Aidbox User Docs
Run Aidbox locallyRun Aidbox in SandboxTalk to us Ask community
  • Aidbox FHIR platform documentation
    • Features
    • Architecture
  • Getting Started
    • Run Aidbox in Sandbox
    • Run Aidbox locally
    • Run Aidbox on AWS
    • Upload Sample Data
  • Tutorials
    • CRUD, Search Tutorials
      • Delete data
      • Set up uniqueness in Resource
      • Search Tutorials
        • Custom SearchParameter tutorial
        • Create custom Aidbox Search resource
        • Multilingual search tutorial
        • Migrate from Aidbox SearchParameter to FHIR SearchParameter
        • Change sort order by locale collation
    • Bulk API Tutorials
      • 🎓Synthea by Bulk API
      • 🎓$dump-sql tutorial
    • Security & Access Control Tutorials
      • Authentication Tutorial
      • Allow patients to see their own data
      • Restrict operations on resource type
      • Relationship-based access control
      • Creating user & set up full user access
      • Restricting Access to Patient Data
      • Create and test access control
      • RBAC
        • Flexible RBAC built-in to Aidbox
        • RBAC with JWT containing role
        • RBAC with ACL
      • Set-up token introspection
      • Prohibit user to login
      • Debug access control
      • Managing Admin Access to the Aidbox UI Using Okta Groups
      • Run Multibox locally
      • How to enable labels-based access control
      • How to enable patient data access API
      • How to enable SMART on FHIR on Patient Access API
      • How to enable hierarchical access control
      • How to configure Audit Log
    • Terminology Tutorials
      • Load ICD-10 terminology into Aidbox
      • Uploading IG terminology content to external FHIR terminology server
    • Validation Tutorials
      • Upload FHIR Implementation Guide
        • Environment Variable
        • Aidbox UI
          • IG Package from Aidbox Registry
          • Public URL to IG Package
          • Local IG Package
        • Aidbox FHIR API
        • UploadFIG Tool
      • ISiK
      • Carin BB
      • US Core
      • Davinci Pdex
      • mCode
    • Integration Toolkit Tutorials
      • Postmark integration tutorial
      • Mailgun integration tutorial
    • Subscriptions Tutorials
      • AidboxTopicSubscription NATS tutorial
    • Other tutorials
      • Run Aidbox with FHIR R6
      • Migrate from Multibox to Aidbox
      • SDC with Custom Resources
      • How to create FHIR NPM package
      • Migrate from legacy licence portal to Aidbox portal
      • How to run Aidbox in GCP Cloud Run
  • Overview
    • Licensing and Support
    • Aidbox user portal
      • Projects
      • Licenses
      • Members
    • Aidbox UI
      • Aidbox Notebooks
      • REST Console
      • Database Console
      • Attrs stats
      • DB Tables
      • DB Queries
    • Versioning
    • Release Notes
    • Contact us
  • Configuration
    • Settings
    • Configure Aidbox and Multibox
    • Init Bundle
  • API
    • REST API
      • CRUD
        • Create
        • Read
        • Update
        • Patch
        • Delete
      • FHIR Search
        • SearchParameter
        • Include and Revinclude
        • Chaining
      • Aidbox Search
      • Bundle
      • History
      • $everything on Patient
      • Other
        • Aidbox & FHIR formats
        • Capability Statement
        • $document
        • Observation/$lastn
        • $validate
        • SQL endpoints
        • $matcho
        • $to-format
        • Aidbox version
        • Health check
    • Bulk API
      • Configure Access Policies for Bulk API
      • $dump
      • $dump-sql
      • $dump-csv
      • $export
      • $load & /fhir/$load
      • $import & /fhir/$import
      • aidbox.bulk data import
      • Bulk import from an S3 bucket
    • Batch/Transaction
    • GraphQL API
    • Other APIs
      • Plan API
        • Provider Directory API
          • Practitioner
          • PractitionerRole
          • Organization
          • OrganizationAffiliation
        • Plan API Overview
      • Archive/Restore API
        • create-archive
        • restore-archive
        • prune-archived-data
        • delete-archive
      • ETAG support
      • Cache
      • Changes API
      • RPC API
      • Sequence API
      • Encryption API
      • Batch Upsert
  • Modules
    • Profiling and validation
      • FHIR Schema Validator
        • Aidbox FHIR IGs Registry
