Stream: smart
Topic: SMARTv2 Connectathon, Jan 2021
Josh Mandel (Jan 07 2021 at 21:11):
If you're participating in the SMARTv2 Connectathon track next week, please fill out the sign up sheet (and add to the "Servers and Clients" tab).
Josh Mandel (Jan 08 2021 at 23:12):
We've got the basics for Scenario 0-5 up and running at https://smart.argo.run/ (or, I hope we do -- I expect these updates will benefit from testing with y'all, in addition to our automated tests :-))
Josh Mandel (Jan 11 2021 at 17:54):
In case of any confusion about our schedule for the connectathon, here is the schedule we're planning:
- Wed 9a PT (12p ET). No meeting, but this is the target time for servers to be up, running, endpoints documented; stay online through the weekend or indefinitely
- Thu 8a PT (11am ET). Meet at gather.argo.run (password: "fhir") -- introductions, discuss plans / goals for the connectathon
- Thu 2p PT (5pm ET). Meet at gather.argo.run (password: "fhir") -- soft wrap for the day, share experiences, blockers
- Fri 8a PT (11am ET). Meet at gather.argo.run (password: "fhir") -- blockers, any hot topics
- Fri 2p PT (5p ET). Meet at gather.argo.run (password: "fhir") -- impressions, conclusions, next steps
Josh Mandel (Jan 11 2021 at 17:54):
(This is reflected on Confluence but not yet in the Whova schedule.)
Max Philips (Jan 13 2021 at 16:31):
It looks like perhaps the 'Additional Notes' column on that 'endpoints documented' spreadsheet wasn't cleared out since last connectathon? Any objections if I wipe it?
Josh Mandel (Jan 13 2021 at 16:56):
No objections!
Josh Mandel (Jan 13 2021 at 16:56):
Thanks.
John Moehrke (Jan 13 2021 at 17:07):
we are waiting for you @Josh Mandel
John Moehrke (Jan 13 2021 at 17:07):
the beer is flat
Josh Mandel (Jan 13 2021 at 17:08):
Haha, that's what I get for making the gather available before the official start of the event :-)
John Moehrke (Jan 13 2021 at 17:09):
I think now is your event time
Josh Mandel (Jan 13 2021 at 17:09):
I just put this time on the calendar to remind server developers to make sure their server is up, not for a group meeting. But I'll drop in momentarily.
John Moehrke (Jan 13 2021 at 17:09):
oh
John Moehrke (Jan 13 2021 at 17:09):
that was not clear
Josh Mandel (Jan 13 2021 at 17:09):
If you scroll up here, you'll see "No meeting"
John Moehrke (Jan 13 2021 at 17:09):
we are all calling for a Town Crier
Max Philips (Jan 13 2021 at 17:10):
Spreadsheet is updated with Cerner's info and barring any bugs I've introduced everything should be up and testable. I could not update this document for Cerner's test server however: https://confluence.hl7.org/display/FHIR/Test+Servers (asked about getting access in connectathon mgmt)
Josh Mandel (Jan 13 2021 at 17:22):
Thanks Max! And thanks everyone for checking out the "gather" -- that was super fun to see the turn-out even for our "non-meeting" :p
Josh Mandel (Jan 13 2021 at 17:22):
If anyone hits a limit and can't join the gather, please ping me here; I haven't signed up for a "full plan" because we were expecting <25 participants.
Josh Mandel (Jan 13 2021 at 17:22):
(If needed, I'll hit the upgrade button.)
Greg White (Jan 13 2021 at 22:04):
Quick Question - Wondering if security labels and/or other metadata tags are being leveraged to facilitate granular access permissions in the SMARTv2 testing
Josh Mandel (Jan 13 2021 at 22:37):
The "scope language" allows any query params to be attached to a granular scope, so _security= or _tag= can be applied. We tested these a bit at the 2020-09 connectathon, but we're not testing them explicitly this week. (We're focused this week on category-based scopes, plus a slew of other non-scope-related features of SMARTv2.)
Brian Postlethwaite (Jan 14 2021 at 00:38):
The Windows Legacy App support for FHIR Smart App Launch has progressed quite well, and is almost ready for NuGET packaging if anyone is interested in taking a peek at it and trying things out.
https://github.com/brianpos/smart-on-fhir
(Windows App being the launching host)
Greg White (Jan 14 2021 at 02:13):
Very helpful, thanks Josh
Gino Canessa (Jan 14 2021 at 15:46):
PSA: @Josh Mandel updated the server (http://smart.argo.run) and I've updated the client (https://smart.argo.run/granular/ , link shows on launcher if you have a 'standalone' launch selected) to test current scenarios - PKCE, POST-based auth flow, and token introspection.
The server-side features are available per the spec.
