This project implements a secure medical imaging viewer setup that protects the PACS Server using OpenID authentication (compatible with corporate SSO). The solution uses OpenResty (nginx + lua) and Keycloak for OpenID authentication, leveraging the lua-resty-openidc library.
- Single-host deployment eliminating CORS issues
- Corporate SSO integration via OpenID
- Streamlined service proxying through OpenResty
- OHIF Viewer integration with Orthanc PACS
All services are proxied through a single host (the `viewer` container), which combines OpenResty and the OHIF viewer. This approach completely eliminates CORS-related issues by having all services available under one domain.
Session timing can be configured through the nginx configuration:
- Use `session.cookie.renew` to set renewal timing
- Use `session.cookie.lifetime` to set session duration

To set a custom cookie domain:

```lua
local session_opts = { cookie = { domain = ".mydomain.com" } }
```
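One way the session options above fit into an OpenResty location protected by lua-resty-openidc, as an added example rather than this project's own configuration. It assumes lua-resty-session 3.x option names, a legacy Keycloak `/auth` discovery path, a `/redirect_uri` callback, and hypothetical service hosts `keycloak` and `orthanc`; the timing values are samples.

```nginx
# Added example, not the project's own config. Hypothetical names: service
# hosts "keycloak" and "orthanc", the discovery URL path, /redirect_uri.
# nginx.conf main context needs:  env OPENID_CLIENT_SECRET;
# http context needs:             resolver 127.0.0.11;   (Docker's embedded DNS)

location /pacs/ {
    access_by_lua_block {
        local opts = {
            discovery = "http://keycloak:8080/auth/realms/imagingrealm/.well-known/openid-configuration",
            client_id = "imaging",
            -- read from the environment so the secret stays out of the config file
            client_secret = os.getenv("OPENID_CLIENT_SECRET"),
            redirect_uri = "/redirect_uri",
            scope = "openid",
        }

        -- lua-resty-session 3.x cookie options, times in seconds (sample values)
        local session_opts = {
            cookie = {
                domain   = ".mydomain.com",
                lifetime = 3600,  -- session.cookie.lifetime
                renew    = 600,   -- session.cookie.renew
            },
        }

        -- redirects unauthenticated browsers to Keycloak and returns the
        -- validated tokens once the user comes back with a valid session
        local res, err = require("resty.openidc").authenticate(opts, nil, nil, session_opts)
        if err then
            ngx.log(ngx.ERR, "OpenID authentication failed: ", err)
            return ngx.exit(ngx.HTTP_FORBIDDEN)
        end

        -- overwrite any client-supplied value with the authenticated subject
        ngx.req.set_header("X-Forwarded-User", res.id_token.sub)
    }

    # only reached after authenticate() succeeds
    proxy_pass http://orthanc:8042/;
}
```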
```bash
docker-compose up --build
```

Note: Initial startup may take a minute while Keycloak initializes its database. If the startup appears to hang, check the logs:

```bash
docker-compose logs -f
```

If needed, restart the stack:

```bash
docker-compose restart
```
- Access the Keycloak admin console at http://localhost:3333 (credentials in `docker-compose.yml`)
- Create a new realm named `imagingrealm`:
  - Use the realm dropdown (top left)
  - Select "Add realm"
- Create a client named `imaging` with the following settings:
  - Redirect URL: `*`
  - Access Type: `confidential`
  - Web Origins: `+`
- Copy the client secret from Keycloak to `openid-keycloak-secrets.env`:
  - Set as `OPENID_CLIENT_SECRET`
- Create a user account and set their password in the "Credentials" tab
- Restart nginx to apply the new configuration:

```bash
docker-compose stop viewer
docker-compose up -d
```
- OHIF Viewer: http://localhost/
  - Main viewer interface connected to Orthanc
- Admin Console: http://localhost/pacs-admin/
  - Use to upload DICOM files (upload button in top right corner)
- API Example: http://localhost/pacs/series
  - Demonstrates Orthanc API access
A development SSL key is included in this repository. DO NOT USE IN PRODUCTION.
Generate a new SSL key pair for production:
```bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout nginxenv/ssl/nginx.key \
  -out nginxenv/ssl/nginx.crt
```