FHIR Chat · Epic backend services

Stream: smart

Topic: Epic backend services

Josh Mandel (Jan 11 2022 at 19:48):

Configuring my client at fhir.epic.com:

image.png

Do I need to provide a JWK if I'm also providing a JWKS URI, or is just one of these sufficient @adam strickland ?

adam strickland (Jan 11 2022 at 19:48):

Just one is sufficient

Josh Mandel (Jan 11 2022 at 20:22):

OK, I've successfully introspected a token!

{
  active: true,
  scope: 'patient/AllergyIntolerance.Read patient/AllergyIntolerance.read patient/Binary.Read patient/Binary.read patient/CarePlan.Read patient/CarePlan.read patient/CareTeam.read patient/Condition.Read patient/Condition.read patient/Device.Read patient/Device.read patient/DiagnosticReport.Read patient/DiagnosticReport.read patient/DocumentReference.Read patient/DocumentReference.read patient/Encounter.Read patient/Encounter.read patient/Goal.Read patient/Goal.read patient/Immunization.Read patient/Immunization.read patient/Location.Read patient/Location.read patient/Medication.Read patient/Medication.read patient/MedicationOrder.Read patient/MedicationRequest.Read patient/MedicationRequest.read patient/MedicationStatement.Read patient/Observation.Read patient/Observation.read patient/Organization.Read patient/Organization.read patient/Patient.Read patient/Patient.read patient/Practitioner.Read patient/Practitioner.read patient/PractitionerRole.Read patient/PractitionerRole.read patient/Procedure.Read patient/Procedure.read patient/Provenance.read patient/RelatedPerson.Read launch/patient',
  client_id: '077799c7-667d-47fe-acec-b0ca0eed5ad8',
  username: 'FHIRJASON',
  exp: 1641935957,
  sub: 'https://fhir.epic.com/interconnect-fhir-oauth/api/FHIR/R4/Patient/eD.LxhDyX35TntF77l7etUA3',
  iss: 'https://fhir.epic.com/interconnect-fhir-oauth/oauth2/token',
  jti: 'AD7C197B6FA14D4F945E4F233BFAFA8A',
  epic_user_type: 'WPR'
}

QQ @adam strickland: Scope suffixes for SMARTv1 should be lowercase, but I see a mixture of Read and read in this response -- is this a known issue?

Josh Mandel (Jan 11 2022 at 20:23):

(Also we discussed offline: the response doesn't yet include the standardized patient property t, but I'm working around this with sub for now.)

adam strickland (Jan 11 2022 at 20:25):

Hey Josh, yeah you'll see the mix of scope syntaxes if you have APIs of mixed FHIR versions chosen. We standardized the syntax for R4 (and maybe STU3?) but not DSTU2.

Josh Mandel (Jan 12 2022 at 18:38):

Here's the demo I've put together -- quick and dirty, but I had a chance to clean up the authz logic a bit: https://github.com/jmandel/smart-imaging-c10n-2022-01/tree/main/src

Main showstopping issue at this point is that the Epic MyChart approval screen has no way to prompt a user about whether they want to share imaging data. It'd be good to build out this support or some flexibility for Epic sites to add it as an extension within their own deployments.

Josh Mandel (Jan 12 2022 at 20:35):

Hmm, one strange behavior I'm seeing when I try to use a Backend Services token to resolve information about the Patient and user (RelatedPerson) associated with a launch:

Fetching "RelatedPerson" fails

curl https://fhir.epic.com/interconnect-fhir-oauth/api/FHIR/R4/RelatedPerson/e7HX4h-dgVCK1nrPaxurPiNMmumY.H07djk.qfouVJKE3 \
 -H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ1cm46b2lkOmZoaXIiLCJjbGllbnRfaWQiOiJlMjc0ODQ0NS03MmUzLTQxNjAtODAxMS0wZmE1MjZjNjE2YTUiLCJlcGljLmVjaSI6InVybjplcGljOk9wZW4uRXBpYy1jdXJyZW50IiwiZXBpYy5tZXRhZGF0YSI6IjhKR25rcDdxT3NyNkpZcWRiV004UExlSFg3Z2VJa3NWR25mM3RRaWo5bnF4ZXhXNjhfbFU4cGNnUGtFS0ZNbmtmVHZoc3ozNnUwWmdDWG5HUGY3bHdLVy1oZEx5c2ctbXh5YUlBeEhJVGxTaUk5TUpMZEw0TkRENDRPdnlvSW5aIiwiZXBpYy50b2tlbnR5cGUiOiJhY2Nlc3MiLCJleHAiOjE2NDIwMjMwMjIsImlhdCI6MTY0MjAxOTQyMiwiaXNzIjoidXJuOm9pZDpmaGlyIiwianRpIjoiMzVhZThlMjctYzc3Yi00MTNkLThjYTEtZGU1MWRlZWY5YjYxIiwibmJmIjoxNjQyMDE5NDIyLCJzdWIiOiJleGZvNkU0RVhqV3NuaEExT0dWRWxndzMifQ.fb8br2lWU8b2O8-EXAWzPEYHyjLgYqy9gNl8ooQ4D5h0SDG8v2n0skihNm7RbrZmN96dQ6ll0Aaj4W4wyH3eQpFj5UzIxkcboVJYHouBDY7FzTPukd3GMbHnyBqq9-moA4YRDsxnOssUNoMFBh8APzpf3Xf43eGYYiueyAnas7QMGMrjeWAzLMjkj6k7S1-ZfqTK2Y_qrJLbO0u6Uw7DRlEK784ORPH4dl4AqxlGVPgAjIm2m9hk0HDP9nRcUDFmvtzprNWVm6eYEhpgwpn0dKpxFeZlPxCNWH5NdbTZyfWPESVYJvn9x7QQlBa6pF9d5dx2gYErDOeTrnI95FmU3w"

