Latest revision as of 19:48, 19 March 2019

Hiasobi SMART on FHIR R4

Implements SMART App Launch Framework as per http://www.hl7.org/fhir/smart-app-launch/
Auth service is built into Oridashi Hiasobi with the following features:
- Logged in user clinical system identity is used for authorisation (user authentication)
- Direct login with Oridashi customer credentials may be performed (where user is not logged into clinical system)
- Scopes supported are as per Oridashi Hiasobi capability statement read only for admin/health record + support for write document delivery/appointments

Registering Applications

Each customer has a self-managed application register
Registering application launch and redirect urls is needed to ensure secure launch of applications (Auth service confirms)
Access application manager at https://hiasobi-manager.azurewebsites.net/ login using customer credentials (see below for evaluation)

Evaluation Suite

Deploy evaluation adapter to desktop from http://oridashi.com.au/install/OridashiAdapterR4/OridashiAdapterR4.application
Login to https://hiasobi-manager.azurewebsites.net/ to register applications using credentials samples2 / 67763F1A6A6146D9B5ADA858
NOTE: this is visible to all evaluators if you require a private space let us know
Each customer has their own self managed apps register
See the registered sample application
- Id: 4ae955ea-3a6c-4128-8f7b-0d45ca4e4fff
- Display: Smart App Tester (R4) - sample javascript on these pages
- Launch Url: https://oridashi.com.au/site/apps/smart-launch2.html (launch sequence, find auth server, redirect to auth server)
- Redirect Url: https://oridashi.com.au/site/apps/smart-index2.html (destination redirect from auth server, token exchange for access token, example FHIR service call)
- A Javascript Library is supplied implementing launch and token exchange sequence https://oridashi.com.au/site/apps/smart2.js and used in the example app
Registered apps appear in the evaluation adapter (right click menu; refresh on restart of adapter)

Hiasobi Identity Scheme

Scope Request (fhirUser), Response: id_token

user claim details
id_token contains a JWT (JSON web token)
See: https://github.com/smart-on-fhir/smart-on-fhir.github.io/blob/master/authorization/smart-on-fhir-jwt-examples.ipynb
Example token exchange response includes JWT in id_token

 
{
  "access_token":"ZTQyNzVmOTctMGQxYy00NjZmLTgxM2MtNzk4Nzg0OTI0ODIx",
  "token_type":"Bearer",
 "expires_in":"86361",
 "scope":null,
  "state":"28564762",
  "patient":"36",
  "encounter":null,
 "location":null,
  "resource":null,
  "id_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDo4MTAyIiwic3ViIjoidGVzdFxcODAwMzYxMDgzMzM0MDg1MFxcMSIsImF1ZCI6Imh0dHBzOi8vb3JpZGFzaGkuY29tLmF1L3NpdGUvYXBwcy9zbWFydC1pbmRleC5odG1sIiwiZXhwIjoiMTQ2MTIwODIyMCJ9.CJxYaBP5K0gJLVZaVhyIYhc1RSqDLrm8coWlNs0AbXOrDhCRWssd7FsBoNDZNwXg8E+uW6XtpTFKSysdqJe55Tb0GKUqlMu1a+EqiApW46tBe5b67j//JkH/qRrdhM7ywZxebVzwgtuIa7EOJ59fqT4DgA6XadRsUP1nzo7OB+tYKLZnXMXGAVwVnFM527Hu4MjWyBExBkF2kPlX5ggu42tNfS+zPM1w3tZKjvnskpCv67F08SzMK0kkjaFeuCdO8fM1gqJnQPjkN36QXA8rUn3z8HsDZ1LJevUwHfOqEKEOaL1/hjKn9rmbE7w3rJs3/S9jB43W3V4V0dacVufBbQ==",
  "refresh_token":null
}

Example - decoded JWT example; this is a signed JWT with Oridashi certificate

{
  "iss":"https://localhost.oridashi.com.au:8102",
  "sub":"verified\bp.8003628233355286\1",
  "aud":"https://oridashi.com.au/site/apps/smart-index.html",
  "exp":"1460979592",
  "name":"Frederick Smith",
  "profile":"https://localhost:8102/Practitioner/1"
}

