How to authenticate users?

Out of the box, the embedded Web server of Orthanc supports HTTP Basic access authentication. To configure user authentication for Orthanc, make sure to properly set the following configuration options:

  • RemoteAccessAllowed to true.

  • AuthenticationEnabled to true.

  • In RegisteredUsers, assign a username and a password to all your users.

Important: Make sure to read the FAQ about how to secure Orthanc.

Once a user has logged in, she will have full access, in read-write mode, to all the features offered by the REST API of Orthanc. This built-in mechanism might be of limited usefulness in enterprise scenarios, for which you would need features such as:

  • Fine-grained access to the REST resources (e.g. restrict the URIs that are visible per user).

  • Read-only access (i.e. limit full access to a short list of trusted system administrators).

  • Integration with an LDAP server.

  • Handling groups of users.

Depending on your scenario, you can consider the following options:

  • Implement a Lua callback to filter incoming REST requests. This is the most simple solution, and would notably allow you to implement read-only access or, more generally, access control lists.

  • Develop a C/C++ plugin that uses the OrthancPluginRegisterIncomingHttpRequestFilter(), or a Python plugin that uses orthanc.RegisterIncomingHttpRequestFilter(). This solution is potentially useful if you wish to integrate with an LDAP server.

  • Use Orthanc as a reverse proxy (e.g. behind nginx, Apache, or Microsoft IIS), and use the authentication mechanisms of the main Web server.

  • Create a new Web user interface on the top of the REST API of Orthanc, using your favorite framework (Meteor, AngularJS, Ember.js, Node.js…).

  • Pass an authorization token in the url search params when opening the Orthanc Explorer.