<OperationOutcome xmlns="http://hl7.org/fhir"><issue><severity value="fatal" /><code value="processing" /><details><coding><system value="urn:oid:1.2.840.114350.1.13.0.1.7.2.657369" /><code value="4118" /><display value="The authenticated user is not authorized to view the requested data." /></coding><text value="The authenticated user is not authorized to view the requested data." /></details></issue></OperationOutcome>

Fetching "Patient" works

$ curl  https://fhir.epic.com/interconnect-fhir-oauth/api/FHIR/R4/Patient/evYS76EX6LLeCX2PlRLhvwg3 \
-H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ1cm46b2lkOmZoaXIiLCJjbGllbnRfaWQiOiJlMjc0ODQ0NS03MmUzLTQxNjAtODAxMS0wZmE1MjZjNjE2YTUiLCJlcGljLmVjaSI6InVybjplcGljOk9wZW4uRXBpYy1jdXJyZW50IiwiZXBpYy5tZXRhZGF0YSI6IjhKR25rcDdxT3NyNkpZcWRiV004UExlSFg3Z2VJa3NWR25mM3RRaWo5bnF4ZXhXNjhfbFU4cGNnUGtFS0ZNbmtmVHZoc3ozNnUwWmdDWG5HUGY3bHdLVy1oZEx5c2ctbXh5YUlBeEhJVGxTaUk5TUpMZEw0TkRENDRPdnlvSW5aIiwiZXBpYy50b2tlbnR5cGUiOiJhY2Nlc3MiLCJleHAiOjE2NDIwMjMwMjIsImlhdCI6MTY0MjAxOTQyMiwiaXNzIjoidXJuOm9pZDpmaGlyIiwianRpIjoiMzVhZThlMjctYzc3Yi00MTNkLThjYTEtZGU1MWRlZWY5YjYxIiwibmJmIjoxNjQyMDE5NDIyLCJzdWIiOiJleGZvNkU0RVhqV3NuaEExT0dWRWxndzMifQ.fb8br2lWU8b2O8-EXAWzPEYHyjLgYqy9gNl8ooQ4D5h0SDG8v2n0skihNm7RbrZmN96dQ6ll0Aaj4W4wyH3eQpFj5UzIxkcboVJYHouBDY7FzTPukd3GMbHnyBqq9-moA4YRDsxnOssUNoMFBh8APzpf3Xf43eGYYiueyAnas7QMGMrjeWAzLMjkj6k7S1-ZfqTK2Y_qrJLbO0u6Uw7DRlEK784ORPH4dl4AqxlGVPgAjIm2m9hk0HDP9nRcUDFmvtzprNWVm6eYEhpgwpn0dKpxFeZlPxCNWH5NdbTZyfWPESVYJvn9x7QQlBa6pF9d5dx2gYErDOeTrnI95FmU3w"

<Patient xmlns="http://hl7.org/fhir"><id value="evYS76EX6LLeCX2PlRLhvwg3" /> ...

@adam strickland my client scopes include "RelatedPerson.Read" in the Epic client config

image.png

Any idea about why I might be unauthoirzed?

adam strickland (Jan 12 2022 at 20:35):

Hey Josh, I think this is a bug. I'll look into this now!

adam strickland (Jan 12 2022 at 20:36):

@Cooper Thompson

Josh Mandel (Jan 12 2022 at 20:39):

Related context: if I get a backend services token and introspect that

Introspecting my own backend services token

{
  active: true,
  scope: 'system/AllergyIntolerance.Read system/AllergyIntolerance.read system/Binary.Read system/Binary.read system/CarePlan.Read system/CarePlan.read system/CareTeam.read system/Condition.Read system/Condition.read system/Device.Read system/Device.read system/DiagnosticReport.Read system/DiagnosticReport.read system/DocumentReference.Read system/DocumentReference.read system/Encounter.Read system/Encounter.read system/Goal.Read system/Goal.read system/Immunization.Read system/Immunization.read system/Location.Read system/Location.read system/Medication.Read system/Medication.read system/MedicationOrder.Read system/MedicationRequest.Read system/MedicationRequest.read system/MedicationStatement.Read system/Observation.Read system/Observation.read system/Organization.Read system/Organization.read system/Patient.Read system/Patient.read system/Practitioner.Read system/Practitioner.read system/PractitionerRole.Read system/PractitionerRole.read system/Procedure.Read system/Procedure.read system/Provenance.read system/RelatedPerson.Read',
  client_id: 'e2748445-72e3-4160-8011-0fa526c616a5',
  username: 'USCDIFHIR',
  exp: 1642023435,
  sub: 'https://fhir.epic.com/interconnect-fhir-oauth/api/FHIR/R4/Practitioner/exfo6E4EXjWsnhA1OGVElgw3',
  iss: 'https://fhir.epic.com/interconnect-fhir-oauth/oauth2/token',
  jti: '4AE6167F0BD443B8B691739F260AAEAE',
  epic_user_type: 'EMP'
}

... is it expected that the sub for this token is a Practitioner with "username" of "USCDIFHIR"?

adam strickland (Jan 12 2022 at 22:44):

Yep that’s expected. There is a background user associated with your client, and that’s the owner of your tokens

Last updated: Apr 12 2022 at 19:14 UTC

Main menu

FHIR Chat · Epic backend services · smart