Structure - "sub" is the subject of the claim globally unique user identifier

<id status>\<clinical system id>.<site identifer>\<practitioner id>

<id status>

[verified|unverified|test] 
a) 'test':samples/test mode; samples use always marked test to avoid production mismatch
b) 'verified': by certificate check; only HPI-O can be verified by certificate
c) 'unverified': asserted site id; only windows domain SID or generated instance identity

<clinical system id>

[md|bp|zedmed|genie|mt] - system type identifier

<site identifier>

a) HPIO as entered and validated against installed eHealth certificate e.g. 8003628233355286
b) Windows domain SID where present e.g. S-1-5-21-7375663-6890924511-1272660413-2944159
c) Ad-hoc uniquely generated site identifier e.g. 57401CE7C397337ABB1B1D237875CCC6

<practitioner id> - internal site resource identifier string for the associated user Practitioner

Examples

verified\bp.8003628233355286\1
unverified\md.S-1-5-21-7375663-6890924511-1272660413-2944159\3
unverified\zedmed.57401CE7C397337ABB1B1D237875CCC6\ADM
test\bp.8003628233355311\4

@@ Line 1: / Line 1: @@
-== Oridashi-Hiasobi Adapters ==
+=Hiasobi SMART on FHIR R4=
-* Applications run on the clinical desktop as "Oridashi-Hiasobi adapters"
+* Implements SMART App Launch Framework as per http://www.hl7.org/fhir/smart-app-launch/
-* Adapters can be custom branded and include custom features as needed
+* Auth service is built into Oridashi Hiasobi with the following features:
-* Adapters are started on windows login and run in the users windows session
+** Logged in user clinical system identity is used for authorisation (user authentication)
-* Core adapter support includes hosing secured FHIR servers for all clinical products
+** Direct login with Oridashi customer credentials may be performed (where user is not logged into clinical system)
-* Automatic or manual selection of the clinical system is supported
+** Scopes supported are as per Oridashi Hiasobi capability statement read only for admin/health record + support for write document delivery/appointments
-* Manual switch to 'samples' supported for evaluation and testing
-* Click-once deployed into user profile (no admin)
-== SMART on FHIR ==
+=Registering Applications=
-* Oridashi-Hiasobi implements the SMART-on-FHIR Authorisation profile http://docs.smarthealthit.org/authorization/
+* Each customer has a self-managed application register
-* Hiasobi supports a local Auth server interface to enable authorisation
+* Registering application launch and redirect urls is needed to ensure secure launch of applications (Auth service confirms)
-* OAuth2 authorisation challenge is made to establish access
+* Access application manager at https://hiasobi-manager.azurewebsites.net/ login using customer credentials (see below for evaluation)
-* Authorisation can only occur when a user is logged into the clinical system
-* Specific authorisation of requested resources and context is made and recorded in the user profile
-* A unique token is supplied to the web application to use for access to the local FHIR service
-* Web applications need to be registered with the Hiasobi Apps Manager, this includes:
-** Specific launch and application urls for the app needed for launch and authorisation
-** Allocation if a unique application client id needed for authorisation
-** Display names needed for dynamic population of launch urls in adapters
-== FHIR DSTU2 Support ==
+=Evaluation Suite=
-* Draft standard for trial use 2 is the nominal supported version for Hiasobi as per http://hl7.org/fhir/DSTU2/index.html
+* Deploy evaluation adapter to desktop from http://oridashi.com.au/install/OridashiAdapterR4/OridashiAdapterR4.application
-* Check the [base]/metadata content of Hiasobi servers for details of specific resource and search parameter support.
+* Login to https://hiasobi-manager.azurewebsites.net/ to register applications using credentials '''samples2''' / '''67763F1A6A6146D9B5ADA858'''
+* NOTE: this is visible to all evaluators if you require a private space let us know
