature(token)) {

        set_unauthorized(res, "Token signature verification failed");

        return std::nullopt;

    }


    // Create user_context from JWT subject

    // Try to find existing user in RBAC system, or create an OAuth-based context

    security::User user;

    user.id = token.claims.sub;

    user.username = token.claims.sub;

    user.active = true;


    // If we have an access control manager, try to look up the user

    if (security_manager_) {

        auto user_result = security_manager_->get_user(token.claims.sub);

        if (user_result.is_ok()) {

            user = user_result.unwrap();

        } else if (config_.allow_unknown_users) {

            // Backward compatibility: grant Viewer role to unknown OAuth users

            user.roles = {security::Role::Viewer};

        } else {

            set_unauthorized(res, "Unknown user: not registered in access control system");

            return std::nullopt;

        }

    } else if (config_.allow_unknown_users) {

        user.roles = {security::Role::Viewer};

    } else {

        set_unauthorized(res, "Unknown user: no access control manager configured");

        return std::nullopt;

    }


    auto ctx = security::user_context(std::move(user), token.claims.jti);

    ctx.set_source_ip(std::string(req.remote_ip_address));

    ctx.touch();


    return auth_result{std::move(ctx), std::move(token.claims)};

}


bool oauth2_middleware::require_scope(

    const jwt_claims& claims,

    crow::response& res,

    std::string_view required_scope) const {


    if (!jwt_validator::has_scope(claims, required_scope)) {

        set_forbidden(res,

            "Insufficient scope: requires " + std::string(required_scope));

        return false;

    }

    return true;

}


bool oauth2_middleware::require_any_scope(

    const jwt_claims& claims,

    crow::response& res,

    const std::vector<std::string>& required_scopes) const {


    if (!jwt_validator::has_any_scope(claims, required_scopes)) {

        std::string scope_list;

        for (size_t i = 0; i < required_scopes.size(); ++i) {

            if (i > 0) scope_list += " or ";

            scope_list += required_scopes[i];

        }

        set_forbidden(res, "Insufficient scope: requires " + scope_list);

        return false;

    }

    return true;

}


bool oauth2_middleware::enabled() const noexcept {

    return config_.enabled;

}


const jwt_validator& oauth2_middleware::validator() const noexcept {

    return validator_;

}


// =============================================================================

// Private Helpers

// =============================================================================


std::optional<std::string_view> oauth2_middleware::extract_bearer_token(

    const crow::request& req) const {


    auto auth_header = req.get_header_value("Authorization");

    if (auth_header.empty()) return std::nullopt;


    std::string_view header_view(auth_header);


    // Check for "Bearer " prefix (case-insensitive for "Bearer")

    constexpr std::string_view bearer_prefix = "Bearer ";

    if (header_view.size() <= bearer_prefix.size()) return std::nullopt;


    // Case-sensitive check per RFC 6750

    if (header_view.substr(0, bearer_prefix.size()) != bearer_prefix) {

        return std::nullopt;

    }


    auto token = header_view.substr(bearer_prefix.size());

    if (token.empty()) return std::nullopt;


    return token;

}


bool oauth2_middleware::verify_signature(const jwt_token& token) const {

    if (!jwks_provider_) return false;


    // Try to get key by kid from the token header

    std::optional<jwk_key> key;

    if (!token.header.kid.empty()) {

        key = jwks_provider_->get_key(token.header.kid);

    }


    // Fall back to algorithm-based lookup

    if (!key) {

        key = jwks_provider_->get_key_by_alg(token.header.alg);

    }


    if (!key) return false;


    // Verify based on algorithm

    if (token.header.alg == "RS256") {

        return validator_.verify_rs256(token, key->pem);

    } else if (token.header.alg == "ES256") {

        return validator_.verify_es256(token, key->pem);

    }


    return false;

