Difference between revisions of "201709 Consumer Centered Data Exchange Implementation Notes for test.fhir.org"
Revision as of 22:16, 3 August 2017
Using test.fhir.org as the target EHR
i.e. information flows from another server into test.fhir.org
Sequence of steps:
- get the test.fhir.org JWT
- authorize the JWT on the other server
- Ask test.fhir.org to start copying data
- find out how copying data is going
- stop copying data
Acquiring test.fhir.org's JWT
You get the JWT by:
GET http://test.fhir.org/r3/$jwt?source=[uri]
Where [uri] is the address of the source system. source is a mandatory parameter, though its value makes no difference to test.fhir.org.
This returns a 200 OK with a body of content type application/jwt:
eyJhbGciIDogIlJTMjU2Iiwia2lkIiA6ICIvYXV0aF9rZXkiLCJ0eXAiIDogIkpXVCJ9.eyJleHAiIDogMTUwMTg2MzE3MCwiaWF0IiA6ICIxNTAxNzc2NzcwIiwiaXNzIiA6ICJsb2NhbC5maGlyLm9yZyIsInN1YiIgOiAibG9jYWwuZmhpci5vcmcifQ.RWhQyMf1Cr90kn1RtjV-BGAbi1lWobE0RQWTwYl_mBMcB8v4hpUzcjlay3miPRBrzxGYxhr0RPecv8zkk5KiGk_8VrVxqk21YGKjKoqXdi9fGkLuc4vw_sj_Nt6vDS3zdEyIYLMVELvu74Vemt2p16brQ-xKpJ-1PdUF8EVYI3n5r_b6xH6HcP9xgmSun38yDC-KbkfBYatdwZsVrnd2-VrOHBM-E8P44fu9-GQNyirvdD6rdpQQGtfcDyf4G940AJfW9WHUWLlWTyQ0uhYn1DD46Pc5wMqzHcja43u5O7r7g5oWxZ9Iiidq9tUV8UaGp_h2ejzdUds9uVA7Hd3VyVSBVUmIN-3oVH31-6o_MCKqeKOwB-Y9qFsN_8MTf77HS1xHXLeC4VPyKdk0rmb-v49b6_3DwI7SXLwYJu19kkqVWywHam-6_qaowB-8emdk-iE1QX9DXjna81CLGyFdsOPZ7kQEWlZrgsz7RmvLxrrJ0b8os8aqCW-3i7UDqUFIKXnvKwFPfsf7RMp_ruvxyyfIIcaI0T9RjZicME2-JBC3EoRTzAXkG9htX1KDe9vH3fcSTcjiCQ75gcGkKZWWDaN-6SV4itzoiFm0Re99E4mWmkQVj289y6jRAOercvioygyvUbgQ4rpLbZv1i2A5orx0Ze-6opc9Z1hGAQLcLn0
(note that some browsers don't like this content type in the return body)
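Before handing the JWT to another server's $authorize operation it is worth looking at what it actually says. The following is an added example (not code from test.fhir.org or this page) that splits the compact JWS shown above into its header and claims without verifying the signature, and works out the token's lifetime. The decode is inspection only: the RS256 signature still has to be verified against the issuer's public key (the header names it by kid "/auth_key") before any claim is trusted. The PAGE_JWT constant is the token printed above; the helper names are this example's own.

```python
import base64
import json
import time

# The JWT returned by GET http://test.fhir.org/r3/$jwt?source=[uri], copied from the page.
PAGE_JWT = (
    "eyJhbGciIDogIlJTMjU2Iiwia2lkIiA6ICIvYXV0aF9rZXkiLCJ0eXAiIDogIkpXVCJ9."
    "eyJleHAiIDogMTUwMTg2MzE3MCwiaWF0IiA6ICIxNTAxNzc2NzcwIiwiaXNzIiA6ICJsb2NhbC5maGlyLm9yZyIsInN1YiIgOiAibG9jYWwuZmhpci5vcmcifQ."
    "RWhQyMf1Cr90kn1RtjV-BGAbi1lWobE0RQWTwYl_mBMcB8v4hpUzcjlay3miPRBrzxGYxhr0RPecv8zkk5KiGk_8VrVxqk21YGKjKoqXdi9fGkLuc4vw_sj_Nt6vDS3zdEyIYLMVELvu74Vemt2p16brQ-xKpJ-1PdUF8EVYI3n5r_b6xH6HcP9xgmSun38yDC-KbkfBYatdwZsVrnd2-VrOHBM-E8P44fu9-GQNyirvdD6rdpQQGtfcDyf4G940AJfW9WHUWLlWTyQ0uhYn1DD46Pc5wMqzHcja43u5O7r7g5oWxZ9Iiidq9tUV8UaGp_h2ejzdUds9uVA7Hd3VyVSBVUmIN-3oVH31-6o_MCKqeKOwB-Y9qFsN_8MTf77HS1xHXLeC4VPyKdk0rmb-v49b6_3DwI7SXLwYJu19kkqVWywHam-6_qaowB-8emdk-iE1QX9DXjna81CLGyFdsOPZ7kQEWlZrgsz7RmvLxrrJ0b8os8aqCW-3i7UDqUFIKXnvKwFPfsf7RMp_ruvxyyfIIcaI0T9RjZicME2-JBC3EoRTzAXkG9htX1KDe9vH3fcSTcjiCQ75gcGkKZWWDaN-6SV4itzoiFm0Re99E4mWmkQVj289y6jRAOercvioygyvUbgQ4rpLbZv1i2A5orx0Ze-6opc9Z1hGAQLcLn0"
)


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def inspect_jwt(token: str) -> dict:
    """Split a compact JWS into header, claims and signature WITHOUT verifying it.

    This is inspection only. Nothing here proves the token came from the issuer;
    that needs a signature check with the key the header's 'kid' points at.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature, got %d segments" % len(parts))
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    signature = b64url_decode(parts[2])
    # RS256 signatures are as long as the RSA modulus, so the length tells you the key size.
    return {"header": header, "claims": claims, "signature_bytes": len(signature)}


def token_lifetime(claims: dict) -> int:
    """Return exp - iat in seconds.

    The page's token carries 'exp' as a JSON number but 'iat' as a string,
    so both are coerced with int() rather than assuming a type.
    """
    return int(claims["exp"]) - int(claims["iat"])


def is_expired(claims: dict, now=None) -> bool:
    """True once the 'exp' instant (seconds since the epoch) has been reached."""
    now = int(time.time()) if now is None else int(now)
    return now >= int(claims["exp"])


if __name__ == "__main__":
    info = inspect_jwt(PAGE_JWT)
    print("header :", info["header"])
    print("claims :", info["claims"])
    print("lifetime (s):", token_lifetime(info["claims"]))
    print("expired now?:", is_expired(info["claims"]))
```

Running this against the page's token shows an RS256 header, issuer and subject both local.fhir.org, and a one-day lifetime; run today it reports the token as expired, which is exactly the check a receiving server should make before accepting the JWT in $authorize.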
Using test.fhir.org as the source EHR
Sequence of steps:
- set up a consent on test.fhir.org
- get a JWT from some other system
- connect that JWT to the consent using the $authorize function
Consent
Use this consent resource as the base for authorization (post it to the server, record the id that the server assigns):
<Consent xmlns="http://hl7.org/fhir">
  <status value="active"/>
  <patient>
    <reference value="Patient/example"/>
  </patient>
  <policyRule value="http://hl7.org/fhir/ConsentDefinition/simple-oauth"/>
  <except>
    <type value="permit"/>
    <action>
      <coding>
        <system value="http://hl7.org/fhir/consentaction"/>
      </coding>
    </action>
    <class>
      <system value="http://smarthealthit.org/fhir/scopes"/>
    </class>
  </except>
</Consent>
Notes:
- You can change the patient, but it must be a patient that exists on the server. If you logged in via SMART on FHIR and chose a particular patient during the login, the consent must refer to that patient.
- You can use JSON instead if you want.
Authorization
This is what you post to the server as the body of the $authorize operation (this time in JSON):
POST http://test.fhir.org/r3/Consent/[id]/$authorize
{
  "resourceType" : "Parameters",
  "parameter" : [
    {
      "name" : "duration",
      "valueDuration" : {
        "value" : "3",
        "system" : "http://unitsofmeasure.org",
        "code" : "mo"
      }
    },
    {
      "name" : "jwt",
      "valueString" : "{packed JWT from the target server}"
    }
  ]
}
The response contains a key value: the authorization token:
{
  "resourceType": "Parameters",
  "parameter": [
    {
      "name": "Message",
      "valueString": "Application Validation is not implemented yet"
    },
    {
      "name": "id",
      "valueId": "a81de03d-cfad-462d-a81b-3f8254909622"
    }
  ]
}
Acquiring an Access Token
Once $authorize has been called, the target EHR may acquire an access token for the FHIR API:
POST http://test.fhir.org/auth/token
Authorization: Bearer [JWT]
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&scope=[id]
where [JWT] is the JWT provided to $authorize in the previous step and [id] is the token (the "id" parameter) returned from the $authorize operation above.
The response will be:
{
  "access_token": "urn:oauth:e8a4131c-1c04-4c2f-aba0-985ce472b90d",
  "token_type": "Bearer",
  "expires_in": "7621372",
  "id_token": null,
  "scope": "User/*.*",
  "patient": "example"
}
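The three source-side exchanges above ($authorize request, $authorize response, token request and response) are easy to get subtly wrong, so here is an added example, written for this page rather than taken from test.fhir.org, that builds the $authorize Parameters body, pulls the "id" out of the Parameters response regardless of which value[x] element carries it, assembles the client_credentials request exactly as the page describes (JWT as Bearer, the $authorize id as the scope), and validates the token response before the token is used. The two response bodies are the ones printed on this page, embedded as constructed sample input; the function names and the requests-free "request description" dict are this example's own conventions, and no network call is made.

```python
import json
from urllib.parse import urlencode

TOKEN_ENDPOINT = "http://test.fhir.org/auth/token"  # from the page

# $authorize response body as shown on the page (constructed sample input).
AUTHORIZE_RESPONSE = json.loads("""
{ "resourceType": "Parameters", "parameter": [
    { "name": "Message", "valueString": "Application Validation is not implemented yet" },
    { "name": "id", "valueId": "a81de03d-cfad-462d-a81b-3f8254909622" } ] }
""")

# Token response body as shown on the page (constructed sample input).
TOKEN_RESPONSE = json.loads("""
{ "access_token": "urn:oauth:e8a4131c-1c04-4c2f-aba0-985ce472b90d", "token_type": "Bearer",
  "expires_in": "7621372", "id_token": null, "scope": "User/*.*", "patient": "example" }
""")


def authorize_parameters(jwt: str, months: int = 3) -> dict:
    """Build the Parameters resource POSTed to Consent/[id]/$authorize (shape from the page)."""
    if months <= 0:
        raise ValueError("duration must be positive")
    return {
        "resourceType": "Parameters",
        "parameter": [
            {"name": "duration",
             "valueDuration": {"value": str(months), "system": "http://unitsofmeasure.org", "code": "mo"}},
            {"name": "jwt", "valueString": jwt},
        ],
    }


def parameter_value(parameters: dict, name: str):
    """Return the value of the named parameter in a FHIR Parameters resource.

    FHIR uses value[x] (valueId, valueString, ...), so the key is found by prefix
    rather than hard-coding 'valueId'; a missing parameter is an error, not None.
    """
    if parameters.get("resourceType") != "Parameters":
        raise ValueError("not a Parameters resource")
    for param in parameters.get("parameter", []):
        if param.get("name") == name:
            for key, value in param.items():
                if key.startswith("value"):
                    return value
            raise ValueError("parameter %r carries no value[x]" % name)
    raise KeyError(name)


def token_request(jwt: str, authorization_id: str) -> dict:
    """Describe the client_credentials request from the page: JWT as Bearer, $authorize id as scope."""
    return {
        "method": "POST",
        "url": TOKEN_ENDPOINT,
        "headers": {
            "Authorization": "Bearer " + jwt,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": "client_credentials", "scope": authorization_id}),
    }


def check_token_response(resp: dict) -> dict:
    """Validate a token response before the access token is stored or used.

    The page's server returns expires_in as a string although RFC 6749 specifies a
    number, so it is coerced; token_type must be Bearer; the granted scope is returned
    so the caller can compare it with what it expected (here the server grants User/*.*).
    """
    if str(resp.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type %r" % resp.get("token_type"))
    if not resp.get("access_token"):
        raise ValueError("token response has no access_token")
    expires_in = int(resp["expires_in"])
    if expires_in <= 0:
        raise ValueError("token already expired")
    return {
        "access_token": resp["access_token"],
        "expires_in": expires_in,
        "scope": resp.get("scope", ""),
        "patient": resp.get("patient"),
    }


if __name__ == "__main__":
    body = authorize_parameters("{packed JWT from the target server}")
    auth_id = parameter_value(AUTHORIZE_RESPONSE, "id")
    print(json.dumps(body, indent=2))
    print(token_request("{packed JWT}", auth_id))
    print(check_token_response(TOKEN_RESPONSE))
```

Two points the code makes explicit: the value returned by $authorize is sent as the OAuth scope, so anyone holding the JWT and that id can obtain the token, and the token the server issues carries scope User/*.*, which is far broader than the single patient named in the consent; check_token_response hands that scope back so the caller can decide whether it is acceptable rather than silently using it.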