Aidbox fully supports version 1 of SMART on FHIR scopes:
And support everything except search parameters in version 2 of SMART on FHIR scopes:
If a requested operation is not permitted by the scopes, Aidbox will deny access. If access is granted, Aidbox will retrieve and return only the data allowed by the specified scopes and context.
Access Token
To enable scope checking in the Access Control layer, the JWT access token must contain the following claims:
Claim name
Value type
Description
atv *
fixed value
Access Token Version
Fixed value - 2
scope *
valueString
String with scopes separated by space.
context.patient
valueString
Patient ID.
* - required claim
For scope checking, Aidbox accepts any valid JWT tokens issued by external servers if they contain the specified scopes and Aidbox can issue its own JWT tokens with all the required claims.
GET /fhir/Appointment/my-appointmentcontent-type:application/jsonaccept:application/json// Token with "patient/Patient.read patient/Observation.read" scopesAuthorization: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdHYiOjIsImF1ZCI6Imh0dHBzOi8vZzEwdGVzdC5lZGdlLmFpZGJveC5hcHAvZmhpciIsInN1YiI6IjNkMGVmYjgwLTkwMTktNDdhMS1iMzYxLWUwNDUzOGQ4NzFmZSIsImlzcyI6Imh0dHBzOi8vYXV0aC5leGFtcGxlLmNvbSIsImV4cCI6MTczMzIzNDk0ODQsInNjb3BlIjoibGF1bmNoL3BhdGllbnQgb3BlbmlkIGZoaXJVc2VyIG9mZmxpbmVfYWNjZXNzIHBhdGllbnQvUGF0aWVudC5yZWFkIHBhdGllbnQvT2JzZXJ2YXRpb24ucmVhZCIsImp0aSI6IjUzZWQ1MTZhLTNjODEtNGRjZC05NTUxLTdlOTUzYTkzZmMwZSIsImNvbnRleHQiOnsicGF0aWVudCI6InRlc3QtcHQtMSJ9LCJpYXQiOjE3MzMyMzQ2NDh9.PsYalqkaN-6V0tBqLn_9pkDrR0cLmEg237W8xz5Ymdo"
// Forbidden because the token doesn't have Appointment/read scope{"resourceType":"OperationOutcome","id":"forbidden","text": {"status":"generated","div":"Forbidden" },"issue": [ {"severity":"fatal","code":"forbidden","diagnostics":"Forbidden" } ]}
Permitted request based on allowed scopes:
GET /fhir/Patient/test-pt-1content-type:application/jsonaccept:application/json// Token with "patient/Patient.read patient/Observation.read" scopesAuthorization: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdHYiOjIsImF1ZCI6Imh0dHBzOi8vZzEwdGVzdC5lZGdlLmFpZGJveC5hcHAvZmhpciIsInN1YiI6IjNkMGVmYjgwLTkwMTktNDdhMS1iMzYxLWUwNDUzOGQ4NzFmZSIsImlzcyI6Imh0dHBzOi8vYXV0aC5leGFtcGxlLmNvbSIsImV4cCI6MTczMzIzNDk0ODQsInNjb3BlIjoibGF1bmNoL3BhdGllbnQgb3BlbmlkIGZoaXJVc2VyIG9mZmxpbmVfYWNjZXNzIHBhdGllbnQvUGF0aWVudC5yZWFkIHBhdGllbnQvT2JzZXJ2YXRpb24ucmVhZCIsImp0aSI6IjUzZWQ1MTZhLTNjODEtNGRjZC05NTUxLTdlOTUzYTkzZmMwZSIsImNvbnRleHQiOnsicGF0aWVudCI6InRlc3QtcHQtMSJ9LCJpYXQiOjE3MzMyMzQ2NDh9.PsYalqkaN-6V0tBqLn_9pkDrR0cLmEg237W8xz5Ymdo"
// 200 OK because the token has Patient/read scope{"name": [ {"given": ["Amy","V." ],"family":"Shaw","period": {"end":"2020-07-22","start":"2016-12-06" } } ],"birthDate":"1987-02-20","resourceType":"Patient","active":true,"id":"test-pt-1","gender":"female","birthsex":"F"}
Bundle
SMART does not define specific scopes for batch or transaction interactions. Aidbox allows Bundle requests regardless of scopes and applies Access Control restrictions to each element within Bundle.entry. This means that while the Bundle as a whole is accepted, Aidbox enforces scope Access Control restrictions on each entry in the Bundle.
