We protect the PACS server with OpenID Connect, the same way corporate SSO does. The stack is OpenResty (nginx + Lua) with Keycloak as the OpenID provider; https://github.com/zmartzone/lua-resty-openidc handles authentication inside nginx. A simple solution that works well, unlike others we've tried.
We avoid CORS issues by proxying all services through a single host: every service is reached via the `viewer` container, which combines OpenResty and the OHIF viewer, so the browser only ever talks to one origin and no cross-origin requests are made.
Adjust `session.cookie.renew` and `session.cookie.lifetime` for session timing. Set the cookie domain through the fourth argument of `authenticate()` (the session options table):

```lua
local session_opts = { cookie = { domain = ".mydomain.com" } }
```
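The following nginx configuration is an added example, not the project's own `nginx.conf`. It shows how the single-host proxy and the session settings above fit together: one `access_by_lua_block` gates every location, so the OHIF viewer, the Orthanc API and the callback all share one origin, and the session options table passed as the fourth argument of `authenticate()` carries the cookie domain, lifetime and renew values. It assumes Keycloak is reachable from the viewer container as `http://keycloak:8080` (an older Keycloak release with the `/auth` prefix; drop it on newer releases), Orthanc as `http://orthanc:8042`, the realm `imagingrealm` and client `imaging` from the setup steps, the client secret exported into the container as `OPENID_CLIENT_SECRET`, and lua-resty-session 2.x option names (the `cookie.renew`/`cookie.lifetime` names the README uses). The hostnames, paths and the `X-USER` header are assumptions for illustration.

```nginx
# Added example configuration (not the project's nginx.conf). All host names,
# paths and the X-USER header name below are assumptions for illustration.
env OPENID_CLIENT_SECRET;            # make the env var visible to os.getenv() in Lua

http {
    lua_shared_dict discovery 1m;    # caches the OpenID discovery document
    lua_shared_dict jwks 1m;         # caches Keycloak's token-signing keys
    resolver 127.0.0.11;             # Docker's embedded DNS (assumption), so "keycloak"/"orthanc" resolve

    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate     /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        # One gate in front of every location below: viewer, API and the
        # /redirect_uri callback are all on this host, so nothing is cross-origin.
        access_by_lua_block {
            local opts = {
                -- Relative path; lua-resty-openidc handles it itself. Register the
                -- absolute form (https://localhost/redirect_uri) in Keycloak.
                redirect_uri = "/redirect_uri",
                discovery = "http://keycloak:8080/auth/realms/imagingrealm/.well-known/openid-configuration",
                client_id = "imaging",
                client_secret = os.getenv("OPENID_CLIENT_SECRET"),  -- never hard-code it here
                scope = "openid",
                -- Keep only the id_token in the session; Orthanc does not need the access token.
                session_contents = { id_token = true },
            }

            -- Fourth argument of authenticate(): lua-resty-session options.
            local session_opts = {
                cookie = {
                    domain   = ".mydomain.com",  -- share the session across sub-domains
                    lifetime = 3600,             -- absolute session lifetime, seconds
                    renew    = 600,              -- re-issue the cookie when under 600 s remain
                    secure   = true,             -- only send over HTTPS
                    httponly = true,             -- not readable from JavaScript
                    samesite = "Lax",            -- still allows the top-level redirect back from Keycloak
                },
            }

            local res, err = require("resty.openidc").authenticate(opts, nil, nil, session_opts)
            if err then
                ngx.status = 500
                ngx.say(err)
                ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
            end

            -- Pass the authenticated identity to the back ends (header name is an assumption).
            ngx.req.set_header("X-USER", res.id_token.preferred_username or "")
        }

        # OHIF viewer build, served as static files.
        location / {
            root /usr/share/nginx/html;
            try_files $uri $uri/ /index.html;
        }

        # Orthanc REST API, e.g. /pacs/series -> http://orthanc:8042/series
        location /pacs/ {
            proxy_pass http://orthanc:8042/;
            proxy_set_header Host $host;
        }
    }
}
```

Unauthenticated requests to any location are redirected to Keycloak and come back through `/redirect_uri` on the same host. The `lua_shared_dict` entries are required by lua-resty-openidc for caching discovery data and keys; the Orthanc admin UI location is left out because its asset paths depend on how the project rewrites them.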
```
docker-compose up --build
```

Allow time for container startup and Keycloak DB initialization; the initial start may take a minute. There is no special start-up synchronization between the containers, so if it hangs, check the logs:

```
docker-compose logs -f
```

Restart if needed:

```
docker-compose restart
```
Setup in Keycloak:

- Open the Keycloak admin console at http://localhost:3333 (credentials are in `docker-compose.yml`).
- Create the realm `imagingrealm` (top left, "Add realm" in the dropdown).
- Create the client `imaging` with Redirect URL `*`, access-type `confidential`, Web Origins `+`. The `*` redirect URL is for development only: in production restrict Valid Redirect URIs to the exact callback nginx uses (for example `https://localhost/redirect_uri`), otherwise an authorization code can be sent to an attacker-chosen page.
- Copy the client secret (shown under the client's `Credentials` tab once the access type is confidential) into `openid-keycloak-secrets.env` as the variable `OPENID_CLIENT_SECRET`.
- Create a user and set a password under `Credentials`; this user can then reach the nginx-protected resources through OpenIDC.
- Restart nginx to pick up the new secret:

```
docker-compose stop viewer
docker-compose up -d
```
- Admin console: http://localhost/pacs-admin/ Upload DICOM files here (upload button, top right), and don't forget to press `Start upload`.
- OHIF viewer: http://localhost/ Connected to Orthanc.
- API example: http://localhost/pacs/series Calls the Orthanc REST API through the proxy.
A self-signed SSL certificate and its private key are included for development only. DO NOT USE them in production: the private key is public in this repo, so anyone who has cloned it can impersonate the server. Regenerate the pair for production (the command below produces another self-signed certificate; use a CA-issued one where browsers must trust it without a manual exception):

```
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout nginxenv/ssl/nginx.key -out nginxenv/ssl/nginx.crt
```