@reinkrul
Member

See "Proposal" at the bottom of the document.

Contributor

Copilot AI left a comment

Pull Request Overview

This PR introduces an Architecture Decision Record (ADR) documenting the authentication API strategy for the Knooppunt system. The ADR evaluates different approaches for EHR-to-Knooppunt authentication in both machine-to-machine and end-user scenarios.

  • Evaluates three main authentication options: Nuts v2 auth API, OAuth2/OpenID Connect, and various OAuth2 grant types
  • Documents trade-offs between simplicity, security, and integration complexity
  • Proposes using optional OIDC Provider for end-user auth and OAuth2 API with Client Credentials and Token Exchange grants

reinkrul and others added 5 commits November 10, 2025 13:31
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
- The EHR will still need to integrate DEZI (an OpenID Connect API) for caregiver authentication.
- The DEZI id_token will have to be wrapped in a Verifiable Credential for usage in Nuts, adding complexity.

### OAuth2 / OpenID Connect
Member

OAuth for machine-2-machine authentication makes semantically no sense. You are pretending to be an OAuth token endpoint, but it is only an endpoint to initiate the request to another token endpoint. This can lead to confusion and misuse.

@reinkrul
Member Author

reinkrul commented Dec 1, 2025

@stevenvegt I've updated the ADR;

  • Added API authentication (EHR invoking Knooppunt) as use case this ADR covers
  • Restructured the options; they're now categorized in the 3 use cases (end-user logging in, data exchange, API authentication)
  • Added the disadvantages you noted
  • Moved the decision outcome to above the options, for easier reading

Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 9 comments.


- **Security**: Should promote secure deployments.
- **Simplicity**: Should be as simple as possible to implement and deploy.

## Decision outcome
Copilot AI Dec 1, 2025

The section is titled "Decision outcome" but appears before the "Considered Options" section. Standard ADR format typically presents options first, then the decision. Consider either:

  1. Moving this section after "Considered Options", or
  2. Renaming it to "Proposal" or "Recommended Solution" to clarify this is the proposed approach being evaluated

Comment on lines +163 to +174
```
grant_type=urn:ietf:params:oauth:grant-type:token-exchange
&audience=<remote EHR system (remote OAuth2 issuer URL)>
&subject_token=<Dezi id_token>
&subject_token_type=urn:ietf:params:oauth:token-type:id_token
&actor_token=<Nuts subject ID>
&actor_token_type=nuts-subject-id
&requested_token_type=urn:ietf:params:oauth:token-type:access_token
&scope=<requested scopes>
&client_id=<EHR client ID>
&client_secret=<EHR client secret>
```
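Review bot: `actor_token_type=nuts-subject-id` is not a URI, while every other token type in this request uses the `urn:ietf:params:oauth:token-type:` form; RFC 8693 token type identifiers are URIs, so define a URI for this type. `actor_token=<Nuts subject ID>` also carries a bare identifier where RFC 8693 expects a security token representing the acting party, so the ADR should state how Knooppunt verifies that the authenticated `client_id` is allowed to act as that Nuts subject.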
Copilot AI Dec 1, 2025

Inconsistent formatting: The code block at lines 104-111 uses a multi-line format with ampersands on new lines and leading spaces, while the code block at lines 163-174 uses the same multi-line format. However, both should clarify that this is illustrative formatting for readability, as actual OAuth2 requests would be URL-encoded on a single line or properly formatted as HTTP requests.

Member Author

@copilot open a new pull request to apply changes based on this feedback
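
The wire format referred to in the review comment above, as an added example that is not part of the PR or the ADR: the token-exchange parameters from the snippet are form-encoded into a single-line body, with the RFC 8693 presence rules checked first. The host, path, and all parameter values are constructed placeholders.

```python
from urllib.parse import urlencode

GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
REQUIRED = ("grant_type", "subject_token", "subject_token_type")

# Constructed sample values standing in for the <placeholders> in the ADR snippet.
SAMPLE = {
    "grant_type": GRANT,
    "audience": "https://remote-ehr.example/oauth2",
    "subject_token": "eyJ.constructed.token",
    "subject_token_type": "urn:ietf:params:oauth:token-type:id_token",
    "actor_token": "subject-123",
    "actor_token_type": "nuts-subject-id",
    "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
    "scope": "scope-a scope-b",
    "client_id": "ehr-client",
    "client_secret": "constructed-secret",
}

def build_body(params: dict) -> str:
    """Return the application/x-www-form-urlencoded body for a token exchange."""
    missing = [k for k in REQUIRED if not params.get(k)]
    if missing:
        raise ValueError(f"missing required parameter(s): {missing}")
    if params["grant_type"] != GRANT:
        raise ValueError("grant_type is not the token-exchange grant")
    # RFC 8693: actor_token_type is required with actor_token and forbidden without it.
    if bool(params.get("actor_token")) != bool(params.get("actor_token_type")):
        raise ValueError("actor_token and actor_token_type must be sent together")
    # urlencode percent-encodes ':' and '/' and turns spaces into '+'; the
    # multi-line layout in the ADR never appears on the wire.
    return urlencode(params)

def build_http_request(host: str, path: str, params: dict) -> str:
    """Render the full HTTP/1.1 request text (host and path are hypothetical)."""
    body = build_body(params)
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body.encode())}\r\n"
        "\r\n"
        f"{body}"
    )

if __name__ == "__main__":
    print(build_http_request("knooppunt.example", "/token", SAMPLE))
```
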

&client_id=<EHR client ID>
&client_secret=<EHR client secret>
&dezi_id_token=<Dezi id_token> (optional)
&nuts_subject_id=<Nuts subject ID>
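Review bot: `&dezi_id_token=<Dezi id_token> (optional)` puts the annotation inside the request text, where it reads as part of the parameter value; move the optional/required status into a parameter description below the block. That description should also say what Knooppunt validates on the Dezi id_token when it is present and what the request means when it is absent.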
Copilot AI Dec 1, 2025

The parameter dezi_id_token is marked as optional but nuts_subject_id is not. The description doesn't clarify whether nuts_subject_id is always required or only in specific scenarios. Consider documenting when each parameter is required/optional.

Suggested change
&nuts_subject_id=<Nuts subject ID>
&nuts_subject_id=<Nuts subject ID> (required; always needed to identify the organization or end-user context)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Contributor

Copilot AI commented Dec 1, 2025

@reinkrul I've opened a new pull request, #270, to work on those changes. Once the pull request is ready, I'll request review from you.

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>