It is often desirable for some requests to be permitted anonymously.
For example, on a FHIR endpoint that is SMART on FHIR enabled, the CapabilityStatement (/metadata endpoint) is often left unsecured so that clients can use it to discover the location of the authorization server.
In order to enable anonymous requests on a FHIR endpoint, the Allow Anonymous Access property should be enabled on the endpoint configuration.
When this setting is enabled, any requests that do not supply any credentials will be granted the authorities of the designated Anonymous user. By default this is a user with the username "ANONYMOUS", but this can be modified using the Anonymous Account Username setting.
It is important to realize that the Anonymous user is a user like any other user, although it will typically (but not necessarily) have fewer permissions than a normal user. Anonymous users must be granted the
ROLE_ANONYMOUS permission in order to distinguish them from regular users.
As an example, you might grant the anonymous user the
FHIR_CAPABILITIES permission so that unauthenticated users can access the FHIR endpoint CapabilityStatement (i.e. the metadata operation) but not grant any other permissions.
This user must be declared in an Inbound Security Module that is configured as a dependency of the endpoint module being secured.
There are several ways of doing this:
If you have multiple endpoints that should have different anonymous behaviour, it can be useful to create a dedicated anonymous account for this endpoint.
To create a dedicated anonymous account, use the user manager to create a new account. This account must be granted the