        • Setup Aidbox with FHIR Schema validation engine
      • Skip validation of references in resource using request header
      • Asynchronous resource validation
    • Security & Access Control
      • Authentication Flows
        • Basic Auth
        • Client Credentials Grant
        • Resource Owner Grant
        • Authorization Code Grant
        • Implicit Grant
        • Two Factor Authentication
        • External OAuth 2.0 Providers
        • Token Exchange
      • External identity providers
        • Aidbox
        • Okta
        • Azure AD
        • Azure AD with certificate authentication
        • Keycloak
        • GitHub
        • Microsoft AD FS
        • Apple
      • Access Control
        • AccessPolicy
        • Evaluation engines
        • Role-Based Access Control (/RBAC)
        • Attribute-based Access Control (/ABAC)
        • Multitenancy
        • Access control lists (/ACL)
        • Access policy dev tool
        • AccessPolicy best practices
      • Audit
        • Audit Log
    • Observability
      • Getting started
        • Run Aidbox with OpenTelemetry locally
        • How to export telemetry to the OTEL collector
      • Logs
        • How-to guides
          • OpenTelemetry logs
          • Elastic Logs and Monitoring Integration
          • Datadog Log management integration
          • Loki Log management integration
        • Tutorials
          • Log analysis and visualization tutorial
          • Export logs to Datadog tutorial
        • Extending Aidbox Logs
        • Technical reference
          • Log appenders
          • Log transformations
          • Log Schema
          • OTEL logs exporter parameters
      • Metrics
        • How-to guides
          • How to export metrics to the OTEL collector
          • Use Aidbox Metrics Server
          • Set-up Grafana integration
        • Technical reference
          • OpenTelemetry Metrics
          • OTEL metrics exporter parameters
      • Traces
        • How to use tracing
        • OTEL traces exporter parameters
    • Subscriptions
      • Aidbox topic-based subscriptions
        • Kafka AidboxTopicDestination
        • Webhook AidboxTopicDestination
        • GCP Pub/Sub AidboxTopicDestination
        • Tutorial: produce QuestionnaireResponse to Kafka topic
      • Aidbox SubSubscriptions
    • Aidbox Forms
      • Getting started
      • Aidbox Forms Interface
      • Aidbox UI Builder
        • UI Builder Interface
        • Form creation
          • Form Settings
          • Widgets
          • Components
          • Versioning
          • Form customisation in Theme Editor
          • Form signature
          • How-to guides
            • How to: populate forms with data
            • How to extract data from forms
            • How to calculate form filling percentage
          • Multilingual forms
          • FHIRPath Editor
        • Import Questionnaire
        • Form sharing
        • Printing forms
          • Template-based PDF generation
        • FHIR versions
        • Offline forms
        • Embedding
          • Request Interception
        • Configuration
        • Forms multitenancy
        • Building reports using SQL on FHIR
        • Integration with external terminology servers
        • External FHIR servers as a data backend
        • Store attachments in S3-like storages
      • Access Control in Forms
      • Audit Logging in Forms
      • Aidbox Form Gallery
    • Define extensions
      • Extensions using StructureDefinition
      • Extensions using FHIRSchema
    • Custom Resources
      • Custom resources using FHIR Schema
      • Custom resources using StructureDefinition
      • Migrate to FHIR Schema
        • Migrate custom resources defined with Entity & Attributes to FHIR Schema
        • Migrate custom resources defined with Zen to FHIR Schema
    • Aidbox terminology module
      • Concept
        • $translate-concepts
        • Handling hierarchies using ancestors
      • ValueSet
        • ValueSet Expansion
        • ValueSet Code Validation
        • Create a ValueSet
      • CodeSystem
        • CodeSystem Concept Lookup
        • CodeSystem Subsumption testing
        • CodeSystem Code Composition
      • Import external terminologies
        • Import flat file (/CSV)
        • $import operation
        • Ready-to-use terminologies
      • $translate on ConceptMap
    • SQL on FHIR
