Stream: smart
Topic: Configuring the Smart on FHIR extension for Keycloak
Yannick Börner (Jul 13 2021 at 16:55):
Hi everyone,
I'm currently dipping my feet into Smart on FHIR, trying to secure a FHIR server and having an application write resources to it. My goal is the following: Open the application, authorize with the identity server and transmit Observations.
For this, I'm using the Keycloak extensions for FHIR and a Firely Server. This is what I have done so far:
- iOS App is developed
- Setup Firely Server
- Setup KeyCloak
- Add KeyCloak Smart on FHIR extension to Keycloak instance
- Connect Firely Server and KeyCloak
- The login window (Keycloak) and callback to the iOS application works! (yay)
At this point however, the patient context picker as seen here is not visible to me. I suspect that I am doing/understanding something wrong with regards to configuration. In general, this is a standalone launch sequence, my current scope is openid (Is this correct?). The resulting question:
How do I configure the SMART on FHIR extension for keycloak in order to achieve the workflow as outlined above?
Big thanks to @Lee Surprenant at this point for his work on the extension!
Lee Surprenant (Jul 13 2021 at 17:40):
How do I configure the SMART on FHIR extension for keycloak in order to achieve the workflow as outlined above?
A few options:
- manually configure a keycloak realm
- use the keycloak-config project (in the same repo)
- automate the config some other way (e.g. via standard realm import)
Lee Surprenant (Jul 13 2021 at 17:41):
I initially tried number 3, but it never worked well for me and so I helped build 2 (with a couple colleagues)
Lee Surprenant (Jul 13 2021 at 17:42):
did you try one of these 3 yet?
Yannick Börner (Jul 15 2021 at 07:32):
Lee Surprenant said:
did you try one of these 3 yet?
Hi Lee, yes, I tried number 2 which populates the keycloak instance with scopes and one realm I believe. Where I am struggling a bit is the next step. Do I need a patient resource per patient on the server and a user in Keycloak or is the patient sufficient?
Yannick Börner (Jul 15 2021 at 07:45):
It turns out that my assumption that the patient context picker will show up in any case is wrong. It will only show up when there are multiple resourceIds supplied, right?
Yannick Börner (Jul 15 2021 at 07:49):
And the final question: I tried to get an 'admin' user working that is capable of reading and writing to all resources on the server. I created the scope user/*.* for that purpose. Simply requesting a token with this scope did not bear any fruits however. Have you done this before?
Yannick Börner (Jul 15 2021 at 07:49):
Sorry for all of the questions!
Lee Surprenant (Jul 20 2021 at 16:57):
It will only show up when there are multiple resourceIds supplied, right?
Correct. No need to select "which patient" if there's only one the user has access to.
I created the scope user/*.* for that purpose. Simply requesting a token with this scope did not bear any fruits however. Have you done this before?
Did you get this working yet? I was more focused on the patient/ scopes and launch context for this project, so hadn't gotten around to the user/ ones yet. That said, I think it's just a matter of associating the scopes with the client app. If using keycloak-config, you could add them to the following list so that they will be associated with each client when it gets registered: https://github.com/Alvearie/keycloak-extensions-for-fhir/blob/main/keycloak-config/src/test/resources/keycloak-config.json#L464-L491
note: for clients that already exist, you might need to manually add the new scopes since the defaults only apply when it's first created.
Last updated: Apr 12 2022 at 19:14 UTC