FHIR Chat · security testing · cds hooks

Stream: cds hooks

Topic: security testing


Isaac Vetter (Sep 06 2017 at 22:25):

Hey Everybody,

I've got a prototype of the CDS Hooks request message containing the fhirAuthorization JSON object, which contains an access_token that you should be able to use to authenticate to my protected FHIR server. (I haven't implemented the JWT yet). Here's the version of the CDS Hooks spec that I'm following: https://cds-hooks-docs-pr-72.herokuapp.com/#fhir-resource-access

I implemented a dummy client_id of "6c12dff4-24e7-4475-a742-b08972c4ea27" that any CDS service can use.

Anybody interested in testing pre-connectathon? @Kalyani Yerra @Raj M ? Shoot me a pm.

p.s. Everybody that I've been testing with via Argonauts is already getting the fhirAuthorization in my request as of a 1/2 hour ago.

Raj M (Sep 07 2017 at 13:34):

@Isaac Vetter Our endpoint [http://prototypes.utdlab.com/argonaut/cds-services] supports receiving fhirAuthorization and using it. Please test it out and let me know.

Isaac Vetter (Sep 07 2017 at 15:05):

Raj and I are successfully providing an access_token according to the draft security spec, and using it to authenticate to the FHIR server!

Nice work, Raj!

Isaac Vetter (Sep 07 2017 at 17:37):

Fyi - Kalyani from Premier is also successfully using the access_token provided in the new fhirAuthorization object in the CDS Hooks request! Congrats, Kalyani!

Kalyani Yerra (Sep 07 2017 at 17:54):

Thanks Isaac for getting EPIC system ready and testing the CDS services. Well done!

Chuck Feltner (Sep 07 2017 at 23:24):

I updated our T-System FHIR Server (https://fhirsandbox2.tsysinteropsvcs.net:8100/sites/123) to send an auth_token in the CDS Service Request according to the CDS Hooks draft security spec.

Robert Sax (Sep 09 2017 at 16:38):

FYI: On the stanson service, if you try to send an Authorize header with a Bearer credential, it will try to authenticate, so you will likely get a 401.

brian doolittle (Sep 09 2017 at 17:33):

I'm working on implementing the security model for my EHR-side CDS-Hooks implementation of discovery and service request. Does anyone have a service endpoint implemented on which I can test out authentication?


Last updated: Apr 12 2022 at 19:14 UTC