Set up SMART on FHIR in Aidbox

SMART on FHIR specifies authentication/authorization scheme for FHIR Applications. This scheme extends OAuth 2.0 and OpenID. To enable you need to create an and configure SMART API routes using the .

Set Up Aidbox Project

Clone the repo:

$ git clone https://github.com/Aidbox/aidbox-project-samples.git

In the aidbox-project-samples/smart-on-fhir/core.edn file you can see example of the API constructor configuration.

Currently only two middlewares for SMART on FHIR authorization are implemented:

• :smart.fhir/single-patient-auth-middleware — Patient launch

• :smart.fhir/authorization-middleware — Provider launch

Create Resources

To use SMART on FHIR you need to create a few resources like Client and AccessPolicies

Client

Let's create an :

POST /Client
Content-Type: text/yaml
Accept: text/yaml

resourceType: Client
id: smart-client
secret: some-secret
auth:
  authorization_code:
    redirect_uri: https://your/redirect/uri
    refresh_token: true
    secret_required: true
    access_token_expiration: 36000
smart:
  launch_uri: https://your/launch/uri
grant_types:
  - authorization_code

The launch_uri parameter here specifies the launch URI for the EHR-based SMART App launch.

Access Policies

PUT /
Content-Type: text/yaml
Accept: text/yaml

# Allow patients to search resources linked with them
- resourceType: AccessPolicy
  engine: matcho
  matcho:
    uri: '#/smart/.*'
    params:
      patient: .role.links.patient.id
  roleName: patient
  id: patient-smart

# Allow patients to read their info
- resourceType: AccessPolicy
  engine: matcho
  matcho:
    uri: '#/smart/Patient/.*'
    params:
      id: .role.links.patient.id
  roleName: patient
  id: smart-patient-read

# Allow patients to read their info
- resourceType: AccessPolicy
  engine: matcho
  matcho:
    uri: '#/smart/Patient'
    params:
      _id: .role.links.patient.id
  roleName: patient
  id: smart-patient-search-self

Generate Launch URI for EHR Launch Sequence

• user: id of the User resource

• iss: Aidbox base URL

• client: id of the Client resource

• ctx: additional launch contextо

  • patient: id of Patient resource

  • encounter: id of Encounter resource

Standalone Launch

Authorization code flow with SMART on FHIR Standalone Launch:

• App requests SMART configuration from base-url/.well-known/smart-configuration

• App requests FHIR conformance statement from base-url/metadata

• App redirects to the EHR Authorization endpoint providing extra parameters:

  • scope: OAuth scopes including scopes defined by SMART on FHIR

  • aud: FHIR Server base url

• Authorization server checks asks user to grant access to resources requested by the App and redirects to the App with code

• App exchanges code for token using the token endpoint

• App uses the token for resource access

EHR Launch

Authorization code flow with SMART on FHIR EHR Launch:

• App requests SMART configuration from base-url/.well-known/smart-configuration

• App requests FHIR conformance statement from base-url/metadata

• App redirects to the EHR Authorization endpoint providing extra parameters:

  • scope: OAuth scopes including scopes defined by SMART on FHIR

  • aud: FHIR Server base url

• Authorization server checks asks user to grant access to resources requested by the App and redirects to the App with code

• App exchanges code for token using the token endpoint

• App uses the token for resource access

Inferno tests