
201709 Consumer Centered Data Exchange Implementation Notes for

From HL7Wiki

Using as the target EHR

e.g. information flows from another server to

Sequence of steps:

  1. Get the JWT
  2. Authorize the JWT on the other server
  3. Ask to start copying data
  4. Find out how copying data is going
  5. Stop copying data

Acquiring's JWT

You get the JWT by:


Where [uri] is the address of the source system. Source is a mandatory parameter, though it does not make any difference to

This returns a 200 OK with a body content type of application/jwt:


(Note that some browsers don't like this content type in the return body.)

Using as the source EHR

Sequence of steps:

  1. Set up consent on JWT
  2. Get a JWT from some other system
  3. Connect that JWT to the consent using the $authorize operation


Use this consent resource as the base for authorization (post it to the server, record the id that the server assigns):

<Consent xmlns=""> 
 <status value="active"/>
   <reference value="Patient/example"/>
 <policyRule value=""/>  
   <type value="permit"/>
       <system value=""/>
     <system value=""/>


  • You can change the patient, but it must be a patient that exists on the server. If you logged in via SMART on FHIR and chose a particular patient during the login, the consent must refer to that patient.
  • You can use JSON instead if you want.


This is what you post to the server as the body of the $authorize operation (this time in JSON):

 "resourceType" : "Parameters",
 "parameter" : [{
    "name" : "duration",
    "valueDuration" : {
      "value" : "3",
      "system" : "",
      "code" : "mo"
  }, {
    "name" : "jwt",
    "valueString" : "{packed JWT from the target server}"

The response contains a key value: the authorization token:

   "resourceType": "Parameters",
   "parameter": [
           "name": "Message",
           "valueString": "Application Validation is not implemented yet"
           "name": "id",
           "valueId": "a81de03d-cfad-462d-a81b-3f8254909622"

Acquiring an Access Token

Once $authorize has been called, the target EHR may acquire an access token for the FHIR API:

 Authorization: Bearer [JWT]
 Content-Type: application/x-www-form-urlencoded

where [JWT] is the JWT provided to $authorize in the previous step and [id] is the id returned from the $authorize operation above.

The response will be:


   "access_token": "urn:oauth:eebfa88c-af7d-4a45-a9ed-7ce090308e7c",
   "token_type": "Bearer",
   "expires_in": "7621907",
   "id_token": null,
   "scope": null,
   "patient": "example"