-
Notifications
You must be signed in to change notification settings - Fork 10
/
serverless.azure.example.yml
230 lines (205 loc) · 5.79 KB
/
serverless.azure.example.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
# This is an example of using Okta as the authorization server as part of a SMART/FHIR deployment.
# This serverless configuration file is for deploying the solution on Azure cloud services.
# It includes the following features:
# - standalone launch with launch parameters
# - a patient picker screen and OAuth2 scope selection and consent.
# - applicable proxies for properly handling public client authentication as well as returning launch parameters in a flexible way.
service: okta-smartfhir-auth-reference
#Don't include stuff from the aws or google folder
package:
exclude:
- aws/**
- google/**
- deploy/**
provider:
name: azure
runtime: nodejs12
region: West US 2
os: linux
stage: sandbox
apim:
apis:
- name: okta-smart-api
subscriptionRequired: false
displayName: Okta SMART Endpoints
description: Okta SMART Endpoints
protocols:
- https
path: ${self:provider.stage}
authorization: none
backends:
- name: smart-backend
url: api/smartendpoints
cors:
allowCredentials: false
allowedOrigins:
- "*"
allowedMethods:
- GET
- POST
allowedHeaders:
- "*"
exposeHeaders:
- "*"
environment:
#Once the solution is deployed for the first time, this will require update.
GATEWAY_URL: https://GRAB_REAL_VALUE_HERE
AUTHZ_ISSUER: YOUR OKTA AUTHZ ISSUER
AUTHZ_SERVER: AUTHZ SERVER ID
OKTA_ORG: YOUROKTAORG.oktapreview.com
STATE_COOKIE_SIGNATURE_KEY: JustPutAReallyLongValueHere!
EXPECTED_AUD_VALUE: ${self:provider.environment.GATEWAY_URL}
#TODO: Get rid of.
API_KEY: OKTA_API_KEY
PICKER_DISPLAY_NAME: Patient Picker
PICKER_CLIENT_ID: PATIENT_PICKER_CLIENT_ID
PICKER_CLIENT_SECRET: PATIENT_PICKER_SECRET
#Disable redirect_uri validation.
DISABLE_REDIRECT_URI_VALIDATION: true
CACHE_TABLE_NAME: 'refreshtokencache'
CACHE_TTL_MINS: 1440
#These will require update after first deployment
CACHE_ENDPOINT: YOUR_COSMOSDB_ENDPOINT_VALUE_HERE
CACHE_KEY: YOUR_PRIMARY_COSMOSDB_KEY_HERE
##UNCOMMENT THIS AFTER FIRST DEPLOYMENT!!
#Bug in serverless deploy: https://github.com/serverless/serverless-azure-functions/issues/516
# armTemplate:
# file: ./azure/cosmosdb_arm.json
# parameters:
# accountName:
# value: ${self:service}-${self:provider.stage}
#
# location:
# value: ${self:provider.region}
#
# databaseName:
# value: ${self:provider.environment.CACHE_TABLE_NAME}
#
# containerName:
# value: ${self:provider.environment.CACHE_TABLE_NAME}
#
# throughput:
# value: 400
plugins:
localPath: './azure/node_modules'
modules:
- serverless-azure-functions
#Azure functions
functions:
##AUTHORIZE ENDPOINTS
smart-authorize-proxy:
handler: ${self:provider.name}/authorize.authorizeHandler
events:
- http: true
authLevel: anonymous
route: smartendpoints/authorize
methods:
- get
apim:
api: okta-smart-api
backend: smart-backend
operations:
- method: GET
urlTemplate: /authorize
picker-oidc-callback:
handler: ${self:provider.name}/authorize.pickerCallbackHandler
events:
- http: true
authLevel: anonymous
route: smartendpoints/picker_oidc_callback
methods:
- get
apim:
api: okta-smart-api
backend: smart-backend
operations:
- method: GET
urlTemplate: /picker_oidc_callback
smart-proxy-callback:
handler: ${self:provider.name}/authorize.authorizeCallbackHandler
events:
- http: true
authLevel: anonymous
route: smartendpoints/smart_proxy_callback
methods:
- get
apim:
api: okta-smart-api
backend: smart-backend
operations:
- method: GET
urlTemplate: /smart_proxy_callback
##TOKEN ENDPOINT
smart-token-proxy:
handler: ${self:provider.name}/token.tokenHandler
events:
- http: true
authLevel: anonymous
route: smartendpoints/token
methods:
- post
apim:
api: okta-smart-api
backend: smart-backend
operations:
- method: GET
urlTemplate: /token
##PATIENT PICKER UI
patient_picker_get:
handler: ${self:provider.name}/patient_picker.patientPickerGetHandler
events:
- http: true
authLevel: anonymous
route: smartendpoints/patient_authorization
methods:
- get
apim:
api: okta-smart-api
backend: smart-backend
operations:
- method: GET
urlTemplate: /patient_authorization
patient_picker_post:
handler: ${self:provider.name}/patient_picker.patientPickerPostHandler
events:
- http: true
authLevel: anonymous
route: smartendpoints/patient_authorization
methods:
- post
apim:
api: okta-smart-api
backend: smart-backend
operations:
- method: POST
urlTemplate: /patient_authorization
##TOKEN HOOK
token_hook:
handler: ${self:provider.name}/token_hook.tokenHookHandler
events:
- http: true
authLevel: anonymous
route: smartendpoints/tokenhook
methods:
- post
apim:
api: okta-smart-api
backend: smart-backend
operations:
- method: POST
urlTemplate: /tokenhook
##MOCK PATIENT API
mock_patient_service:
handler: ${self:provider.name}/mock_patient_service.mockPatientServiceHandler
events:
- http: true
authLevel: anonymous
route: smartendpoints/patientMockService
methods:
- get
apim:
api: okta-smart-api
backend: smart-backend
operations:
- method: GET
urlTemplate: /patientMockService