FHIR Chat · OAuth-URIs Extension · smart

Stream: smart

Topic: OAuth-URIs Extension


Reece Adamson (Jul 15 2020 at 22:10):

The Issue

I have noticed that, with a recent update of the FHIR Validator, CapabilityStatements which list a revoke endpoint are now failing with the error:

FHIR Validation tool Version 5.0.12 (Git# b770fb8a2c35). Built 2020-07-07T02:30:50.915Z (8 days old)
...

Error @ CapabilityStatement.rest[0].security.extension[0].extension[2][url='revoke'] (line 36, col16) : Sub-extension url "revoke" is not defined by the Extension http://fhir-registry.smarthealthit.org/StructureDefinition/oauthshell

When I rolled back and tried with the 5.0.8 version I don't see this error or any other errors on CapabilityStatement.rest[0].security.extension[0]! I deleted my local ~/.fhir cache before each run to get a fresh slate.


Background

The SMART Application Launch Framework Implementation Guide 1.0.0 shows this example which includes revoke URLs:

{
  "resourceType": "CapabilityStatement",
...
  "rest": [{
   ...
      "security": {
        "service": [
          {
            "coding": [
              {
                "system": "http://hl7.org/fhir/restful-security-service",
                "code": "SMART-on-FHIR"
              }
            ],
            "text": "OAuth2 using SMART-on-FHIR profile (see http://docs.smarthealthit.org)"
          }
        ],
        "extension": [
          {
            "url": "http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris",
            "extension": [
              {
                "url": "token",
                "valueUri": "https://my-server.org/token"
              },
              {
                "url": "authorize",
                "valueUri": "https://my-server.org/authorize"
              },
              {
                "url": "manage",
                "valueUri": "https://my-server.org/authorizations/manage"
              },
              {
                "url": "introspect",
                "valueUri": "https://my-server.org/authorizations/introspect"
              },
              {
                "url": "revoke",
                "valueUri": "https://my-server.org/authorizations/revoke"
              }
            ]
          }
        ]

And the relevant extension that defines it (oauth-uris).

After doing some poking around I noticed that the base FHIR Spec also has an extension with the same URL (http://fhir-registry.smarthealthit.org/StructureDefinition/oauth-uris), but is missing the revoke and introspect subextensions. I do realize the SMART spec indicates the extension is for STU3, but it's a little confusing as to which one is correct seeing that they both share the same extension URL and folks are still using the IG for R4.

My guess is that the updated validator is using the base FHIR definition of the extension instead of the SMART version, but it's still complete conjecture at this point.


Question

I'm not sure if there is an issue with the validator here, part of the spec, or I'm just overlooking something (which happens a lot!). It seems like something is amiss here though...

Relevant Artifacts:

References and Links:

Reece Adamson (Jul 16 2020 at 11:21):

Testing again this morning, the issue seems to be no longer occurring. Not sure if this is related to some other issues recently reported (here and here).

Still interested in clarification between the two extension definitions though if anyone has any insight.

Yunwei Wang (Jul 17 2020 at 14:14):

@Josh Mandel

Reece Adamson (Jul 17 2020 at 14:15):

I had an incorrect link in my original post. To clarify:

The two (different) extension definitions with the same URL are:

The base FHIR version does not define the revoke or introspect subextensions.

Josh Mandel (Jul 17 2020 at 17:46):

The extension definition should provide a way to convey revoke and introspect. So from this perspective, the SMART IG is correct. I'm not sure why these extensions are repeated in the core FHIR release (it's... obviously an opportunity for things to get out of sync. @Grahame Grieve do you know how this linkage is established?)

Josh Mandel (Jul 17 2020 at 17:47):

(Also as a quick reminder, we're moving toward http://www.hl7.org/fhir/smart-app-launch/conformance/index.html#metadata in general; over time the plan is to deprecate the CapabilityStatement-based discovery of these endpoints.)

Grahame Grieve (Jul 20 2020 at 11:38):

not sure

Josh Mandel (Jul 20 2020 at 15:13):

OK -- for now we should be using the version from the SMART IG. (I submitted FHIR#28099 to address the out-of-sync content in the core spec.)


Last updated: Apr 12 2022 at 19:14 UTC