On the client, there are two checkboxes under the Client ID field, which are informationally named Use PKCE and Use POST, which turn on those features. At the bottom of that card, there are two new buttons as well: Get SMART Config, which fetches the .well-known configuration, and Introspect Token, which uses the introspection url and displays the results. Token introspection is currently only available after going through an auth flow, and uses the URL fetched during that process.
I'll try to pop into the gather space as much as possible, but will be mostly in the Subscriptions track. Feel free to @ or PM me (or pop in there) with any issues or requests. Happy Connectathon-ing, cheers!
Josh Mandel (Jan 14 2021 at 16:06):
http://build.fhir.org/ig/HL7/smart-app-launch/
Josh Mandel (Jan 14 2021 at 16:07):
http://build.fhir.org/ig/HL7/smart-app-launch/scopes-v2-wip.html
Josh Mandel (Jan 14 2021 at 16:07):
http://build.fhir.org/ig/HL7/smart-app-launch/token-introspection.html
Josh Mandel (Jan 14 2021 at 16:07):
Tracking sheet: https://docs.google.com/spreadsheets/d/1No3gg2xpvnBGHzPuYlirGBfuufGobp8_SVpIhGg9Ipc/edit#gid=1995302742
Josh Mandel (Jan 14 2021 at 16:10):
Nick Steinwachs (Jan 14 2021 at 16:10):
order seems the same, FYI.
Jake Fisher (Jan 14 2021 at 16:35):
@Gino Canessa - Any way you could default Accept: application/json for the /.well-known/smart-configuration request? We are currently returning XML for Accept: */* which the test client is not expecting.
Josh Mandel (Jan 14 2021 at 16:47):
Question came up about "Why don't we support the implicit flow?" See https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16#section-2.1.2 @Artem Sopin
Josh Mandel (Jan 14 2021 at 16:50):
For backend services, you want http://build.fhir.org/ig/HL7/bulk-data/branches/new-ig-template/authorization.html
Josh Mandel (Jan 14 2021 at 16:54):
@Gino Canessa added prototype SMARTv2 support in https://github.com/microsoft-healthcare-madison/client-js (will merge back into SMART when stable/ready)
Gino Canessa (Jan 14 2021 at 16:55):
@Jake Fisher for the button-press, or for the configuration loading as part of the workflow?
Jake Fisher (Jan 14 2021 at 17:05):
@Gino Canessa - I guess both? I've only tried the button press and it's not working because we're returning XML. Haven't tried the full workflow yet because we're waiting on our patient portal to be set up for this environment so we can't redirect to the login page yet.
Gino Canessa (Jan 14 2021 at 17:58):
@Jake Fisher , pushing now and should be available in a few minutes. The library had it set by default already, so it's just the ui-button one that needed changes.
Josh Mandel (Jan 14 2021 at 18:38):
@Michael Cox I see you added a server to our spreadsheet, thanks! Is this server supporting the SMARTv2 scenarios? (From the config endpoint I don't think so, but just wanted to double check if you're set up for our test scenarios.)
Josh Mandel (Jan 14 2021 at 18:41):
@adam strickland and @Jake Fisher just want to double check that you're still working on getting a patient login configured? Would love to test when this is ready.
Josh Mandel (Jan 14 2021 at 18:45):
@Max Philips just for visibility here -- thanks for helping get the SMART demo client registered. Will look forward to testing when you've got the registration ready.
Jake Fisher (Jan 14 2021 at 19:23):
@Josh Mandel we have a patient login and patient portal set up now (details in the google doc). But when I try to use the smart.argo.run it's not working so I'm troubleshooting that right now.
Update - appears to be an issue on our end redirecting to the login page. Should have this fixed soon.
Keller Martin (Jan 14 2021 at 19:58):
@Josh Mandel I'm currently making requests to your provided server with the scope patient/Observation.r. Using the fhir-client, I'm requesting what I think is just read rights to this resource: client.patient.request("Observation"). But I'm getting "Error": "Request too wide for granted scopes". When I use the v1 scope patient/Observation.read, I'm able to return data. Am I doing something wrong on the request?
Jake Fisher (Jan 14 2021 at 19:58):
@Josh Mandel our patient facing launch should be working now.
Josh Mandel (Jan 14 2021 at 20:06):
When I use the v1 scope patient/Observation.read, I'm able to return data. Am I doing something wrong on the request?
Thanks for the report. Can you send me a note with your access token so I can take a look?
Josh Mandel (Jan 14 2021 at 20:06):
Jake Fisher: @Josh Mandel our patient facing launch should be working now.
Thanks!