}


void oauth2_middleware::set_unauthorized(crow::response& res,

                                         std::string_view message) {

    res.code = 401;

    res.add_header("Content-Type", "application/json");

    res.add_header("WWW-Authenticate", "Bearer");

    res.body = make_error_json("UNAUTHORIZED", message);

}


void oauth2_middleware::set_forbidden(crow::response& res,

                                      std::string_view message) {

    res.code = 403;

    res.add_header("Content-Type", "application/json");

    res.body = make_error_json("FORBIDDEN", message);

}


}  // namespace kcenon::pacs::web::auth

access_control_manager.h
Core RBAC logic.

kcenon::pacs::security::user_context
Represents the security context for a user session.
Definition user_context.h:29

kcenon::pacs::web::auth::jwt_validator
Definition jwt_validator.h:124

kcenon::pacs::web::auth::jwt_validator::verify_es256
bool verify_es256(const jwt_token &token, std::string_view public_key_pem) const
Verify ES256 (ECDSA-SHA256) signature.
Definition jwt_validator.cpp:451

kcenon::pacs::web::auth::jwt_validator::has_any_scope
static bool has_any_scope(const jwt_claims &claims, const std::vector< std::string > &scopes) noexcept
Check if token has any of the specified scopes.
Definition jwt_validator.cpp:471

kcenon::pacs::web::auth::jwt_validator::validate_claims
jwt_error validate_claims(const jwt_claims &claims) const
Validate JWT claims against configuration.
Definition jwt_validator.cpp:283

kcenon::pacs::web::auth::jwt_validator::has_scope
static bool has_scope(const jwt_claims &claims, std::string_view scope) noexcept
Check if token has a specific scope.
Definition jwt_validator.cpp:463

kcenon::pacs::web::auth::jwt_validator::verify_rs256
bool verify_rs256(const jwt_token &token, std::string_view public_key_pem) const
Verify RS256 (RSA-SHA256) signature.
Definition jwt_validator.cpp:445

kcenon::pacs::web::auth::jwt_validator::decode
std::pair< jwt_token, jwt_error > decode(std::string_view token_string) const
Decode a JWT token string into its components.
Definition jwt_validator.cpp:181

kcenon::pacs::web::auth::oauth2_middleware::enabled
bool enabled() const noexcept
Check if OAuth 2.0 is enabled.
Definition oauth2_middleware.cpp:138

kcenon::pacs::web::auth::oauth2_middleware::authenticate
std::optional< auth_result > authenticate(const crow::request &req, crow::response &res) const
Authenticate a request using OAuth 2.0 Bearer token.
Definition oauth2_middleware.cpp:45

kcenon::pacs::web::auth::oauth2_middleware::jwks_provider_
std::shared_ptr< jwks_provider > jwks_provider_
Definition oauth2_middleware.h:189

kcenon::pacs::web::auth::oauth2_middleware::require_any_scope
bool require_any_scope(const jwt_claims &claims, crow::response &res, const std::vector< std::string > &required_scopes) const
Check if the request has any of the required scopes.
Definition oauth2_middleware.cpp:121

kcenon::pacs::web::auth::oauth2_middleware::set_unauthorized
static void set_unauthorized(crow::response &res, std::string_view message)
Set 401 Unauthorized response.
Definition oauth2_middleware.cpp:199

kcenon::pacs::web::auth::oauth2_middleware::require_scope
bool require_scope(const jwt_claims &claims, crow::response &res, std::string_view required_scope) const
Check if the authenticated request has a required scope.
Definition oauth2_middleware.cpp:108

kcenon::pacs::web::auth::oauth2_middleware::validator_
jwt_validator validator_
Definition oauth2_middleware.h:188

kcenon::pacs::web::auth::oauth2_middleware::extract_bearer_token
std::optional< std::string_view > extract_bearer_token(const crow::request &req) const
Extract Bearer token from Authorization header.
Definition oauth2_middleware.cpp:150