      • Defining flat views with View Definitions
      • Query data from flat views
      • Reference
    • Integration toolkit
      • C-CDA / FHIR Converter
        • List of supported templates
          • Admission Diagnosis Section (/V3)
          • Advance Directives Section (/entries optional) (/V3)
          • Advance Directives Section (/entries required) (/V3)
          • Allergies and Intolerances Section (/entries optional) (/V3)
          • Allergies and Intolerances Section (/entries required) (/V3)
          • Assessment Section
          • Chief Complaint Section
          • Chief Complaint and Reason for Visit Section
          • Complications Section (/V3)
          • Course of Care Section
          • DICOM Object Catalog Section - DCM 121181
          • Default Section Rules
          • Discharge Diagnosis Section (/V3)
          • Document Header
          • Encounters Section (/entries optional) (/V3)
          • Encounters Section (/entries required) (/V3)
          • Family History Section (/V3)
          • Functional Status Section (/V2)
          • General Status Section
          • Goals Section
          • Health Concerns Section (/V2)
          • History of Present Illness Section
          • Hospital Consultations Section
          • Hospital Course Section
          • Hospital Discharge Instructions Section
          • Hospital Discharge Physical Section
          • Hospital Discharge Studies Summary Section
          • Immunizations Section (/entries optional) (/V3)
          • Immunizations Section (/entries required) (/V3)
          • Medical (/General) History Section
          • Medical Equipment Section (/V2)
          • Medications Administered Section (/V2)
          • Medications Section (/entries optional) (/V2)
          • Medications Section (/entries required) (/V2)
          • Mental Status Section (/V2)
          • Notes
          • Nutrition Section
          • Objective Section
          • Operative Note Fluids Section
          • Operative Note Surgical Procedure Section
          • Past Medical History (/V3)
          • Payers Section (/V3)
          • Plan of Treatment Section (/V2)
          • Postprocedure Diagnosis Section (/V3)
          • Preoperative Diagnosis Section (/V3)
          • Problem Section (/entries optional) (/V3)
          • Problem Section (/entries required) (/V3)
          • Procedure Description Section
          • Procedure Disposition Section
          • Procedure Estimated Blood Loss Section
          • Procedure Implants Section
          • Procedure Specimens Taken Section
          • Procedures Section (/entries optional) (/V2)
          • Procedures Section (/entries required) (/V2)
          • Reason for Visit Section
          • Results Section (/entries optional) (/V3)
          • Results Section (/entries required) (/V3)
          • Review of Systems Section
          • Social History Section (/V3)
          • Vital Signs Section (/entries optional) (/V3)
          • Vital Signs Section (/entries required) (/V3)
        • How to deploy the service
        • Producing C-CDA documents
        • How to customize conversion rules
      • HL7 v2 Integration
        • HL7 v2 integration with Aidbox Project
        • Mappings with lisp/mapping
      • X12 message converter
      • Analytics
        • Power BI
      • Mappings
      • Email Providers integration
        • Setup SMTP provider
    • SMARTbox | FHIR API for EHRs
      • Get started
        • Set up Smartbox locally
        • Deploy Smartbox with Kubernetes
      • (/g)(/10) Standardized API for patient and population services
      • The B11 Decision Support Interventions
        • Source attributes
        • Feedback Sections
      • How-to guides
        • Pass Inferno tests with Smartbox
        • Perform EHR launch
        • Pass Inferno Visual Inspection and Attestation
        • Revoke granted access
        • Set up EHR-level customization
        • Check email templates
        • Setup email provider
        • Register users
        • Set up SSO with Auth0
        • Publish Terms of Use link onto the documentation page
        • Find out what resources were exported during the $export operation
        • Find documentation endpoint
      • Background information
        • Considerations for Testing with Inferno ONC
        • Adding Clients for Inferno tests
        • Multitenancy approach
