Difference between revisions of "SMART on FHIR Apps"
From Hiasobi - FHIR
Brett Esler (Talk | contribs) |
Brett Esler (Talk | contribs) |
||
| (19 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
| − | = | + | =Hiasobi SMART on FHIR R4= |
| − | * | + | * Implements SMART App Launch Framework as per http://www.hl7.org/fhir/smart-app-launch/ |
| − | * | + | * Auth service is built into Oridashi Hiasobi with the following features: |
| − | * | + | ** Logged in user clinical system identity is used for authorisation (user authentication) |
| − | * | + | ** Direct login with Oridashi customer credentials may be performed (where user is not logged into clinical system) |
| − | * | + | ** Scopes supported are as per Oridashi Hiasobi capability statement read only for admin/health record + support for write document delivery/appointments |
| − | * | + | |
| − | + | ||
| − | = | + | =Registering Applications= |
| − | * | + | * Each customer has a self-managed application register |
| − | * | + | * Registering application launch and redirect urls is needed to ensure secure launch of applications (Auth service confirms) |
| − | + | * Access application manager at https://hiasobi-manager.azurewebsites.net/ login using customer credentials (see below for evaluation) | |
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | + | ||
| − | * | + | |
| − | + | ||
| − | = | + | =Evaluation Suite= |
| − | * | + | * Deploy evaluation adapter to desktop from http://oridashi.com.au/install/OridashiAdapterR4/OridashiAdapterR4.application |
| − | * | + | * Login to https://hiasobi-manager.azurewebsites.net/ to register applications using credentials '''samples2''' / '''67763F1A6A6146D9B5ADA858''' |
| + | * NOTE: this is visible to all evaluators if you require a private space let us know | ||
| + | * Each customer has their own self managed apps register | ||
| + | * See the registered sample application | ||
| + | ** Id: 4ae955ea-3a6c-4128-8f7b-0d45ca4e4fff | ||
| + | ** Display: Smart App Tester (R4) - sample javascript on these pages | ||
| + | ** Launch Url: https://oridashi.com.au/site/apps/smart-launch2.html (launch sequence, find auth server, redirect to auth server) | ||
| + | ** Redirect Url: https://oridashi.com.au/site/apps/smart-index2.html (destination redirect from auth server, token exchange for access token, example FHIR service call) | ||
| + | ** A Javascript Library is supplied implementing launch and token exchange sequence https://oridashi.com.au/site/apps/smart2.js and used in the example app | ||
| + | * Registered apps appear in the evaluation adapter (right click menu; refresh on restart of adapter) | ||
| − | == | + | =Hiasobi Identity Scheme= |
| − | + | ||
| − | + | Scope Request ('''fhirUser'''), | |
| + | Response: '''id_token''' | ||
| + | * user claim details | ||
| + | * id_token contains a JWT (JSON web token) | ||
| + | * See: https://github.com/smart-on-fhir/smart-on-fhir.github.io/blob/master/authorization/smart-on-fhir-jwt-examples.ipynb | ||
| + | * Example token exchange response includes JWT in id_token | ||
| + | <pre> | ||
| + | { | ||
| + | "access_token":"ZTQyNzVmOTctMGQxYy00NjZmLTgxM2MtNzk4Nzg0OTI0ODIx", | ||
| + | "token_type":"Bearer", | ||
| + | "expires_in":"86361", | ||
| + | "scope":null, | ||
| + | "state":"28564762", | ||
| + | "patient":"36", | ||
| + | "encounter":null, | ||
| + | "location":null, | ||
| + | "resource":null, | ||
