Pass Inferno Visual Inspection and Attestation
This guide explains how to pass the Inferno Visual Inspection and Attestation sequence
9.10.01 Health IT Module demonstrated support for application registration for single patients
Provided by certification buddy Tests steps
require demonstrating the process of application registration for single patients. You should switch to the Yes
option.
Smartbox supports several ways to register SMART applications
9.10.02 Health IT Module demonstrated support for application registration for multiple patients
Provided by certification buddy Tests steps
require demonstrating the process of application registration for multiple patients. You should switch to the Yes
option.
Smartbox supports several ways to register SMART applications
9.10.03 Health IT Module demonstrated a graphical user interface for user to authorize FHIR resources
During the test sessions, Smartbox shows users the Consent screen
. The Consent screen
is the graphical user interface.
9.10.04 Health IT Module informed patient when "offline_access" scope is being granted during authorization
During the test sessions, Smartbox shows users the Consent screen
. There is the Offline access
option on the Consent screen
.
9.10.05 Health IT Module attested that it is capable of issuing refresh tokens that are valid for a period of no shorter than three months
Default refresh_token
lifespan is unlimited.
To reduce the refresh_token lifespan use refresh_token_expiration documentation
9.10.06 Health IT developer demonstrated the ability of the Health IT Module / authorization server to validate token it has issued
Follow the guide of the 9.10.13 Health IT developer demonstrates support for issuing refresh tokens to native applications guide till the end
Smartbox allowed to fetch Patient
resource with the access_token
it issued.
9.10.07 Tester verifies that all information is accurate and without omission
Switch to the Yes
option. If something is lost, the tester says it.
9.10.08 Information returned no greater than scopes pre-authorized for multi-patient queries
To demonstrate that behavior
Add a Client with narrow pre-authorized
scope
Launch the
Multi-Patient Authorization and API
sequence with wide scope
Add a Client with the narrow pre-authorized scope
Mind the scope
property. It holds the system/Patient.read
value only. Access to the other resources is forbidden.
Launch the Multi-Patient Authorization and API sequence with wide scope
Start new Inferno session (it's important)
Switch to the
Multi-Patient Authorization and API
sequencePress the
Run tests
buttonSet up the test:
Bulk Data FHIR URL:
[aidbox-url]/tenant/my-clinic/bulk-api
Backend Services Token Endpoint:
[aidbox-url]/auth/token
Bulk Data Client ID:
inferno-my-clinic-bulk-client
Bulk Data Scopes:
system/Patient.read
Encryption method:
RS384
Group ID:
test-group-1
Patient IDs in exported Group:
test-pt-1,test-pt-2
Press the
Submit
button
You should receive a lot of errors as Smartbox doesn't issue the access token.
9.10.09 Health IT developer demonstrated the documentation is available at a publicly accessible URL
Smartbox has a documentation page. The address of the page is https://example.com/documentation
Here https://example.com
is the Smartbox domain
9.10.10 Health IT developer confirms the Health IT module does not cache the JWK Set received via a TLS-protected URL for longer than the cache-control header received by an application indicates
It is an attestation. You should state Smartbox never caches JWK
sets it receives during the token validations.
9.10.11 Health IT developer demonstrates support for the Patient Demographics Suffix USCDI v1 element
To demonstrate supporting of the Suffix
Open the result of the
1.7.02 Access to Patient resources granted
test casePress the
Details
buttonScroll down to the
name
array of the fetchedPatient
resourceSee the
Suffix
property inside onename
element
9.10.12 Health IT developer demonstrates support for the Patient Demographics Previous Name USCDI v1 element
To demonstrate supporting of the Previous Name
Open the result of the
1.7.02 Access to Patient resources granted
test casePress the
Details
buttonScroll down to the
name
property of the fetchedPatient
resourceThere are two items in the
name
arrayFirst
name
hasperiod.end
property. It means thatname
is theprevious
oneSecond
name
has noperiod.end
property. Thatname
iscurrent
one
9.10.13 Health IT developer demonstrates support for issuing refresh tokens to native applications
Native applications can register custom URL schemas
. Instead of the ordinary http://
prefix the URL of the native application can start with anything else. For example, my-awesome-smart-app://
is a legal custom URL schema.
