Role-based Access Control Solution for GraphQL-based Fast Healthcare Interoperability Resources Health Application Programming Interface

Mohammed S. Baihan
DOI: 10.1109/HealthCom54947.2022.9982782 (https://doi.org/10.1109/HealthCom54947.2022.9982782)
Published in: 2022 IEEE International Conference on E-health Networking, Application & Services (HealthCom)
Publication date: 2022-10-17
Citations: 0

Abstract

Recently, GraphQL, a query language for Application Programming Interfaces (APIs), has attracted many organizations and implementers in different domains, including healthcare informatics, to adopt it as an alternative to Representational State Transfer (REST) APIs. It is believed that GraphQL overcomes some of the issues of REST APIs. However, GraphQL is also known for the security issues identified by the OWASP organization, specifically Broken Object Level Authorization (BOLA) and Broken Function Level Authorization (BFLA), which are fundamentally access control issues. Furthermore, to the best of our knowledge, no solution exists, in academia or industry, to protect GraphQL-based Fast Healthcare Interoperability Resources (FHIR) APIs against BOLA and BFLA. In this paper, we present a Role-based Access Control (RBAC) solution that intercepts all FHIR GraphQL requests in order to prevent the related BOLA and BFLA vulnerabilities. To validate our work, we implemented the RBAC solution as a server interceptor based on the HAPI FHIR reference implementation. Moreover, our evaluation showed that the proposed solution introduces minimal overhead.