        • What is Tenant
        • Email templating
    • ePrescription
      • Getting started
      • Authentication with mTLS
      • Pharmacies synchronization
      • Prescribing
        • NewRx Message
        • CancelRx Message
        • How to test Callback
      • Directory
        • DirectoryDownload Message
        • GetProviderLocation Message
        • AddProviderLocation Message
        • UpdateProviderLocation Message
        • DisableProviderLocation Message
      • Medications
        • FDB
      • References
        • Environment Variables
      • Frequently Asked Questions
    • Other modules
      • MDM
        • Train model
        • Configure MDM module
        • Find duplicates: $match
        • Mathematical details
      • MCP
  • Database
    • Database schema
    • PostgreSQL Extensions
    • AidboxDB
      • HA AidboxDB
    • Tutorials
      • Migrate to AidboxDB 16
      • Working with pgAgent
  • File storage
    • AWS S3
    • GCP Cloud Storage
    • Azure Blob Storage
    • Oracle Cloud Storage
  • Deployment and maintenance
    • Deploy Aidbox
      • Run Aidbox on Kubernetes
        • Deploy Production-ready Aidbox to Kubernetes
        • Deploy Aidbox with Helm Charts
        • Highly Available Aidbox
        • Self-signed SSL certificates
      • Run Aidbox on managed PostgreSQL
      • How to inject env variables into Init Bundle
    • Backup and Restore
      • Crunchy Operator (/pgBackRest)
      • pg_dump
      • pg_basebackup
      • WAL-G
    • Indexes
      • Get suggested indexes
      • Create indexes manually
  • App development
    • Use Aidbox with React
    • Aidbox SDK
      • Aidbox JavaScript SDK
      • Apps
      • NodeJs SDK
      • Python SDK
    • Examples
  • Reference
    • FHIR Schema reference
    • Settings reference
      • General
      • FHIR
      • Security & Access Control
      • Modules
      • Database
      • Web Server
      • Observability
      • Zen Project
    • Environment variables
      • Aidbox required environment variables
      • Optional environment variables
      • AidboxDB environment variables
    • System resources reference
      • IAM Module Resources
      • SDC Module Resources
      • Base Module Resources
      • Bulk Module Resources
      • AWF Module Resources
      • Cloud Module Resources
      • HL7v2 Module Resources
      • SQL on FHIR Module Resources
    • Email Providers reference
      • Notification resource reference
      • Mailgun environment variables
      • Postmark environment variables
    • Aidbox Forms reference
      • FHIR SDC API
      • Aidbox SDC API
      • Generating Questionnaire from PDF API
    • Aidbox SQL functions
  • Deprecated
    • Deprecated
      • Zen-related
        • RPC reference
          • aidbox
            • mdm
              • aidbox.mdm/update-mdm-tables
              • aidbox.mdm/match
        • FTR
        • Aidbox configuration project
          • Run Aidbox locally using Aidbox Configuraiton project
          • Aidbox configuration project structure
          • Set up and use configuration projects
          • Enable IGs
          • Repository
          • Seed Import
          • Manage Indexes in Zen Project
          • Seed v2
          • 🎓Migrate to git Aidbox Configuration Projects
          • Aidbox Configuration project reference
            • Zen Configuration
            • Aidbox project RPC reference
            • aidbox.config/config
          • Custom resources using Aidbox Project
          • First-Class Extensions using Zen
          • Zen Indexes
        • US Core IG
          • US Core IG support reference
        • Workflow Engine
          • Task
            • Aidbox Built-in Tasks
            • Task Executor API
            • Task User API
          • Workflow
            • Workflow User API
          • Services
          • Monitoring
        • FHIR conformance Deprecated guides
          • Touchstone FHIR 4.0.1 basic server
          • Touchstone FHIR USCore ClinData
          • How to enable US Core IG
            • Start Aidbox locally with US Core IG enabled
            • Add US Core IG to a running Aidbox instance
          • HL7 FHIR Da Vinci PDex Plan Net IG
        • Terminology Deprecated Tutorials
          • Inferno Test-Suite US Core 3.1.1
        • API constructor (/beta)
        • zen-lang validator
          • Write a custom zen profile
          • Load zen profiles into Aidbox
