Considerations for Testing with Inferno ONC

Mandatory software components & configurations

Mandatory software components

A minimum Aidbox installation consists of two mandatory components:
  1. PostgreSQL relational database management system as the data persistence layer
  2. Aidbox itself, configured to work with that PostgreSQL instance

PostgreSQL

The Aidboxdb Docker image can be obtained here. It ships with all the necessary extensions on board.

Aidbox

A powerful FHIR server that also supports the SMART on FHIR authorization flow.
Aidbox is distributed as a Docker container.

Mandatory software configurations

Aidbox

Aidbox can be configured in many ways, but the minimum configuration is defined here.
Main configuration aspects:
  • An S3 account and bucket should be prepared, because Aidbox uploads exported data to the bucket
  • Aidbox should be configured as a zen-project
  • At minimum, the endpoints of your SMART API must be defined. Consider using the prepared ONC Inferno tests ready zen-project as a draft

TLS for HTTP

ONC Inferno requires a minimum TLS version for its HTTP requests: only TLS 1.2 and newer are accepted.

Setting up different SMART on FHIR application

confidential and public applications

There are two types of applications that use the SMART on FHIR API:
  • confidential apps, which are able to protect the secret issued to them
  • public apps, which are not able to do so

confidential application

PUT /Client/inferno-g10-client
content-type: text/yaml
accept: text/yaml

id: inferno-g10-client
resourceType: Client
secret: some-very-secret
grant_types:
- authorization_code
- basic # used to exchange authorization_code for access_token
auth:
  authorization_code:
    pkce: false # PKCE not required for this confidential client
    audience:
    - https://cmpl.aidbox.app/smart
    redirect_uri: https://inferno.healthit.gov/suites/custom/smart/redirect
    refresh_token: true
    secret_required: true # client must present its secret
    access_token_expiration: 3600 # 1 hour
smart:
  launch_uri: https://inferno.healthit.gov/suites/custom/smart/launch

public application

Public applications, which have no backend service and cannot keep a secret securely, should not have a secret or the basic grant type, and auth.authorization_code.secret_required should be disabled. Example:
PUT /Client/inferno-g10-client
content-type: text/yaml
accept: text/yaml

id: inferno-g10-client
resourceType: Client
grant_types:
- authorization_code
auth:
  authorization_code:
    pkce: true # PKCE is required
    audience:
    - https://cmpl.aidbox.app/smart
    redirect_uri: https://inferno.healthit.gov/suites/custom/smart/redirect
    refresh_token: true
    secret_required: false # no client secret for a public client
    access_token_expiration: 3600 # 1 hour
smart:
  launch_uri: https://inferno.healthit.gov/suites/custom/smart/launch

bulk client for back-end application

Client example for a bulk-data (back-end) application:
id: inferno-g10-bulk-client
resourceType: Client
grant_types:
- client_credentials
auth:
  client_credentials:
    client_assertion_types:
    - urn:ietf:params:oauth:client-assertion-type:jwt-bearer # signed JWT instead of a shared secret
    access_token_expiration: 300 # 5 minutes
scope:
- system/*.read
jwks_uri: https://inferno.healthit.gov/suites/custom/g10_certification/.well-known/jwks.json # public keys used to verify the client assertion

Expanding scope

Scopes are used to tell SMART on FHIR which resources an application needs access to. A scope can be defined in two ways:
  1. An exact resource name such as patient/Device.read; in this case read access to Device is requested
  2. A wildcard definition such as patient/*.read, which requests read access to all patient resources

How Aidbox expands wildcard * scope

patient/*.read expands to:
  • patient/Patient.read
  • patient/AllergyIntolerance.read
  • patient/CarePlan.read
  • patient/CareTeam.read
  • patient/Condition.read
  • patient/Device.read
  • patient/DiagnosticReport.read
  • patient/DocumentReference.read
  • patient/Goal.read
  • patient/Encounter.read
  • patient/Immunization.read
  • patient/MedicationRequest.read
  • patient/Observation.read
  • patient/Procedure.read
  • patient/Provenance.read
  • patient/Practitioner.read
  • patient/Organization.read
  • patient/Location.read

user/*.read expands to:
  • user/Patient.read
  • user/AllergyIntolerance.read
  • user/CarePlan.read
  • user/CareTeam.read
  • user/Condition.read
  • user/Device.read
  • user/DiagnosticReport.read
  • user/DocumentReference.read
  • user/Goal.read
  • user/Encounter.read
  • user/Immunization.read
  • user/MedicationRequest.read
  • user/Observation.read
  • user/Procedure.read
  • user/Provenance.read
  • user/Practitioner.read
  • user/Organization.read
  • user/Location.read
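The expansion above, as an added example that is not Aidbox's own code: it expands the resource wildcard into the exact scopes listed on this page and checks whether a granted scope string covers a requested access. The `system` context and `.write` access are not shown on this page and are assumed here for generality; the resource list itself is the page's.

```python
import re

# Resource set that Aidbox substitutes for '*' in patient/*.read and user/*.read (taken from the page).
WILDCARD_RESOURCES = [
    "Patient", "AllergyIntolerance", "CarePlan", "CareTeam", "Condition", "Device",
    "DiagnosticReport", "DocumentReference", "Goal", "Encounter", "Immunization",
    "MedicationRequest", "Observation", "Procedure", "Provenance", "Practitioner",
    "Organization", "Location",
]

# SMART v1 scope syntax: <context>/<Resource or *>.<access>.
# The 'system' context and 'write' access are assumptions, not shown on the page.
SCOPE_RE = re.compile(r"^(patient|user|system)/([A-Za-z]+|\*)\.(read|write)$")


def expand_scope(scope):
    """Expand one scope into a list of exact resource scopes; raise on bad syntax."""
    match = SCOPE_RE.match(scope)
    if not match:
        raise ValueError(f"unsupported scope syntax: {scope!r}")
    context, resource, access = match.groups()
    resources = WILDCARD_RESOURCES if resource == "*" else [resource]
    return [f"{context}/{r}.{access}" for r in resources]


def expand_scopes(scope_string):
    """Expand a space-separated scope string, de-duplicating while keeping order."""
    expanded = []
    for scope in scope_string.split():
        for exact in expand_scope(scope):
            if exact not in expanded:
                expanded.append(exact)
    return expanded


def scope_grants(granted_scope_string, context, resource, access="read"):
    """True if the granted scopes cover <context>/<resource>.<access> after expansion.

    Note that the wildcard only covers the resources in WILDCARD_RESOURCES: a
    resource outside that list (e.g. Medication) is not granted by patient/*.read.
    """
    return f"{context}/{resource}.{access}" in expand_scopes(granted_scope_string)


if __name__ == "__main__":
    print(expand_scopes("patient/*.read patient/Device.read"))
    print(scope_grants("patient/*.read", "patient", "Medication"))  # False
```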