Getting started with OIDC for AWS HealthImaging
The following topics describe how to get started with OpenID Connect (OIDC) for AWS HealthImaging. They include the resources you must provision in your AWS account, creation of an OIDC-enabled HealthImaging datastore, and an example of how a DICOMweb client application interacts with an identity provider (IdP) and HealthImaging.
- Required AWS account resources
- Creating an OIDC-enabled datastore
- DICOMweb client interactions with identity providers
Setting up resources for OIDC
The following elements work together in a workflow to make an OIDC-authenticated DICOMweb request:
End user – A person using a DICOMweb viewer (for example, OHIF, SLIM, MONAI).
Client application (Relying Party) – The viewer that requests tokens and calls HealthImaging DICOMweb APIs.
OpenID Provider (IdP) – An OIDC/OAuth 2.0–compliant server (for example, Amazon Cognito, Okta, Auth0) that authenticates users and issues JWT access tokens.
HealthImaging datastore – A datastore configured for OIDC with a customer-managed Lambda authorizer that HealthImaging invokes on each DICOMweb request to validate the bearer token.
Note
We recommend completing these tasks before creating your OIDC-enabled HealthImaging datastore:
- Set up the IdP and define the scopes/claims you plan to use
- Create the Lambda authorizer (if using the Lambda option)
You must have the LambdaAuthorizerArn at datastore creation time. To enable a Lambda authorizer on an existing datastore, open an AWS Support case.
The access tokens must be JSON Web Tokens (JWTs), as issued under the OpenID Connect (OIDC) and OAuth 2.0 frameworks; it is the claims in these tokens that your authorizer uses to restrict client access to your APIs.
Setup steps
- Set up an authorization server (IdP)
  Configure an OIDC-compliant IdP to authenticate users and issue OAuth 2.0 Bearer tokens (JWTs) that your client application will send to HealthImaging.
- Define scopes on the IdP to control DICOMweb access
  Use OAuth 2.0 scopes (for example, read/search/write groupings appropriate for your viewer) to implement least-privilege access to your datastore via DICOMweb operations. Your authorizer maps the scopes (or the user's groups) carried in the token to IAM roles that enforce these permissions in HealthImaging.
- Create a token validation path
  Customer-managed Lambda authorizer – Create a Lambda function that validates JWTs from your IdP (signature against the IdP's signing keys, issuer, audience, and expiration) and returns the required claims together with the ARN of an IAM role to assume for the request. Give the function a resource-based policy that allows invocation by HealthImaging, and make sure it returns within 1 second (cache the IdP's signing keys rather than fetching them on every invocation).
- Create an OIDC-enabled HealthImaging datastore
  Create the datastore and provide the LambdaAuthorizerArn parameter. After creation, your client can call DICOMweb APIs with Authorization: Bearer <token> instead of SigV4. (SigV4 remains supported and unchanged.)
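The following is an added example of the token-validation path described in the steps above; it is not AWS's code and not the HealthImaging authorizer contract. It shows the checks a customer-managed Lambda authorizer has to make on a bearer JWT (algorithm allowlist, signature, issuer, audience, expiry/not-before) and how validated scopes are mapped to a single IAM role ARN. To run offline it uses HS256 with a constructed shared secret; tokens from a real IdP are normally RS256/ES256 and must be verified against the IdP's published JWKS. The issuer, audience, scope names, role ARNs, the event key read by the handler, and the shape of the returned object are all hypothetical placeholders.

```python
"""Added example (not AWS HealthImaging's own code): a stdlib-only sketch of
the JWT validation a customer-managed Lambda authorizer performs.

Assumptions (not from the page): HS256 with a constructed secret stands in
for the IdP's asymmetric keys; ISSUER, AUDIENCE, the scope names, the role
ARNs, the event key, and the response shape are hypothetical placeholders.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ISSUER = "https://idp.example.com/"          # assumed IdP issuer
AUDIENCE = "healthimaging-dicomweb"          # assumed token audience
SHARED_SECRET = b"constructed-demo-secret"   # stands in for the IdP signing key
ALLOWED_ALGS = {"HS256"}                     # never accept "none" or an unlisted alg
LEEWAY_SECONDS = 30

# Hypothetical least-privilege mapping from OAuth 2.0 scope to IAM role.
# Write is listed first so a token carrying both scopes gets the write role.
SCOPE_TO_ROLE = {
    "dicomweb:write": "arn:aws:iam::123456789012:role/HealthImagingDicomWebWrite",
    "dicomweb:read": "arn:aws:iam::123456789012:role/HealthImagingDicomWebRead",
}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims: dict, secret: bytes = SHARED_SECRET, alg: str = "HS256") -> str:
    """Constructed test helper: produce a signed JWT the way an IdP would."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class TokenError(Exception):
    pass


def validate_jwt(token: str, now: Optional[float] = None) -> dict:
    """Check alg, signature, iss, aud, exp and nbf; return the claims or raise."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError:  # covers base64, JSON and unpacking failures
        raise TokenError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenError("disallowed alg")
    expected = hmac.new(SHARED_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    if claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + LEEWAY_SECONDS:
        raise TokenError("expired")
    if now < claims.get("nbf", 0) - LEEWAY_SECONDS:
        raise TokenError("not yet valid")
    return claims


def authorize(authorization_header: str, now: Optional[float] = None) -> dict:
    """Validate the bearer token and pick the IAM role to assume for the request."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return {"isAuthorized": False, "reason": "no bearer token"}
    try:
        claims = validate_jwt(token, now)
    except TokenError as e:
        return {"isAuthorized": False, "reason": str(e)}
    scopes = set(claims.get("scope", "").split())
    role = next((arn for scope, arn in SCOPE_TO_ROLE.items() if scope in scopes), None)
    if role is None:
        return {"isAuthorized": False, "reason": "no DICOMweb scope"}
    # Assumed response shape: the role ARN plus the claims HealthImaging needs.
    return {"isAuthorized": True, "roleArn": role,
            "claims": {"sub": claims.get("sub"), "scope": claims.get("scope")}}


def lambda_handler(event, context):
    # Assumed event key; consult the HealthImaging authorizer contract for the real one.
    return authorize(event.get("authorizationToken", ""))
```

The function rejects before it maps: a token whose `alg` is not on the allowlist is refused before the signature is even checked, and a token that verifies but carries no DICOMweb scope is refused rather than mapped to a default role. Keep the verification cheap and the key material cached so the handler stays inside the 1-second budget.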