        • FHIR topic-based subscriptions
          • Set up SubscriptionTopic
          • Tutorial: Subscribe to Topic (/R4B)
          • API Reference
            • Subscription API
        • 🏗️FHIR Terminology Repository
          • FTR Specification
          • Create an FTR instance
            • FTR from CSV
            • FTR from FHIR IG
            • FTR from FTR — Direct Dependency
            • FTR from FTR — Supplement
          • FTR Manifest
          • Load SNOMED CT into Aidbox
          • Load LOINC into Aidbox
          • Load ICD-10-CM into Aidbox
          • Load RxNorm into Aidbox
          • Load US VSAC Package to Aidbox
          • Import via FTR
        • Zen Search Parameters
      • Entity / Attribute
        • Entities & Attributes
        • First-Class Extensions using Attribute
        • Custom Resources using Entity
        • Working with Extensions
        • Aidbox Search Parameters
      • Forms
      • Other
        • Custom Search
        • SearchQuery
        • Subscribe to new Patient resource
        • App Development Deprecated Tutorials
          • Receive logs from your app
            • X-Audit header
          • Working with Aidbox from .NET
          • Patient Encounter notification Application
        • Other Deprecated Tutorials
          • Resource generation with map-to-fhir-bundle-task and subscription triggers
          • APM Aidbox
          • Automatically archive AuditEvent resources in GCP storage guide
          • HL7 v2 pipeline with Patient mapping
          • How to migrate to Apline Linux
          • How to migrate transaction id to bigint
          • How to fix broken dates
          • Configure multi-tenancy
        • AidboxProfile
        • GCP Pub/Sub
Powered by GitBook
On this page
  • 9.10.01 Health IT Module demonstrated support for application registration for single patients
  • 9.10.02 Health IT Module demonstrated support for application registration for multiple patients
  • 9.10.03 Health IT Module demonstrated a graphical user interface for user to authorize FHIR resources
  • 9.10.04 Health IT Module informed patient when "offline_access" scope is being granted during authorization
  • 9.10.05 Health IT Module attested that it is capable of issuing refresh tokens that are valid for a period of no shorter than three months
  • 9.10.06 Health IT developer demonstrated the ability of the Health IT Module / authorization server to validate token it has issued
  • 9.10.07 Tester verifies that all information is accurate and without omission
  • 9.10.08 Information returned no greater than scopes pre-authorized for multi-patient queries
  • Add a Client with the narrow pre-authorized scope
  • Launch the Multi-Patient Authorization and API sequence with wide scope
  • 9.10.09 Health IT developer demonstrated the documentation is available at a publicly accessible URL
  • 9.10.10 Health IT developer confirms the Health IT module does not cache the JWK Set received via a TLS-protected URL for longer than the cache-control header received by an application indicates
  • 9.10.11 Health IT developer demonstrates support for the Patient Demographics Suffix USCDI v1 element
  • 9.10.12 Health IT developer demonstrates support for the Patient Demographics Previous Name USCDI v1 element
  • 9.10.13 Health IT developer demonstrates support for issuing refresh tokens to native applications
  • 1. Register an application with a custom URL schema
  • 2. Build the authorization request URL
  • 3. Open the URL in the browser
  • 4. Authenticate in the Smartbox (enter login and password)
  • 5. Authorize the launch (allow on the Consent screen)
  • 6. Receive the `code` from Smartbox
  • 7. Get the Postman collection installed
  • 8. Exchange the `code` to the `access_token` & `refresh_token`
  • 9. Use `access_token` to fetch resources from Smartbox
  • 10. Use `refresh_token` to get a new `access_token`
  • 11. Use updated `access_token` to fetch resources from Smartbox
  • 9.10.14 Health IT developer demonstrates the public location of its base URLs
  • 9.10.15 TLS version 1.2 or above must be enforced
  • 9.10.16 Health IT developer attested that the Health IT Module is capable of issuing refresh tokens valid for a new period of no shorter than three months without requiring re-authentication and re-authorization when a valid refresh token is supplied by the application