| + | "id_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDo4MTAyIiwic3ViIjoidGVzdFxcODAwMzYxMDgzMzM0MDg1MFxcMSIsImF1ZCI6Imh0dHBzOi8vb3JpZGFzaGkuY29tLmF1L3NpdGUvYXBwcy9zbWFydC1pbmRleC5odG1sIiwiZXhwIjoiMTQ2MTIwODIyMCJ9.CJxYaBP5K0gJLVZaVhyIYhc1RSqDLrm8coWlNs0AbXOrDhCRWssd7FsBoNDZNwXg8E+uW6XtpTFKSysdqJe55Tb0GKUqlMu1a+EqiApW46tBe5b67j//JkH/qRrdhM7ywZxebVzwgtuIa7EOJ59fqT4DgA6XadRsUP1nzo7OB+tYKLZnXMXGAVwVnFM527Hu4MjWyBExBkF2kPlX5ggu42tNfS+zPM1w3tZKjvnskpCv67F08SzMK0kkjaFeuCdO8fM1gqJnQPjkN36QXA8rUn3z8HsDZ1LJevUwHfOqEKEOaL1/hjKn9rmbE7w3rJs3/S9jB43W3V4V0dacVufBbQ==", | ||
| + | "refresh_token":null | ||
| + | } | ||
| + | </pre> | ||
| + | |||
| + | '''Example''' - decoded JWT example; this is a signed JWT with Oridashi certificate | ||
| + | |||
| + | <pre> | ||
| + | { | ||
| + | "iss":"https://localhost.oridashi.com.au:8102", | ||
| + | "sub":"verified\bp.8003628233355286\1", | ||
| + | "aud":"https://oridashi.com.au/site/apps/smart-index.html", | ||
| + | "exp":"1460979592", | ||
| + | "name":"Frederick Smith", | ||
| + | "profile":"https://localhost:8102/Practitioner/1" | ||
| + | } | ||
| + | </pre> | ||
| + | |||
| + | |||
| + | '''Structure''' - "sub" is the subject of the claim globally unique user identifier | ||
| + | <id status>\<clinical system id>.<site identifer>\<practitioner id> | ||
| + | |||
| + | '''<id status>''' | ||
| + | [verified|unverified|test] | ||
| + | a) 'test':samples/test mode; samples use always marked test to avoid production mismatch | ||
| + | b) 'verified': by certificate check; only HPI-O can be verified by certificate | ||
| + | c) 'unverified': asserted site id; only windows domain SID or generated instance identity | ||
| + | |||
| + | |||
| + | '''<clinical system id>''' | ||
| + | [md|bp|zedmed|genie|mt] - system type identifier | ||
| + | |||
| + | '''<site identifier>''' | ||
| + | a) HPIO as entered and validated against installed eHealth certificate e.g. 8003628233355286 | ||
| + | b) Windows domain SID where present e.g. S-1-5-21-7375663-6890924511-1272660413-2944159 | ||
| + | c) Ad-hoc uniquely generated site identifier e.g. 57401CE7C397337ABB1B1D237875CCC6 | ||
| + | |||
| + | '''<practitioner id>''' - internal site resource identifier string for the associated user Practitioner | ||
| + | |||
| + | '''Examples''' | ||
| + | * verified\bp.8003628233355286\1 | ||
| + | * unverified\md.S-1-5-21-7375663-6890924511-1272660413-2944159\3 | ||
| + | * unverified\zedmed.57401CE7C397337ABB1B1D237875CCC6\ADM | ||
| + | * test\bp.8003628233355311\4 | ||
Latest revision as of 18:48, 19 March 2019
Contents
Hiasobi SMART on FHIR R4
- Implements SMART App Launch Framework as per http://www.hl7.org/fhir/smart-app-launch/
- Auth service is built into Oridashi Hiasobi with the following features:
- Logged in user clinical system identity is used for authorisation (user authentication)
- Direct login with Oridashi customer credentials may be performed (where user is not logged into clinical system)
- Scopes supported are as per Oridashi Hiasobi capability statement read only for admin/health record + support for write document delivery/appointments
Registering Applications
- Each customer has a self-managed application register
- Registering application launch and redirect urls is needed to ensure secure launch of applications (Auth service confirms)
- Access application manager at https://hiasobi-manager.azurewebsites.net/ login using customer credentials (see below for evaluation)
Evaluation Suite
- Deploy evaluation adapter to desktop from http://oridashi.com.au/install/OridashiAdapterR4/OridashiAdapterR4.application