Example
POST /fhircontent-type:application/jsonaccept:application/json// Token with "patient/Patient.read patient/Observation.read" scopesAuthorization: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdHYiOjIsImF1ZCI6Imh0dHBzOi8vZzEwdGVzdC5lZGdlLmFpZGJveC5hcHAvZmhpciIsInN1YiI6IjNkMGVmYjgwLTkwMTktNDdhMS1iMzYxLWUwNDUzOGQ4NzFmZSIsImlzcyI6Imh0dHBzOi8vYXV0aC5leGFtcGxlLmNvbSIsImV4cCI6MTczMzIzNDk0ODQsInNjb3BlIjoibGF1bmNoL3BhdGllbnQgb3BlbmlkIGZoaXJVc2VyIG9mZmxpbmVfYWNjZXNzIHBhdGllbnQvUGF0aWVudC5yZWFkIHBhdGllbnQvT2JzZXJ2YXRpb24ucmVhZCIsImp0aSI6IjUzZWQ1MTZhLTNjODEtNGRjZC05NTUxLTdlOTUzYTkzZmMwZSIsImNvbnRleHQiOnsicGF0aWVudCI6InRlc3QtcHQtMSJ9LCJpYXQiOjE3MzMyMzQ2NDh9.PsYalqkaN-6V0tBqLn_9pkDrR0cLmEg237W8xz5Ymdo"
{"resoruceType":"Bundle","type":"batch","entry": [ {"request": {"method":"GET","url":"Encounter" } }, {"request": {"method":"GET","url":"Patient/test-pt-1" } } ]}
// 200 OK{"type":"batch-response","resourceType":"Bundle","entry": [// first entry is Forbidden because token doesn't have// patient.Encounter/read scope {"resource": {"resourceType":"OperationOutcome","id":"forbidden","text": {"status":"generated","div":"Forbidden" },"issue": [ {"severity":"fatal","code":"forbidden","diagnostics":"Forbidden" } ] },"response": {"status":"403" } },// second entry is allowed because // token has patient/Patient.read scope {"resource": {"name": [ {"given": ["Amy","V." ],"family":"Shaw","period": {"end":"2020-07-22","start":"2016-12-06" } } ],"birthDate":"1987-02-20","resourceType":"Patient","active":true,"id":"test-pt-1","gender":"female","birthsex":"F" } } ]}
Patient data access API
Patient-level access control in Aidbox enables restricting data access to resources associated with a specific patient. When users interact with the FHIR API, they can access only the resources that belong to that patient.
To achieve this behavior, the request must include:
// Search over all ObservationsGET /fhir/Observationcontent-type: application/jsonaccept: application/json// Token with "patient/Observation.read" scope and "contest.patient" = "test-pt-1"Authorization: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdHYiOjIsImF1ZCI6Imh0dHBzOi8vZzEwdGVzdC5lZGdlLmFpZGJveC5hcHAvZmhpciIsInN1YiI6IjNkMGVmYjgwLTkwMTktNDdhMS1iMzYxLWUwNDUzOGQ4NzFmZSIsImlzcyI6Imh0dHBzOi8vYXV0aC5leGFtcGxlLmNvbSIsImV4cCI6MTczMzIzNDk0ODQsInNjb3BlIjoibGF1bmNoL3BhdGllbnQgb3BlbmlkIGZoaXJVc2VyIG9mZmxpbmVfYWNjZXNzIHBhdGllbnQvUGF0aWVudC5yZWFkIHBhdGllbnQvT2JzZXJ2YXRpb24ucmVhZCIsImp0aSI6IjUzZWQ1MTZhLTNjODEtNGRjZC05NTUxLTdlOTUzYTkzZmMwZSIsImNvbnRleHQiOnsicGF0aWVudCI6InRlc3QtcHQtMSJ9LCJpYXQiOjE3MzMyMzQ2NDh9.PsYalqkaN-6V0tBqLn_9pkDrR0cLmEg237W8xz5Ymdo"
// 200 OK Return Observation only // with reference to "test-pt-1" Patient (from "contest.patient" claim){"resourceType":"Bundle","type":"searchset","total":3,"entry": [ {"resource": {"resourceType":"Observation","id":"test-blood-pressure","status":"final","code": {"text":"Blood pressure systolic and diastolic","coding": [ {"code":"85354-9","system":"http://loinc.org","display":"Blood pressure panel with all children optional" } ] },"subject": {"reference":"Patient/test-pt-1" } } }, {"resource": {"resourceType":"Observation","id":"test-heart-rate","status":"final","code": {"text":"heart_rate","coding": [ {"code":"8867-4","system":"http://loinc.org","display":"Heart Rate" } ] },"subject": {"reference":"Patient/test-pt-1" } } }, {"resource": {"resourceType":"Observation","id":"test-height","status":"final","code": {"text":"height","coding": [ {"code":"8302-2","system":"http://loinc.org","display":"Body height" } ] },"subject": {"reference":"Patient/test-pt-1" } } } ]}
