Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/andgineer/openidc-ohif-orthanc

OHIF Viewer with OpenID-Protected PACS Server (Orthanc)
https://github.com/andgineer/openidc-ohif-orthanc

docker docker-compose keycloak nginx ohif ohif-viewer openid-connect openresty orthanc pacs ssl sso

Last synced: 1 day ago
JSON representation

OHIF Viewer with OpenID-Protected PACS Server (Orthanc)

Host: GitHub
URL: https://github.com/andgineer/openidc-ohif-orthanc
Owner: andgineer
Created: 2023-03-15T08:34:45.000Z (over 1 year ago)
Default Branch: main
Last Pushed: 2024-11-04T05:21:26.000Z (11 days ago)
Last Synced: 2024-11-04T06:21:42.088Z (11 days ago)
Topics: docker, docker-compose, keycloak, nginx, ohif, ohif-viewer, openid-connect, openresty, orthanc, pacs, ssl, sso
Language: JavaScript
Homepage:
Size: 24.4 KB
Stars: 0
Watchers: 2
Forks: 2
Open Issues: 0
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

README

# OHIF Viewer with OpenID-Protected PACS Server (Orthanc)

This project implements a secure medical imaging viewer setup that protects the PACS Server using OpenID authentication (compatible with corporate SSO). The solution uses OpenResty (nginx + lua) and Keycloak for OpenID authentication, leveraging the [lua-resty-openidc](https://github.com/zmartzone/lua-resty-openidc) library.

## Features

- Single-host deployment eliminating CORS issues
- Corporate SSO integration via OpenID
- Streamlined service proxying through OpenResty
- OHIF Viewer integration with Orthanc PACS

## Architecture

### CORS Handling
All services are proxied through a single host (`viewer` container), which combines OpenResty and the OHIF viewer. This approach completely eliminates CORS-related issues by having all services available under one domain.

### Authentication Configuration
Session timing can be configured through the nginx configuration:
- Use `session.cookie.renew` to set renewal timing
- Use `session.cookie.lifetime` to set session duration

To set a custom cookie domain:
```lua
local session_opts = { cookie = { domain = ".mydomain.com" } }
```

## Deployment

### Quick Start
```bash
docker-compose up --build
```

**Note:** Initial startup may take a minute while Keycloak initializes its database. If the startup appears to hang, check the logs:
```bash
docker-compose logs -f
```

If needed, restart the stack:
```bash
docker-compose restart
```

### Keycloak Configuration

1. Access the Keycloak admin console at http://localhost:3333 (credentials in docker-compose.yml)
2. Create a new realm named `imagingrealm`:
- Use the realm dropdown (top left)
- Select "Add realm"
3. Create a client named `imaging` with the following settings:
- Redirect URL: `*`
- Access Type: `confidential`
- Web Origins: `+`
4. Copy the client secret from Keycloak to `openid-keycloak-secrets.env`:
- Set as `OPENID_CLIENT_SECRET`
5. Create a user account and set their password in the "Credentials" tab
6. Restart nginx to apply the new configuration:
```bash
docker-compose stop viewer
docker-compose up -d
```

## Access Points

- OHIF Viewer: http://localhost/
- Main viewer interface connected to Orthanc
- Admin Console: http://localhost/pacs-admin/
- Use to upload DICOM files (upload button in top right corner)
- API Example: http://localhost/pacs/series
- Demonstrates Orthanc API access

## Security Notes

### SSL Configuration
A development SSL key is included in this repository. **DO NOT USE IN PRODUCTION**.

Generate a new SSL key pair for production:
```bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout nginxenv/ssl/nginx.key \
-out nginxenv/ssl/nginx.crt
```