Gino Canessa (Jan 14 2021 at 20:07):
@Keller Martin , I believe when I added that call, I set the checks to make sure you are not asking for things beyond your scope. Can you try asking for the patient that is in scope only?
edit: this applies to only the v2 scopes, but it looks like it checks to make sure the request includes enough restrictions to satisfy the request. I did it that way since otherwise it is very difficult to check the various tags (e.g., if it auto-fills in the difference, you won't see failures).
Jake Fisher (Jan 14 2021 at 20:08):
@Josh Mandel The token introspection from smart.argo.run isn't working against our server. Looks like that's because you're using Content-Type: application/x-www-form-urlencoded. We're expecting JSON for that endpoint (see the Google Doc I linked from the server/client info sheet).
Keller Martin (Jan 14 2021 at 20:11):
@Gino Canessa I think that I'm requesting for only the patient in scope, but I'm new enough to not be 100% sure. Here is the GET: Observation?patient=689892bd-dcbe-41fc-8651-38a1d0893854
Keller Martin (Jan 14 2021 at 20:12):
@Josh Mandel Sent you one of my access tokens, thanks.
Gino Canessa (Jan 14 2021 at 20:13):
@Jake Fisher , in RFC 7662, it defines that the POST uses application/x-www-form-urlencoded. I could put in an option to bypass for testing if you need it, but it wouldn't be compliant.
Gino Canessa (Jan 14 2021 at 20:19):
@Keller Martin odd, let me check.
Josh Mandel (Jan 14 2021 at 20:30):
When I use the v1 scope patient/Observation.read, I'm able to return data. Am I doing something wrong on the request?
@Keller Martin thanks for sharing that access token. Looking inside, I see:
"scope": "launch online_access openid profile fhirUser user/*.read launch/patient patient/Observation.r"
So I think the issue is that in v2 you need patient/Observation.rs (not patient/Observation.r, which you've requested -- and which won't allow searches)
Gino Canessa (Jan 14 2021 at 20:31):
Josh to the rescue!
Jake Fisher (Jan 14 2021 at 20:34):
@Gino Canessa - nevermind that wasn't the problem. We have our server load balanced and the config isn't matching on both servers. Token introspection is working on one and not the other. I'll make sure both are correct and application/x-www-form-urlencoded should work too. Note that we do require Bearer token auth for the token introspection on this server - I think that's causing some requests to fail too.
Michael Cox (Jan 14 2021 at 20:35):
Josh Mandel said:
Michael Cox I see you added a server to our spreadsheet, thanks! Is this server supporting the SMARTv2 scenarios? (From the config endpoint I don't think so, but just wanted to double check if you're set up for our test scenarios.)
Hey Josh! Yes you are correct we are not quite up to the v2 request as per that link you shared. But we want to get there asap, I think we are close!
Should we basically catch up to the requested items in the listed field for
"Scenario 0: capabilities[] with "permission-v2", "authorize-post", code_challenge_methods_supported[] with "S256", introspection_endpoint ""
And be good to go?
We are currently fully passing Inferno tests for UScore but that is for the inferno program edition, nothing to do yet with SMARTv2
Josh Mandel (Jan 14 2021 at 20:48):
Cool! If you add those fields to your introspection discovery endpoint and support the capabilities described by those fields, then you're ready to go ;-)
Michael Cox (Jan 14 2021 at 21:20):
Josh Mandel said:
Cool! If you add those fields to your introspection endpoint and support the capabilities described by those fields, then you're ready to go ;-)
I'm a little confused - you said add fields to my introspection endpoint... you mean I add those fields to my well-known/smart-config JSON, right?
Gino Canessa (Jan 14 2021 at 21:24):
@Jake Fisher for the introspection auth header, which token is required?
Jake Fisher (Jan 14 2021 at 21:37):
@Gino Canessa a valid access token for a client scoped for the token introspection endpoint. For this smart.argo.run app, it'll just be the same token you're introspecting.
Gino Canessa (Jan 14 2021 at 21:41):
@Jake Fisher sounds good, it's pushing now so should be available in a few minutes.
Josh Mandel (Jan 14 2021 at 22:01):
We're about to check in at http://gather.argo.run for the afternoon
Josh Mandel (Jan 14 2021 at 22:07):
PKCE spec is at https://tools.ietf.org/html/rfc7636
Josh Mandel (Jan 14 2021 at 22:07):
http://build.fhir.org/ig/HL7/smart-app-launch/#considerations-for-pkce-support
Josh Mandel (Jan 15 2021 at 15:58):
Good morning, all! We'll be doing a quick "day 2 check-in" at http://gather.argo.run in 2min
Josh Mandel (Jan 15 2021 at 15:59):
Please bring any "hot topics" or "discovered issues" that you want to discuss :)
Brian Postlethwaite (Jan 15 2021 at 17:00):
Thanks for the great rundown this morning, do we have any finger in the air estimates on when we think scopes v2 might land?
