Stream: smart
Topic: HL7 Australia localization of SMART App Launch
Brian Postlethwaite (Jul 20 2021 at 06:52):
A first draft of a proposed HL7 Australia Profile is now available here:
https://confluence.hl7australia.com/display/PA/FHIR+SMART+App+Launch+Australian+Profile+-+EHR+Launch
Along with a walkthrough illustrating it in action:
https://confluence.hl7australia.com/display/PA/FHIR+SMART+App+Launch+Walkthrough
This is not intended to change the base SMART stuff, but refine usage, digital certificates used in Australia (which have an organizational identifier in them, and are widely used), and how to access practitionerRole data to get at the most commonly used practitioner identifier (which is at the location level, not on the practitioner).
Any feedback on these will be welcomed.
Isaac Vetter (Jul 26 2021 at 17:46):
For developers writing confidential apps now (without legacy SMART support), the SMARTv2 defined capability of "client-confidential-asymmetric" should definitely be used. It's just better security.
Isaac Vetter (Jul 26 2021 at 17:48):
We went for a few years without OIDC support as part of our OAuth2/SMART server and it was a bit painful. It'll be easier/better in the long run to require OIDC out of the box. It's necessary for more advanced federation scenarios or complex app architectures, and consistently a strong recommendation from identity architects.
Brian Postlethwaite (Aug 11 2021 at 10:35):
@Josh Mandel, @Gino Canessa, @Isaac Vetter just seeking an opinion on the extra claim in the id_token having the PractitionerRole or practitionerrole or practitionerRole claim (case sensitivity question).
Australian documentation has pR, my code has pr.
Brian Postlethwaite (Aug 11 2021 at 10:37):
(code not in prod yet, so can change either relatively easily)
Josh Mandel (Aug 11 2021 at 15:01):
In our launch context requests we settled on all lowercase (for context based on resources). But I don't have a strong opinion.
Brian Postlethwaite (Aug 11 2021 at 20:07):
(phew, that's what the sample code has, so I'll arbitrarily select to go with you and update the documentation - and that's quicker)
Brian Postlethwaite (Aug 11 2021 at 20:33):
I've written a test SMART App that can assist in debugging your SMART host...
https://smartqedit4.azurewebsites.net/ts/Tester/smart-launch.html
Try it out here:
https://launch.smarthealthit.org/ehr.html?app=https%3A%2F%2Fsmartqedit4.azurewebsites.net%2Fts%2FTester%2Fsmart-launch.html%3Flaunch%3DeyJhIjoiMSIsImUiOiI2MGM5ZmU2My1kOWU2LTRlNWUtOGQ1Yy1mOTFiN2ZjNzU0MTkiLCJmIjoiMSJ9%26iss%3Dhttps%253A%252F%252Flaunch.smarthealthit.org%252Fv%252Fr4%252Ffhir&user=60c9fe63-d9e6-4e5e-8d5c-f91b7fc75419
Brian Postlethwaite (Aug 11 2021 at 20:36):
And using it I notice that the profile/fhirUser properties in the launch.smarthealthit.org test host don't have full URLs for the practitioner - should they?
{
  "profile": "Practitioner/60c9fe63-d9e6-4e5e-8d5c-f91b7fc75419",
  "fhirUser": "Practitioner/60c9fe63-d9e6-4e5e-8d5c-f91b7fc75419",
  "aud": "16cbfe7c-6c56-4876-944f-534f9306bf8b",
  "sub": "c39e6e5f8ba2fb8c105ebe5d7e778412d43bd7ceceb3bcc569ea6b75928a535d",
  "iss": "https://launch.smarthealthit.org/v/r4/fhir",
  "iat": 1628714028,
  "exp": 1628717628
}
Josh Mandel (Aug 11 2021 at 21:07):
We specify that they can be absolute, or relative to the "aud" server for a given launch.
Josh Mandel (Aug 11 2021 at 21:08):
(Clarified this in the latest SMARTv2 block vote.)
Brian Postlethwaite (Aug 11 2021 at 21:45):
Relative to the auth server, will correct that in my code then. Thanks.
Josh Mandel (Aug 11 2021 at 23:26):
Relative to the FHIR resource server passed into the authorization endpoint as aud.
Brian Postlethwaite (Aug 12 2021 at 02:53):
Cool, then I'm all good already then - thanks for the clarification.
Last updated: Apr 12 2022 at 19:14 UTC