SMART on FHIR App Launch
SMART on FHIR specifies authentication/authorization scheme for FHIR Applications. This scheme extends OAuth 2.0 and OpenID. To enable SMART on FHIR you need to create an Aidbox project and configure SMART API routes using the Aidbox API Constructor.
You can use the configuration provided in the Aidbox project samples repo.
Set Up Aidbox Project
Clone the Aidbox project samples repo:
In the aidbox-project-samples/smart-on-fhir/core.edn
file you can see example of the API constructor configuration.
Currently only two middlewares for SMART on FHIR authorization are implemented:
:smart.fhir/single-patient-auth-middleware
— Patient launch:smart.fhir/authorization-middleware
— Provider launch
Create Resources
To use SMART on FHIR you need to create a few resources like Client and AccessPolicies
Client
Let's create an Aidbox Client:
The launch_uri
parameter here specifies the launch URI for the EHR-based SMART App launch.
Access Policies
You likely want to add some Access Policies to allow users see their data. Here we provide some examples for reference:
Generate Launch URI for EHR Launch Sequence
To generate SMART App launch URI use RPC API method aidbox.smart/get-launch-uri
. The method accepts the following arguments:
user
: id of theUser
resourceiss
: Aidbox base URLclient
: id of theClient
resourcectx
: additional launch contextоpatient
: id ofPatient
resourceencounter
: id ofEncounter
resourcefhirContext
: array of objects referring to any resource type other thanPatient
orEncounter
(see more details)
Standalone Launch
Authorization code flow with SMART on FHIR Standalone Launch:
App requests SMART configuration from
base-url/.well-known/smart-configuration
App requests FHIR conformance statement from
base-url/metadata
App redirects to the EHR Authorization endpoint providing extra parameters:
scope
: OAuth scopes including scopes defined by SMART on FHIRaud
: FHIR Server base url
Authorization server checks asks user to grant access to resources requested by the App and redirects to the App with code
App exchanges code for token using the token endpoint
App uses the token for resource access
EHR Launch
Authorization code flow with SMART on FHIR EHR Launch:
EHR redirects to the App Launch URI (which is generated using Aidbox RPC)
App requests SMART configuration from
base-url/.well-known/smart-configuration
App requests FHIR conformance statement from
base-url/metadata
App redirects to the EHR Authorization endpoint providing extra parameters:
scope
: OAuth scopes including scopes defined by SMART on FHIRaud
: FHIR Server base url
Authorization server checks asks user to grant access to resources requested by the App and redirects to the App with
code
App exchanges
code
fortoken
using thetoken
endpointApp uses the
token
for resource access
The result of the exchanging of the code
for token
is a JSON object containing at least:
access_token
. The access token issued by the authorization servertoken_type
. Fixed value:Bearer
scope
. Scope of access authorized
More details can be found here
Inferno tests
The SMART on FHIR sample in the Aidbox Project Samples is ready to pass the Inferno ONC Program and most of the Inferno Community SMART on FHIR tests. Follow the README in the Aidbox Project Samples repository to set up Aidbox for running these tests.
Last updated