- Login to https://hiasobi-manager.azurewebsites.net/ to register applications using credentials samples2 / 67763F1A6A6146D9B5ADA858
- NOTE: this is visible to all evaluators if you require a private space let us know
- Each customer has their own self managed apps register
- See the registered sample application
- Id: 4ae955ea-3a6c-4128-8f7b-0d45ca4e4fff
- Display: Smart App Tester (R4) - sample javascript on these pages
- Launch Url: https://oridashi.com.au/site/apps/smart-launch2.html (launch sequence, find auth server, redirect to auth server)
- Redirect Url: https://oridashi.com.au/site/apps/smart-index2.html (destination redirect from auth server, token exchange for access token, example FHIR service call)
- A Javascript Library is supplied implementing launch and token exchange sequence https://oridashi.com.au/site/apps/smart2.js and used in the example app
- Registered apps appear in the evaluation adapter (right click menu; refresh on restart of adapter)
Hiasobi Identity Scheme
Scope Request (fhirUser), Response: id_token
- user claim details
- id_token contains a JWT (JSON web token)
- See: https://github.com/smart-on-fhir/smart-on-fhir.github.io/blob/master/authorization/smart-on-fhir-jwt-examples.ipynb
- Example token exchange response includes JWT in id_token
{
"access_token":"ZTQyNzVmOTctMGQxYy00NjZmLTgxM2MtNzk4Nzg0OTI0ODIx",
"token_type":"Bearer",
"expires_in":"86361",
"scope":null,
"state":"28564762",
"patient":"36",
"encounter":null,
"location":null,
"resource":null,
"id_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDo4MTAyIiwic3ViIjoidGVzdFxcODAwMzYxMDgzMzM0MDg1MFxcMSIsImF1ZCI6Imh0dHBzOi8vb3JpZGFzaGkuY29tLmF1L3NpdGUvYXBwcy9zbWFydC1pbmRleC5odG1sIiwiZXhwIjoiMTQ2MTIwODIyMCJ9.CJxYaBP5K0gJLVZaVhyIYhc1RSqDLrm8coWlNs0AbXOrDhCRWssd7FsBoNDZNwXg8E+uW6XtpTFKSysdqJe55Tb0GKUqlMu1a+EqiApW46tBe5b67j//JkH/qRrdhM7ywZxebVzwgtuIa7EOJ59fqT4DgA6XadRsUP1nzo7OB+tYKLZnXMXGAVwVnFM527Hu4MjWyBExBkF2kPlX5ggu42tNfS+zPM1w3tZKjvnskpCv67F08SzMK0kkjaFeuCdO8fM1gqJnQPjkN36QXA8rUn3z8HsDZ1LJevUwHfOqEKEOaL1/hjKn9rmbE7w3rJs3/S9jB43W3V4V0dacVufBbQ==",
"refresh_token":null
}
Example - decoded JWT example; this is a signed JWT with Oridashi certificate
{
"iss":"https://localhost.oridashi.com.au:8102",
"sub":"verified\bp.8003628233355286\1",
"aud":"https://oridashi.com.au/site/apps/smart-index.html",
"exp":"1460979592",
"name":"Frederick Smith",
"profile":"https://localhost:8102/Practitioner/1"
}
Structure - "sub" is the subject of the claim globally unique user identifier
<id status>\<clinical system id>.<site identifer>\<practitioner id>
<id status>
[verified|unverified|test] a) 'test':samples/test mode; samples use always marked test to avoid production mismatch b) 'verified': by certificate check; only HPI-O can be verified by certificate c) 'unverified': asserted site id; only windows domain SID or generated instance identity
<clinical system id>
[md|bp|zedmed|genie|mt] - system type identifier
<site identifier>
a) HPIO as entered and validated against installed eHealth certificate e.g. 8003628233355286 b) Windows domain SID where present e.g. S-1-5-21-7375663-6890924511-1272660413-2944159 c) Ad-hoc uniquely generated site identifier e.g. 57401CE7C397337ABB1B1D237875CCC6
<practitioner id> - internal site resource identifier string for the associated user Practitioner
Examples
- verified\bp.8003628233355286\1
- unverified\md.S-1-5-21-7375663-6890924511-1272660413-2944159\3
- unverified\zedmed.57401CE7C397337ABB1B1D237875CCC6\ADM
- test\bp.8003628233355311\4