kcenon::pacs::web::auth::oauth2_middleware::set_jwks_provider
void set_jwks_provider(std::shared_ptr< jwks_provider > provider)
Set the JWKS provider for signature verification.
Definition oauth2_middleware.cpp:35

kcenon::pacs::web::auth::oauth2_middleware::verify_signature
bool verify_signature(const jwt_token &token) const
Verify token signature using JWKS keys.
Definition oauth2_middleware.cpp:173

kcenon::pacs::web::auth::oauth2_middleware::set_access_control_manager
void set_access_control_manager(std::shared_ptr< security::access_control_manager > manager)
Set the access control manager for RBAC integration.
Definition oauth2_middleware.cpp:40

kcenon::pacs::web::auth::oauth2_middleware::config_
oauth2_config config_
Definition oauth2_middleware.h:187

kcenon::pacs::web::auth::oauth2_middleware::oauth2_middleware
oauth2_middleware(const oauth2_config &config)
Construct middleware with OAuth 2.0 configuration.
Definition oauth2_middleware.cpp:32

kcenon::pacs::web::auth::oauth2_middleware::set_forbidden
static void set_forbidden(crow::response &res, std::string_view message)
Set 403 Forbidden response.
Definition oauth2_middleware.cpp:207

kcenon::pacs::web::auth::oauth2_middleware::validator
const jwt_validator & validator() const noexcept
Get the underlying JWT validator.
Definition oauth2_middleware.cpp:142

kcenon::pacs::web::auth::oauth2_middleware::security_manager_
std::shared_ptr< security::access_control_manager > security_manager_
Definition oauth2_middleware.h:190

kcenon::pacs::security::Role::Viewer
@ Viewer
Read-only access to studies.

kcenon::pacs::web::auth
Definition jwks_provider.h:29

kcenon::pacs::web::auth::jwt_error::none
@ none
No error.

kcenon::pacs::web::auth::jwt_error_message
std::string_view jwt_error_message(jwt_error error) noexcept
Get human-readable description for a JWT error.
Definition jwt_validator.cpp:144

kcenon::pacs::web::make_error_json
std::string make_error_json(std::string_view code, std::string_view message)
Create JSON error response body with details.
Definition rest_types.h:79

oauth2_middleware.h
OAuth 2.0 middleware for DICOMweb endpoint authorization.

rest_types.h
Common types and utilities for REST API.

role.h
Role definitions for RBAC.

kcenon::pacs::security::User
Represents a user in the system.
Definition user.h:26

kcenon::pacs::security::User::id
std::string id
Definition user.h:27

kcenon::pacs::web::auth::auth_result
Result of a successful OAuth 2.0 authentication.
Definition oauth2_middleware.h:71

kcenon::pacs::web::auth::jwt_claims
Decoded JWT claims (payload)
Definition jwt_validator.h:47

kcenon::pacs::web::auth::jwt_header::kid
std::string kid
Key ID for key selection.
Definition jwt_validator.h:41

kcenon::pacs::web::auth::jwt_header::alg
std::string alg
Algorithm (RS256, ES256)
Definition jwt_validator.h:39

kcenon::pacs::web::auth::jwt_token
Decoded JWT token with raw segments for signature verification.
Definition jwt_validator.h:61

kcenon::pacs::web::auth::jwt_token::header
jwt_header header
Definition jwt_validator.h:62

kcenon::pacs::web::auth::oauth2_config
OAuth 2.0 configuration for DICOMweb authorization.
Definition oauth2_config.h:30

kcenon::pacs::web::auth::oauth2_config::enabled
bool enabled
Enable OAuth 2.0 authorization (disabled by default for backward compat)
Definition oauth2_config.h:32

kcenon::pacs::web::auth::oauth2_config::allow_unknown_users
bool allow_unknown_users
Allow unknown OAuth users not found in RBAC to access as Viewer When false (default): unknown users r...
Definition oauth2_config.h:52

user.h
User definition for RBAC.

user_context.h
User context for session-based access control.