+* Each customer has their own self managed apps register
+* See the registered sample application
+** Id: 4ae955ea-3a6c-4128-8f7b-0d45ca4e4fff
+** Display: Smart App Tester (R4) - sample javascript on these pages
+** Launch Url: https://oridashi.com.au/site/apps/smart-launch2.html (launch sequence, find auth server, redirect to auth server)
+** Redirect Url: https://oridashi.com.au/site/apps/smart-index2.html (destination redirect from auth server, token exchange for access token, example FHIR service call)
+** A Javascript Library is supplied implementing launch and token exchange sequence https://oridashi.com.au/site/apps/smart2.js and used in the example app
+* Registered apps appear in the evaluation adapter (right click menu; refresh on restart of adapter)
-== FHIR STU3 Support ==
+=Hiasobi Identity Scheme=
-* Standard for trial use 3 is the nominal supported version for Hiasobi as per http://hl7.org/fhir/DSTU3/index.html
-* Check the [base]/metadata content of Hiasobi servers for details of specific resource and search parameter support.
+Scope Request ('''fhirUser'''),
+Response: '''id_token'''
+* user claim details
+* id_token contains a JWT (JSON web token)
+* See:  https://github.com/smart-on-fhir/smart-on-fhir.github.io/blob/master/authorization/smart-on-fhir-jwt-examples.ipynb
+* Example token exchange response includes JWT in id_token
+<pre>
+{
+  "access_token":"ZTQyNzVmOTctMGQxYy00NjZmLTgxM2MtNzk4Nzg0OTI0ODIx",
+  "token_type":"Bearer",
+ "expires_in":"86361",
+ "scope":null,
+  "state":"28564762",
+  "patient":"36",
+  "encounter":null,
+ "location":null,
+  "resource":null,
+  "id_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDo4MTAyIiwic3ViIjoidGVzdFxcODAwMzYxMDgzMzM0MDg1MFxcMSIsImF1ZCI6Imh0dHBzOi8vb3JpZGFzaGkuY29tLmF1L3NpdGUvYXBwcy9zbWFydC1pbmRleC5odG1sIiwiZXhwIjoiMTQ2MTIwODIyMCJ9.CJxYaBP5K0gJLVZaVhyIYhc1RSqDLrm8coWlNs0AbXOrDhCRWssd7FsBoNDZNwXg8E+uW6XtpTFKSysdqJe55Tb0GKUqlMu1a+EqiApW46tBe5b67j//JkH/qRrdhM7ywZxebVzwgtuIa7EOJ59fqT4DgA6XadRsUP1nzo7OB+tYKLZnXMXGAVwVnFM527Hu4MjWyBExBkF2kPlX5ggu42tNfS+zPM1w3tZKjvnskpCv67F08SzMK0kkjaFeuCdO8fM1gqJnQPjkN36QXA8rUn3z8HsDZ1LJevUwHfOqEKEOaL1/hjKn9rmbE7w3rJs3/S9jB43W3V4V0dacVufBbQ==",
+  "refresh_token":null
+}
+</pre>
+'''Example''' - decoded JWT example; this is a signed JWT with Oridashi certificate
+<pre>
+{
+  "iss":"https://localhost.oridashi.com.au:8102",
+  "sub":"verified\bp.8003628233355286\1",
+  "aud":"https://oridashi.com.au/site/apps/smart-index.html",
+  "exp":"1460979592",
+  "name":"Frederick Smith",
+  "profile":"https://localhost:8102/Practitioner/1"
+}
+</pre>
+'''Structure''' - "sub" is the subject of the claim globally unique user identifier
+ <id status>\<clinical system id>.<site identifer>\<practitioner id>
+'''<id status>'''
+ [verified|unverified|test]
+ a) 'test':samples/test mode; samples use always marked test to avoid production mismatch
+ b) 'verified': by certificate check; only HPI-O can be verified by certificate
+ c) 'unverified': asserted site id; only windows domain SID or generated instance identity
+'''<clinical system id>'''
+ [md|bp|zedmed|genie|mt] - system type identifier
+'''<site identifier>'''
+ a) HPIO as entered and validated against installed eHealth certificate e.g. 8003628233355286
+ b) Windows domain SID where present e.g. S-1-5-21-7375663-6890924511-1272660413-2944159
+ c) Ad-hoc uniquely generated site identifier e.g. 57401CE7C397337ABB1B1D237875CCC6
+'''<practitioner id>''' - internal site resource identifier string for the associated user Practitioner
+'''Examples'''
+* verified\bp.8003628233355286\1
+* unverified\md.S-1-5-21-7375663-6890924511-1272660413-2944159\3
+* unverified\zedmed.57401CE7C397337ABB1B1D237875CCC6\ADM
+* test\bp.8003628233355311\4

Difference between revisions of "SMART on FHIR Apps"

Latest revision as of 19:48, 19 March 2019

Contents

Hiasobi SMART on FHIR R4

Registering Applications

Evaluation Suite

Hiasobi Identity Scheme

Navigation menu

Personal tools

Namespaces

Variants

Views

Actions

Search

Navigation

Tools