FHIR Chat · SMART on FHIR EHR Launch flow · smart

Stream: smart

Topic: SMART on FHIR EHR Launch flow


view this post on Zulip Kalyan Dasika (Oct 21 2021 at 21:35):

Hi All,

We are building a proof of concept, to launch a SMART app, from within our EHR. (EHR launch sequence). We use Keycloak as the Authz server. We are blocked on 2 aspects of this flow.

  1. At the point of launching the SMART app, the user is authn'd and authz'd and we have a patient in context in the EHR. We are seeding the SMART app with a launch parameter (a launch code that has knowledge of the EHR context) and the FHIR resource server URL. The expectation is that when tokens are being issued (by Keycloak) we would see the patient_id as one of the properties in the JSON. We are seeing tokens issued. I was expecting to have access to that launch code at the point of setting claims or transforming the access token response, but cannot find a way to do that.

  2. I created a custom user attribute mapper to transform the token response to include the patient_id (even hard-coding is fine at this point), but I just cannot seem to see it in the output. I also tried with a custom OIDCProtocolMapper, same results.

I'm totally missing something at this point. Any inputs are highly appreciated.

view this post on Zulip Josh Mandel (Oct 21 2021 at 21:39):

These sound like keycloak questions; I wonder if @Lee Surprenant might have insight

view this post on Zulip Lee Surprenant (Oct 22 2021 at 12:01):

Hi Kalyan, did you have a look at https://github.com/Alvearie/keycloak-extensions-for-fhir yet?

view this post on Zulip Lee Surprenant (Oct 22 2021 at 12:01):

I haven't done much with the EHR launch sequence, but maybe the work I did to support standalone app launch could be informative

view this post on Zulip Kalyan Dasika (Oct 22 2021 at 16:21):

@Lee Surprenant Thank you for that link. Yes it is very informative. With the help of your project and Niko's videos I am able to make some progress on step 2. I was able to use this call,

accessTokenResponse.setOtherClaims(mappingModel.getConfig().get("claim.name"), "SOME_PATIENT_ID2");

in the overridden setClaim method, the one that has AccessTokenResponse, and now the patient property shows in the token response payload as a top-level property (not as a claim in the JWT token) as shown in the sequence diagrams here http://hl7.org/fhir/smart-app-launch/index.html. I can make an additional call to get the patient in context from the EHR database (from the authz server) for the EHR user associated with the Keycloak session to get the actual patient id.

But to get that EHR state look up, I would really like to make use of the launch parameter that initiates this EHR launch sequence. That is getting lost somewhere in the flow, and by the time it gets to token issue time, I don't have that anywhere. Any ideas on this front, on how other authz servers are keeping track of the launch parameter, would be greatly appreciated.

view this post on Zulip Kalyan Dasika (Oct 27 2021 at 16:39):

Lee Surprenant said:

I haven't done much with the EHR launch sequence, but maybe the work I did to support standalone app launch could be informative

I have a question regarding the standalone launch project you have on GitHub.

How did you get the patient ids for selection?

I see that there is a resourceId attribute set up for the user, but did not quite follow where in the flow the patient ids get set prior to looking up the resource server for selection. I'm assuming that it's a space-separated string of ids.

view this post on Zulip Lee Surprenant (Oct 27 2021 at 17:23):

Hi Kalyan. Yes, the assumption is that this happens out-of-band somehow and we have that id. It's possible to do otherwise, but obviously you need to start with SOMETHING that could get you to the resource id(s).

view this post on Zulip Lee Surprenant (Oct 27 2021 at 17:25):

I'm assuming that it's a space-separated string of ids.

correct

view this post on Zulip Kalyan Dasika (Oct 27 2021 at 20:12):

@Lee Surprenant thank you

view this post on Zulip Kalyan Dasika (Nov 03 2021 at 20:54):

@Lee Surprenant Thank you so much for sharing your work in the github project. It provided enough ideas for us to implement both the EHR launch and Standalone launch proof of concepts.

view this post on Zulip Grey Faulkenberry (Dec 08 2021 at 14:50):

Could I follow up on this question? I'm having a little trouble understanding how to pull information from the context of a SMART on FHIR EHR launch. I can perform an external launch with authentication without issue, but in these cases, I have a patient ID or I search for it. However, my understanding is that with an EHR launch, this information is somehow passed through the context of the launch, and not something that must be known a priori.