In terms of SMART App launch
supporting native applications stands for allowing custom schemas in the redirect_uri
property.
To demonstrate native applications support
It is a good idea to perform this flow in the Incognito mode
(Chrome) or Private Window
(Firefox)
Register an application with a custom URL schema
Build the authorization request URL
Open the URL in the browser
Authenticate in the Smartbox (enter login and password)
Authorize the launch (allow on the Consent screen)
Receive the
code
from SmartboxGet Postman collection installed
Exchange the
code
to theaccess_token
andrefresh_token
Use
access_token
to fetch resources from SmartboxUse
refresh_token
to get a newaccess_token
Use updated
access_token
to fetch resources from Smartbox
1. Register an application with a custom URL schema
2. Build the authorization request URL
The link should look like this https://example.com/tenant/my-clinic/patient/auth/authorize?client_id=for-refresh-token&scope=launch/patient%20patient/Patient.read%20patient/Condition.read%20offline_access&state=my-state&response_type=code&redirect_uri=custom://redirect&aud=https://example.com/tenant/my-clinic/patient/smart-api
Instead of https://example.com
use your Smartbox base url.
3. Open the URL in the browser
In your web browser:
Open a new private tab in the browser
Open developer console to be able to see all the http requests the browser does
Put the link to the URL bar and press enter
4. Authenticate in the Smartbox (enter login and password)
Still on the browser enter your pateint login and password credentials
5. Authorize the launch (allow on the Consent screen)
Still on the browser press the Allow
button
6. Receive the `code` from Smartbox
After press the Allow
button Smartbox redirects user back to the Consent screen
.
In the list of the https requests find the latest one GET
request with the code 302
. The location
header should start with the custom://redirect?
string.
Fetch the code
parameter from the location. Mind there are other parameters in that link. You do not need them.
7. Get the Postman collection installed
Open Postman
Import the collection
Update the
host
variable with your Smartbox base url
8. Exchange the `code` to the `access_token` & `refresh_token`
In the Postman
Open
Exchange code for access_token
requestPut the
code
to thecode
parameterPress the
Send
button
The result of the request is a JSON-object containing access_token
and refresh_token
properties.
Smartbox allows to exchange code
to token
in no more than 5 minutes after the code
was issued
9. Use `access_token` to fetch resources from Smartbox
Still in postman:
Open the
Get Patient Resource
requestCopy the
access_token
to thetoken
inputPress the
Send
button
The result of the request is a JSON-object of the Patient
resource. Access token works.
10. Use `refresh_token` to get a new `access_token`
Still in postman:
Open the
Refresh access token
requestCopy the
refresh_token
to therefresh_token
parameterPress the
Send
button
The result of the request is a JSON-object containing the access_token
.
11. Use updated `access_token` to fetch resources from Smartbox
Still in postman:
Open the
Get Patient Resource
requestCopy the freshly issued
access_token
to thetoken
inputPress the
Send
button
The result of the request is the JSON-object of the Patient
resource. Updated access_token
works
9.10.14 Health IT developer demonstrates the public location of its base URLs
Smartbox generates the list of the base URLs. The address of the list is https://example.com/service-base-urls
Here https://example.com
is the Smartbox domain
9.10.15 TLS version 1.2 or above must be enforced
That behavior is not related to the Smartbox settings. Setting the TLS versions and enforcement to the wanted versions is out of the Smartbox setup scope
9.10.16 Health IT developer attested that the Health IT Module is capable of issuing refresh tokens valid for a new period of no shorter than three months without requiring re-authentication and re-authorization when a valid refresh token is supplied by the application
It is an attestation. You should state Smartbox is capable of issuing refresh tokens valid for a new period of no shorter than three months.
Last updated