Considerations for Testing with Inferno ONC

Mandatory software components
A minimum Aidbox installation consists of two mandatory components:
  1. PostgreSQL, a relational database management system, as the data persistence layer
  2. Aidbox itself, configured to work with that PostgreSQL instance

An Aidboxdb Docker image can be obtained here. It ships with all the PostgreSQL extensions Aidbox needs.

Aidbox is the FHIR server itself; it also implements the SMART on FHIR authorization flows. Aidbox is distributed as a Docker image:

Mandatory software configurations
Aidbox can be configured in many ways, but the minimum configuration is defined here.
Main configuration aspects:
  • An S3 account and bucket must be prepared, because Aidbox uploads bulk-exported data to that bucket
  • Aidbox must be configured as a zen-project
  • At minimum, the endpoints of your SMART API must be defined. Consider using the prepared, ONC Inferno-ready zen-project as a draft

ONC Inferno requires a minimum TLS version on the HTTPS requests it makes to the server: only TLS 1.2 and newer are allowed.
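The TLS requirement above is easy to verify from the outside before running the Inferno suite. The script below is an added example, not part of the Aidbox documentation and not Inferno's own test: it pins a client handshake to each TLS version in turn and reports which ones the server accepted. The default hostname cmpl.aidbox.app is taken from the audience used in the Client resources below; any host and port can be given on the command line.

```python
"""Probe which TLS protocol versions a FHIR server accepts.

Added example (not Aidbox's or Inferno's tooling). The host/port come from
the command line; `assess` applies the requirement above: a TLS 1.2 or 1.3
handshake must succeed, and an accepted TLS 1.0/1.1 handshake is a finding.
"""
import socket
import ssl
import sys

# Versions to probe by name. TLS 1.3 is included because a server that only
# speaks 1.3 still satisfies "1.2 or newer".
PROBE_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
ACCEPTABLE = ("TLSv1.2", "TLSv1.3")
LEGACY = ("TLSv1.0", "TLSv1.1")


def handshake_succeeds(host, port, version, timeout=5.0):
    """Return True if a handshake pinned to exactly `version` completes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only the protocol version is under test; certificate validation is
    # disabled on purpose so a self-signed test certificate does not mask the result.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        # The local OpenSSL build cannot even offer this version; report it as refused.
        return False
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe(host, port=443):
    """Map each probed version name to whether the server accepted it."""
    return {name: handshake_succeeds(host, port, ver) for name, ver in PROBE_VERSIONS.items()}


def assess(results):
    """Turn probe results into (ok, findings) under the TLS 1.2+ requirement."""
    findings = []
    if not any(results.get(v, False) for v in ACCEPTABLE):
        findings.append("no TLS 1.2 or TLS 1.3 handshake succeeded")
    accepted_legacy = [v for v in LEGACY if results.get(v, False)]
    if accepted_legacy:
        findings.append("legacy versions still accepted: " + ", ".join(accepted_legacy))
    return (not findings, findings)


if __name__ == "__main__":
    # Default host is the audience hostname from the Client resources on this page.
    host = sys.argv[1] if len(sys.argv) > 1 else "cmpl.aidbox.app"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    res = probe(host, port)
    ok, findings = assess(res)
    for name, accepted in res.items():
        print(f"{name}: {'accepted' if accepted else 'refused'}")
    print("PASS" if ok else "FAIL: " + "; ".join(findings))
```

Run it as `python tls_probe.py your-fhir-host 443`. One caveat: a modern OpenSSL build may itself refuse to offer TLS 1.0 or 1.1, in which case the probe reports those versions as refused regardless of the server, so confirm the result against the server's own TLS configuration (reverse proxy or load balancer) as well.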

Setting up different SMART on FHIR applications
Confidential and public applications
There are two types of applications that use the SMART on FHIR API:
  • confidential apps, which are able to protect the secret issued to them
  • public apps, which are not

Confidential application
A confidential application is registered with a secret and with the basic grant type, which it uses to authenticate the authorization_code exchange. Example:

PUT /Client/inferno-g10-client
content-type: text/yaml
accept: text/yaml

id: inferno-g10-client
resourceType: Client
secret: some-very-secret # use a long random value in a real deployment
grant_types:
  - authorization_code
  - basic # used to authenticate the exchange of authorization_code for access_token
auth:
  authorization_code:
    pkce: false # PKCE is not required for a confidential client
    audience:
      - https://cmpl.aidbox.app/smart
    redirect_uri: https://inferno.healthit.gov/suites/custom/smart/redirect
    refresh_token: true
    secret_required: true # the client must present its secret
    access_token_expiration: 3600 # 1 hour
smart:
  launch_uri: https://inferno.healthit.gov/suites/custom/smart/launch

Public application
Public applications have no backend service and cannot keep a secret securely, so they must be registered without a secret and without the basic grant type, auth.authorization_code.secret_required must be disabled, and PKCE is required instead. Example:
PUT /Client/inferno-g10-client
content-type: text/yaml
accept: text/yaml

id: inferno-g10-client
resourceType: Client
grant_types:
  - authorization_code
auth:
  authorization_code:
    pkce: true # PKCE is required
    audience:
      - https://cmpl.aidbox.app/smart
    redirect_uri: https://inferno.healthit.gov/suites/custom/smart/redirect
    refresh_token: true
    secret_required: false # no secret
    access_token_expiration: 3600 # 1 hour
smart:
  launch_uri: https://inferno.healthit.gov/suites/custom/smart/launch
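The difference between the two registrations shows up in the authorization flow itself. As an added example (not Aidbox's or Inferno's code), the Python below builds the authorization request and the authorization_code exchange for both client types, using the client_id, secret, redirect_uri and audience from the two Client resources above; the authorize and token endpoint URLs are assumed placeholders, not values taken from this page.

```python
"""SMART App Launch requests for a confidential and a public client.

Added example, not Aidbox's or Inferno's code. client_id, secret,
redirect_uri and audience mirror the Client resources above; the
AUTHORIZE_ENDPOINT and TOKEN_ENDPOINT URLs are assumptions.
"""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTHORIZE_ENDPOINT = "https://cmpl.aidbox.app/auth/authorize"  # assumed
TOKEN_ENDPOINT = "https://cmpl.aidbox.app/auth/token"          # assumed
REDIRECT_URI = "https://inferno.healthit.gov/suites/custom/smart/redirect"
AUDIENCE = "https://cmpl.aidbox.app/smart"

# Mirrors the two registrations above: a confidential client holds a secret and
# does not require PKCE; a public client has no secret and requires PKCE.
CONFIDENTIAL = {"client_id": "inferno-g10-client", "secret": "some-very-secret", "pkce": False}
PUBLIC = {"client_id": "inferno-g10-client", "secret": None, "pkce": True}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by PKCE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))  # 43 unreserved chars, inside the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def basic_auth_header(client_id, secret):
    """HTTP Basic credentials for the `basic` grant type of a confidential client."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode("ascii")


def authorize_url(client, scope, state, code_challenge=None):
    """Redirect URL to the authorization endpoint (EHR or standalone launch)."""
    if client["pkce"] and code_challenge is None:
        raise ValueError("public client must send a PKCE code_challenge")
    params = {
        "response_type": "code",
        "client_id": client["client_id"],
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "aud": AUDIENCE,
    }
    if code_challenge is not None:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    # The secret never appears in this browser-visible URL, even for confidential clients.
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def token_request(client, code, code_verifier=None):
    """Return (headers, form) for POSTing to TOKEN_ENDPOINT to redeem `code`.

    Confidential clients authenticate with HTTP Basic; public clients prove
    possession of the code with the PKCE verifier and send client_id in the form.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": REDIRECT_URI}
    if client["secret"]:
        headers["Authorization"] = basic_auth_header(client["client_id"], client["secret"])
    else:
        form["client_id"] = client["client_id"]
    if client["pkce"] and code_verifier is None:
        raise ValueError("public client must send the PKCE code_verifier")
    if code_verifier is not None:
        form["code_verifier"] = code_verifier
    return headers, form


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    scope = "launch/patient openid fhirUser offline_access patient/*.read"
    print(authorize_url(PUBLIC, scope, "state-123", challenge))
    print(token_request(CONFIDENTIAL, "code-from-redirect"))
    print(token_request(PUBLIC, "code-from-redirect", verifier))
```

The confidential client authenticates the token request with HTTP Basic credentials (the `basic` grant type in its registration) and its secret never leaves the backend; the public client has no secret, so it binds the authorization code to its own session with a PKCE S256 challenge and proves possession with the verifier at the token endpoint, which is why `pkce: true` is required for it. The offline_access scope in the sample corresponds to `refresh_token: true` in both registrations.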

Bulk client for back-end application
Client example for a bulk (backend services) application. It authenticates with a signed JWT client assertion instead of a secret and receives short-lived, system-level access tokens:
PUT /Client/inferno-g10-bulk-client
content-type: text/yaml
accept: text/yaml

id: inferno-g10-bulk-client
resourceType: Client
type: bulk
grant_types:
  - client_credentials
auth:
  client_credentials:
    client_assertion_types:
      - urn:ietf:params:oauth:client-assertion-type:jwt-bearer
    access_token_expiration: 300 # 5 minutes
scope:
  - system/*.read
jwks_uri: https://inferno.healthit.gov/suites/custom/g10_certification/.well-known/jwks.json

Expanding scope
Scopes tell the SMART on FHIR server which resources an application needs access to. A scope can be defined in two ways:
  1. An exact resource name, such as patient/Device.read, which requests read access to Device resources
  2. A wildcard, such as patient/*.read, which requests read access to all resources in the patient compartment

How Aidbox expands wildcard * scope
patient/*.read expands to:
  • patient/Patient.read
  • patient/AllergyIntolerance.read
  • patient/CarePlan.read
  • patient/CareTeam.read
  • patient/Condition.read
  • patient/Device.read
  • patient/DiagnosticReport.read
  • patient/DocumentReference.read
  • patient/Goal.read
  • patient/Encounter.read
  • patient/Immunization.read
  • patient/MedicationRequest.read
  • patient/Observation.read
  • patient/Procedure.read
  • patient/Provenance.read
  • patient/Practitioner.read
  • patient/Organization.read
  • patient/Location.read
user/*.read expands to:
  • user/Patient.read
  • user/AllergyIntolerance.read
  • user/CarePlan.read
  • user/CareTeam.read
  • user/Condition.read
  • user/Device.read
  • user/DiagnosticReport.read
  • user/DocumentReference.read
  • user/Goal.read
  • user/Encounter.read
  • user/Immunization.read
  • user/MedicationRequest.read
  • user/Observation.read
  • user/Procedure.read
  • user/Provenance.read
  • user/Practitioner.read
  • user/Organization.read
  • user/Location.read
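The expansion tables above can be reproduced in code. The following Python is an added example, not Aidbox's scope engine: it expands exact and wildcard SMART v1 scopes over the resource types listed above, and checks whether a concrete scope an app needs is covered by what was granted. The `.*` permission expanding to read plus write follows the SMART App Launch v1 scope syntax; this page only shows `.read`.

```python
"""Expand SMART on FHIR v1 scopes the way the lists above describe.

Added example, not Aidbox's own scope engine. The resource type list is the
one shown above for patient/*.read and user/*.read.
"""
import re

US_CORE_RESOURCE_TYPES = [
    "Patient", "AllergyIntolerance", "CarePlan", "CareTeam", "Condition", "Device",
    "DiagnosticReport", "DocumentReference", "Goal", "Encounter", "Immunization",
    "MedicationRequest", "Observation", "Procedure", "Provenance", "Practitioner",
    "Organization", "Location",
]

# <context>/<ResourceType or *>.<read|write|*>
SCOPE_RE = re.compile(r"^(patient|user|system)/(\*|[A-Z][A-Za-z]*)\.(read|write|\*)$")


def parse_scope(scope):
    """Return (context, resource_type, permission) or None for non-resource scopes."""
    m = SCOPE_RE.match(scope)
    if not m:
        return None  # launch/patient, openid, fhirUser, offline_access carry no resource access
    return m.group(1), m.group(2), m.group(3)


def expand_scope(scope, resource_types=US_CORE_RESOURCE_TYPES):
    """Expand one scope into the concrete <context>/<Type>.<perm> scopes it implies."""
    parsed = parse_scope(scope)
    if parsed is None:
        return [scope]
    ctx, rtype, perm = parsed
    types = list(resource_types) if rtype == "*" else [rtype]
    perms = ["read", "write"] if perm == "*" else [perm]
    return [f"{ctx}/{t}.{p}" for t in types for p in perms]


def expand_scopes(scope_string, resource_types=US_CORE_RESOURCE_TYPES):
    """Expand a space-separated scope string, de-duplicated, original order kept."""
    seen = {}
    for s in scope_string.split():
        for e in expand_scope(s, resource_types):
            seen.setdefault(e, None)
    return list(seen)


def is_covered(needed, granted_scope_string, resource_types=US_CORE_RESOURCE_TYPES):
    """True if the concrete scope `needed` is implied by the granted scopes."""
    return needed in set(expand_scopes(granted_scope_string, resource_types))


if __name__ == "__main__":
    for s in expand_scopes("launch/patient openid patient/*.read"):
        print(s)
    print(is_covered("patient/Device.write", "patient/*.read"))  # wildcard read grants no write
```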