I think this example on the HL7 website is where I get stuck. I can authenticate, including getting the access token, and then write to the server. But in the box "Issue POST to the token endpoint:" where does the patient ID come from?

view this post on Zulip Josh Mandel (Dec 08 2021 at 14:53):

The EHR sends along an opaque parameter called launch (i.e., as a query param) to the app when it opens the app's launch endpoint. The app echoes this parameter back when it redirects to the EHR's "authorize" endpoint. The EHR uses this value to tie the session together and based on this value it knows how to populate the patient and any other required context in the access token response (if access is indeed granted).

view this post on Zulip Josh Mandel (Dec 08 2021 at 14:54):

The example you pointed to is showing a standalone launch, so it does not demonstrate this parameter. http://www.hl7.org/fhir/smart-app-launch/app-launch.html#request-2 is the source of truth and includes an example.

view this post on Zulip Grey Faulkenberry (Dec 08 2021 at 16:52):

@Josh Mandel Haha! That's exactly what I needed. And then currently, the only 2 contexts that are generally used are launch/patient and launch/encounter? (with the understanding there may be more in the future)

view this post on Zulip Josh Mandel (Dec 08 2021 at 19:41):

Yes, that's right.

view this post on Zulip Michael Albrecht (Dec 19 2021 at 01:08):

Hello, I'm a physician who makes apps as a hobby and I'm new to FHIR development. I've been through the HL7 FHIR Intermediate course. However, I'm not understanding something. If I want to make a third-party app that allows patients access to their data, how can the patient set up a username and password to access their specific EHR data? Can someone walk me through this?

view this post on Zulip Josh Mandel (Dec 19 2021 at 01:14):

They set that up with a healthcare provider, using their portal (e.g., MyChart from Epic)

view this post on Zulip Josh Mandel (Dec 19 2021 at 01:15):

As an app, you don't see these usernames or passwords; the OAuth workflow keeps those away from you

view this post on Zulip Michael Albrecht (Dec 19 2021 at 01:16):

So the patient would have to access any app that I create from their portal? I really just want them to login from my app.

view this post on Zulip Josh Mandel (Dec 19 2021 at 01:17):

It's a bad security prospect to force users to share their EHR password with anyone though -- you can see why this is the case?

view this post on Zulip Michael Albrecht (Dec 19 2021 at 01:19):

@Josh Mandel. I'm a newbie trying to understand how this would work. The patient logs into their portal. How then do they access the app?

view this post on Zulip Josh Mandel (Dec 19 2021 at 01:23):

https://youtu.be/vYZ2G8hx6DY at 11 min has a demo from my personal portal account

view this post on Zulip Michael Albrecht (Dec 19 2021 at 01:38):

Thank you! I will watch the full video later. I will be trying to figure this out for the Meditech EHR, which is what my hospital uses.

view this post on Zulip Josh Mandel (Dec 19 2021 at 01:40):

Sure, the workflow with Meditech will be the same as with Epic, Cerner, etc

view this post on Zulip Michael Albrecht (Dec 19 2021 at 01:42):

Did you have to contact Epic to find the tools to set up this workflow? I sent a request earlier today to get started with Meditech Greenfield. I didn't see a way for developers to get started with Meditech otherwise.

view this post on Zulip Josh Mandel (Dec 19 2021 at 01:53):

There shouldn't be a cost, but you'll need to register with the EHR as a developer to create a patient-facing app.

view this post on Zulip Michael Albrecht (Dec 19 2021 at 01:55):

Thank you for clearing this up for me.


Last updated: Apr 12 2022 at 19:14 UTC