Was this helpful?

Edit on GitHub
  1. Modules
  2. SMARTbox | FHIR API for EHRs
  3. How-to guides

Pass Inferno Visual Inspection and Attestation

This guide explains how to pass the Inferno Visual Inspection and Attestation sequence

PreviousPerform EHR launchNextRevoke granted access

Last updated 8 months ago

Was this helpful?

9.10.01 Health IT Module demonstrated support for application registration for single patients

Provided by certification buddy Tests steps require demonstrating the process of application registration for single patients. You should switch to the Yes option.

Smartbox supports to register SMART applications

9.10.02 Health IT Module demonstrated support for application registration for multiple patients

Provided by certification buddy Tests steps require demonstrating the process of application registration for multiple patients. You should switch to the Yes option.

Smartbox supports to register SMART applications

9.10.03 Health IT Module demonstrated a graphical user interface for user to authorize FHIR resources

During the test sessions, Smartbox shows users the Consent screen. The Consent screen is the graphical user interface.

9.10.04 Health IT Module informed patient when "offline_access" scope is being granted during authorization

During the test sessions, Smartbox shows users the Consent screen. There is the Offline access option on the Consent screen.

9.10.05 Health IT Module attested that it is capable of issuing refresh tokens that are valid for a period of no shorter than three months

Default refresh_token lifespan is unlimited.

9.10.06 Health IT developer demonstrated the ability of the Health IT Module / authorization server to validate token it has issued

Smartbox allowed to fetch Patient resource with the access_token it issued.

9.10.07 Tester verifies that all information is accurate and without omission

Switch to the Yes option. If something is lost, the tester says it.

9.10.08 Information returned no greater than scopes pre-authorized for multi-patient queries

To demonstrate that behavior

  • Add a Client with narrow pre-authorized scope

  • Launch the Multi-Patient Authorization and API sequence with wide scope

Add a Client with the narrow pre-authorized scope

Mind the scope property. It holds the system/Patient.read value only. Access to the other resources is forbidden.

PUT /Client/inferno-my-clinic-bulk-client
Content-Type: text/yaml

type: bulk-api-client
active: true
auth:
  client_credentials:
    client_assertion_types: ['urn:ietf:params:oauth:client-assertion-type:jwt-bearer']
    access_token_expiration: 300
scope: [system/Patient.read]
jwks_uri: https://inferno.healthit.gov/suites/custom/g10_certification/.well-known/jwks.json
grant_types:
- client_credentials
meta:
  tenant:
    id: my-clinic
    resourceType: Tenant

Launch the Multi-Patient Authorization and API sequence with wide scope

  1. Start new Inferno session (it's important)

  2. Switch to the Multi-Patient Authorization and API sequence

  3. Press the Run tests button

  4. Set up the test:

    • Bulk Data FHIR URL: [aidbox-url]/tenant/my-clinic/bulk-api

    • Backend Services Token Endpoint: [aidbox-url]/auth/token

    • Bulk Data Client ID: inferno-my-clinic-bulk-client

    • Bulk Data Scopes: system/Patient.read

    • Encryption method: RS384

    • Group ID: test-group-1

    • Patient IDs in exported Group: test-pt-1,test-pt-2

  5. Press the Submit button

You should receive a lot of errors as Smartbox doesn't issue the access token.

9.10.09 Health IT developer demonstrated the documentation is available at a publicly accessible URL

Smartbox has a documentation page. The address of the page is https://example.com/documentation

Here https://example.com is the Smartbox domain

9.10.10 Health IT developer confirms the Health IT module does not cache the JWK Set received via a TLS-protected URL for longer than the cache-control header received by an application indicates

It is an attestation. You should state Smartbox (Aidbox) caches JWK sets it receives during the token validations. Cached JWK lives for 5 minutes then it is deleted.

9.10.11 Health IT developer demonstrates support for the Patient Demographics Suffix USCDI v1 element

To demonstrate supporting of the Suffix

  1. Open the result of the 1.7.02 Access to Patient resources granted test case

  2. Press the Details button

  3. Scroll down to the name array of the fetched Patient resource

  4. See the Suffix property inside one name element

9.10.12 Health IT developer demonstrates support for the Patient Demographics Previous Name USCDI v1 element

To demonstrate supporting of the Previous Name

  1. Open the result of the 1.7.02 Access to Patient resources granted test case

  2. Press the Details button

  3. Scroll down to the name property of the fetched Patient resource

  4. There are two items in the name array

    1. First name has period.end property. It means that name is the previous one

    2. Second name has no period.end property. That name is current one

9.10.13 Health IT developer demonstrates support for issuing refresh tokens to native applications

Native applications can register custom URL schemas. Instead of the usual http://, the prefix the URL of the native application can start with anything else. For example, my-awesome-smart-app:// is a legal custom URL schema.

In terms of SMART App launch supporting native applications stands for allowing custom schemas in the redirect_uri property.

