Pass Inferno Visual Inspection and Attestation
This guide explains how to pass the Inferno Visual Inspection and Attestation sequence
Provided by certification buddy
Test steps require demonstrating the process of application registration for single patients. You should switch to the Yes option.

Provided by certification buddy

Test steps require demonstrating the process of application registration for multiple patients. You should switch to the Yes option.

During the test sessions, Smartbox shows users the Consent screen. The Consent screen is the graphical user interface.

During the test sessions, Smartbox shows users the Consent screen. There is the Offline access option on the Consent screen.

Default refresh_token lifespan is unlimited.

- 1. Follow the 9.10.13 Health IT developer demonstrates support for issuing refresh tokens to native applications guide to the end
Smartbox allowed fetching the Patient resource with the access_token it issued.

Switch to the Yes option. If something is missing, the tester says so.

To demonstrate that behavior:

- Add a Client with a narrow pre-authorized scope
- Launch the Multi-Patient Authorization and API sequence with a wide scope

Mind the scope property. It holds the system/Patient.read value only. Access to the other resources is forbidden.

PUT /Client/inferno-my-clinic-bulk-client
Content-Type: text/yaml

type: bulk-api-client
active: true
auth:
  client_credentials:
    client_assertion_types: ['urn:ietf:params:oauth:client-assertion-type:jwt-bearer']
    access_token_expiration: 300
scope: [system/Patient.read]
jwks_uri: https://inferno.healthit.gov/suites/custom/g10_certification/.well-known/jwks.json
grant_types:
- client_credentials
meta:
  tenant:
    id: my-clinic
    resourceType: Tenant

- 1. Start a new Inferno session (it's important)
- 2. Switch to the Multi-Patient Authorization and API sequence
- 3. Press the Run tests button
- 4. Set up the test:
  - Bulk Data FHIR URL: [aidbox-url]/tenant/my-clinic/bulk-api
  - Backend Services Token Endpoint: [aidbox-url]/auth/token
  - Bulk Data Client ID: inferno-my-clinic-bulk-client
  - Bulk Data Scopes: system/Patient.read
  - Encryption method: RS384
  - Group ID: test-group-1
  - Patient IDs in exported Group: test-pt-1,test-pt-2
- 5. Press the Submit button

You should receive a lot of errors as Smartbox doesn't issue the access token.
Smartbox has a documentation page. The address of the page is https://example.com/documentation

Here https://example.com is the Smartbox domain.

It is an attestation. You should state that Smartbox (Aidbox) caches the JWK sets it receives during token validation. A cached JWK lives for 5 minutes, then it is deleted.

To demonstrate support for the Suffix:

- 1. Open the result of the 1.7.02 Access to Patient resources granted test case
- 2. Press the Details button
- 3. Scroll down to the name array of the fetched Patient resource
- 4. See the Suffix property inside one name element

To demonstrate support for the Previous Name:

- 1. Open the result of the 1.7.02 Access to Patient resources granted test case
- 2. Press the Details button
- 3. Scroll down to the name property of the fetched Patient resource
- 4. There are two items in the name array
  - 1. The first name has the period.end property. It means that name is the previous one
  - 2. The second name has no period.end property. That name is the current one

Native applications can register custom URL schemes. Instead of the ordinary http:// prefix, the URL of a native application can start with anything else. For example, my-awesome-smart-app:// is a legal custom URL scheme.

In terms of SMART App Launch, supporting native applications means allowing custom schemes in the redirect_uri property.

To demonstrate native applications support:

It is a good idea to perform this flow in Incognito mode (Chrome) or a Private Window (Firefox).

- 1. Register an application with a custom URL scheme
- 2. Build the authorization request URL
- 3. Open the URL in the browser
- 4. Authenticate in Smartbox (enter login and password)
- 5. Authorize the launch (allow on the Consent screen)
- 6. Receive the code from Smartbox
- 7. Get the Postman collection installed
- 8. Exchange the code for the access_token and refresh_token
- 9. Use the access_token to fetch resources from Smartbox
- 10. Use the refresh_token to get a new access_token
- 11. Use the updated access_token to fetch resources from Smartbox

PUT /Client/for-refresh-token
content-type: text/yaml

id: for-refresh-token
type: patient-facing-smart-app
grant_types:
- authorization_code
- basic
resourceType: Client
auth:
  authorization_code:
    pkce: false
    redirect_uri: custom://redirect # custom scheme is defined
    refresh_token: true
    secret_required: true
    access_token_expiration: 300
secret: secret
active: true
smart:
  launch_uri: https://inferno.healthit.gov/suites/custom/smart/launch

The link should look like this:

https://example.com/tenant/my-clinic/patient/auth/authorize?client_id=for-refresh-token&scope=launch/patient%20patient/Patient.read%20patient/Condition.read%20offline_access&state=my-state&response_type=code&redirect_uri=custom://redirect&aud=https://example.com/tenant/my-clinic/patient/smart-api

Instead of https://example.com use your Smartbox base URL.

In your web browser:

- 1. Open a new private tab in the browser
- 2. Open the developer console to be able to see all the HTTP requests the browser makes
- 3. Put the link into the URL bar and press Enter

Still in the browser, enter your patient login and password credentials.

Still in the browser, press the Allow button.

After you press the Allow button, Smartbox redirects the user back to the Consent screen.

In the list of HTTP requests, find the latest GET request with the code 302. The location header should start with the custom://redirect? string.

Fetch the code parameter from the location. Mind that there are other parameters in that link. You do not need them.

- 1. Open Postman
- 2.
- 3. Update the host variable with your Smartbox base URL
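
Steps 2 and 6 of the native-application flow above, as an added Python example (not Smartbox or Inferno code): it builds the authorization request URL from the values on this page and pulls the code out of the 302 location header. The function names and the state comparison are assumptions added here; https://example.com stands for your Smartbox base URL.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Values from this page; BASE is the page's placeholder for the Smartbox base URL.
BASE = "https://example.com"
TENANT = "my-clinic"
CLIENT_ID = "for-refresh-token"
REDIRECT_URI = "custom://redirect"  # must equal the redirect_uri registered on the Client
SCOPES = ["launch/patient", "patient/Patient.read",
          "patient/Condition.read", "offline_access"]


def build_authorize_url(state):
    """Step 2: build the authorization request URL for the native client."""
    params = {
        "client_id": CLIENT_ID,
        "scope": " ".join(SCOPES),
        "state": state,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "aud": f"{BASE}/tenant/{TENANT}/patient/smart-api",
    }
    # quote() encodes spaces as %20; ':' and '/' stay readable as in the page's link.
    query = urlencode(params, quote_via=quote, safe=":/")
    return f"{BASE}/tenant/{TENANT}/patient/auth/authorize?{query}"


def extract_code(location, expected_state):
    """Step 6: take `code` from the 302 `location` header, ignoring other parameters."""
    got, want = urlsplit(location), urlsplit(REDIRECT_URI)
    if (got.scheme, got.netloc) != (want.scheme, want.netloc):
        raise ValueError("location does not point at the registered redirect_uri")
    query = parse_qs(got.query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    # Assumption: the server echoes `state`; comparing it ties the code to this request.
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]
```

The returned value is what goes into the code parameter of the Exchange code for access_token request.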
In Postman:

- 1. Open the Exchange code for access_token request
- 2. Put the code into the code parameter
- 3. Press the Send button

The result of the request is a JSON object containing the access_token and refresh_token properties.

Smartbox allows exchanging the code for a token no more than 5 minutes after the code was issued.

Still in Postman:

- 1. Open the Get Patient Resource request
- 2. Copy the access_token to the token input
- 3. Press the Send button

The result of the request is a JSON object of the Patient resource. The access token works.

Still in Postman:

- 1. Open the Refresh access token request
- 2. Copy the refresh_token to the refresh_token parameter
- 3. Press the Send button

The result of the request is a JSON object containing the access_token.

Still in Postman:

- 1. Open the Get Patient Resource request
- 2. Copy the freshly issued access_token to the token input
- 3. Press the Send button

The result of the request is the JSON object of the Patient resource. The updated access_token works.

Smartbox generates the list of the base URLs. The address of the list is https://example.com/service-base-urls

Here https://example.com is the Smartbox domain.

That behavior is not related to the Smartbox settings. Setting the TLS versions and enforcement to the wanted versions is out of the Smartbox setup scope.

It is an attestation. You should state that Smartbox is capable of issuing refresh tokens valid for a new period of no shorter than three months.