To demonstrate native applications support

It is a good idea to perform this flow in the Incognito mode (Chrome) or Private Window (Firefox)

  1. Register an application with a custom URL schema

  2. Build the authorization request URL

  3. Open the URL in the browser

  4. Authenticate in the Smartbox (enter login and password)

  5. Authorize the launch (allow on the Consent screen)

  6. Receive the code from Smartbox

  7. Get Postman collection installed

  8. Exchange the code to the access_token and refresh_token

  9. Use access_token to fetch resources from Smartbox

  10. Use refresh_token to get a new access_token

  11. Use updated access_token to fetch resources from Smartbox

1. Register an application with a custom URL schema

PUT /Client/for-refresh-token
content-type: text/yaml

id: for-refresh-token
type: patient-facing-smart-app
grant_types:
  - authorization_code
  - basic
resourceType: Client
auth:
  authorization_code:
    pkce: false
    redirect_uri: custom://redirect     # custom schema is defined
    refresh_token: true
    secret_required: true
    access_token_expiration: 300
secret: secret
active: true
smart:
  launch_uri: https://inferno.healthit.gov/suites/custom/smart/launch

2. Build the authorization request URL

The link should look like this https://example.com/tenant/my-clinic/patient/auth/authorize?client_id=for-refresh-token&scope=launch/patient%20patient/Patient.read%20patient/Condition.read%20offline_access&state=my-state&response_type=code&redirect_uri=custom://redirect&aud=https://example.com/tenant/my-clinic/patient/smart-api

Instead of https://example.com use your Smartbox base url.

3. Open the URL in the browser

In your web browser:

  1. Open a new private tab in the browser

  2. Open developer console to be able to see all the http requests the browser does

  3. Put the link to the URL bar and press enter

4. Authenticate in the Smartbox (enter login and password)

Still on the browser enter your pateint login and password credentials

5. Authorize the launch (allow on the Consent screen)

Still on the browser press the Allow button

6. Receive the `code` from Smartbox

After press the Allow button Smartbox redirects user back to the Consent screen.

In the list of the https requests find the latest one GET request with the code 302. The location header should start with the custom://redirect? string. Fetch the code parameter from the location. Mind there are other parameters in that link. You do not need them.

7. Get the Postman collection installed

  1. Open Postman

  2. Update the host variable with your Smartbox base url

8. Exchange the `code` to the `access_token` & `refresh_token`

In the Postman

  1. Open Exchange code for access_token request

  2. Put the code to the code parameter

  3. Press the Send button

The result of the request is a JSON-object containing access_token and refresh_token properties.

Smartbox allows to exchange code to token in no more than 5 minutes after the code was issued

9. Use `access_token` to fetch resources from Smartbox

Still in postman:

  1. Open the Get Patient Resource request

  2. Copy the access_token to the token input

  3. Press the Send button

The result of the request is a JSON-object of the Patient resource. Access token works.

10. Use `refresh_token` to get a new `access_token`

Still in postman:

  1. Open the Refresh access token request

  2. Copy the refresh_token to the refresh_token parameter

  3. Press the Send button

The result of the request is a JSON-object containing the access_token.

11. Use updated `access_token` to fetch resources from Smartbox

Still in postman:

  1. Open the Get Patient Resource request

  2. Copy the freshly issued access_token to the token input

  3. Press the Send button

The result of the request is the JSON-object of the Patient resource. Updated access_token works

9.10.14 Health IT developer demonstrates the public location of its base URLs

Smartbox generates the list of the base URLs. The address of the list is https://example.com/service-base-urls

Here https://example.com is the Smartbox domain

9.10.15 TLS version 1.2 or above must be enforced

That behavior is not related to the Smartbox settings. Setting the TLS versions and enforcement to the wanted versions is out of the Smartbox setup scope

9.10.16 Health IT developer attested that the Health IT Module is capable of issuing refresh tokens valid for a new period of no shorter than three months without requiring re-authentication and re-authorization when a valid refresh token is supplied by the application

It is an attestation. You should state Smartbox is capable of issuing refresh tokens valid for a new period of no shorter than three months.

To reduce the refresh_token lifespan use

Follow the guide of the guide till the end

Import the

several ways
several ways
collection
refresh_token_expiration documentation
9.10.13 Health IT developer demonstrates support for issuing refresh tokens to native applications