(looking for information to help guide which way I push local Australian implementations)
Josh Mandel (Jan 15 2021 at 17:59):
My hope is: we move the draft material to FHIR-I + Security WG, and file the paperwork to bring this into the May ballot cycle. That's a best-case scenario and I should CC @Brett Marquard because I will definitely need help to stay on top of this.
Brian Postlethwaite (Jan 15 2021 at 18:09):
Thanks, so for my needs I think sticking with v1 is the best approach, with our extensions inline with the v2 concepts and keep others informed of the transition that will need to occur into the future.
Keller Martin (Jan 15 2021 at 19:58):
@Josh Mandel Getting an Internal Server Error from the token endpoint for smart.argo.run https://smart.argo.run/v/r4/auth/token. I'm trying to validate the PKCE code challenge. This is the correct endpoint to hit for this, right?
Josh Mandel (Jan 15 2021 at 20:02):
Can you say more about why authorize-post would be optional? It was the solution to our biggest problem involved in introducing granular scopes (unbounded URL length), and it's also a SHALL level requirement in OpenID Connect Core.
Josh Mandel (Jan 15 2021 at 20:03):
(I'll put the same note in the GH issue if you prefer to discuss there!)
Brian Postlethwaite (Jan 15 2021 at 20:29):
Anyone interested in a quick demo of the Legacy App FHIR Smart App Launch project?
i.e. Old Windows App -> Smart On FHIR Web app (in my case and SDC forms app)
Josh Mandel (Jan 15 2021 at 20:31):
I would love to see a demo (and record for posterity if it's OK with you) but I'm probably swamped this afternoon. If you're game to repeat down the line, that'd be awesome.
Josh Mandel (Jan 15 2021 at 21:57):
We'll do our wrap-up session in a few minutes, at http://gather.argo.run
Brian Postlethwaite (Jan 15 2021 at 22:02):
where did that laptop go?
Brian Postlethwaite (Jan 15 2021 at 22:04):
And thanks for creating a report out session table Travis!
Keller Martin (Jan 15 2021 at 22:13):
@Josh Mandel PKCE info from my most recent request:
code_verifier: a6f193cfa32b37020e927582d6c6a6a8e33e5af512a19fb2de1831bd
code_challenge: Wi717QuV_kzsrGlQRRtmkKktR1LdS5XNeAgTmUcdBoQ
Josh Mandel (Jan 15 2021 at 22:37):
Well that was a perfect time for the internet connection on my desktop to die :-) anyway it's been a blast working with you all this week.
Keller Martin (Jan 15 2021 at 22:37):
Using this tool, it looks like this is correct? https://example-app.com/pkce
Max Philips (Jan 15 2021 at 22:39):
thanks @Josh Mandel for leading this track!
Josh Mandel (Jan 15 2021 at 22:42):
@Keller Martin that challenge/verifier pair looks good to me, although I will note that your verifier appears to have less than the recommended 32 bytes of entropy assuming this is generated as a hexadecimal random value.
Josh Mandel (Jan 15 2021 at 22:43):
If you have a way to share the complete submission of your request of a token API endpoint, that would be awesome, for next steps in debugging. (Another thing we can do is just make sure that we are returning a stack Trace in the debug response; I assume you are not getting a factory currently?)
Keller Martin (Jan 15 2021 at 22:50):
{
method=POST,
url=https://smart.argo.run/v/r4/auth/token,
headers=
[Content-Type:application/x-www-form-urlencoded,
Accept:application/json,
Authorization:Bearer <access_token>,
Connection:keep-alive,
cache-control:no-cache]
body={
'code': <access_token>,
'grant_type': 'authorization_code',
'client_id': <client_id>,
'redirect_uri': <uri>,
'code_verifier': <code_verifier>
}
}
Keller Martin (Jan 15 2021 at 22:51):
Let me know if it would help to have any of the redacted data - was trying to make it easier to read.
Keller Martin (Jan 15 2021 at 22:52):
The response is just html - seems like I'm hitting an uncaught error:
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Internal Server Error</pre>
</body>
</html>
Josh Mandel (Jan 15 2021 at 22:55):
There are two things here I find surprising. You shouldn't have a bearer token in the authorization header, and the body's code value should include an authorization code not an access token, but I am expecting that might just be a typo in your redaction.
Keller Martin (Jan 15 2021 at 23:00):
I was a bit confused by the token type. That should be Basic, right? I wasn't sure what the Basic token value should be. I'm also unsure what the authorization code is - I assumed it was referring to the access token. Although I was confused why I would have that in the header AND the body. So that makes sense that that was incorrect.
Keller Martin (Jan 15 2021 at 23:02):
I think I see how I misunderstood this.
code REQUIRED. The authorization code received from the authorization server.
I was thinking this was from the original authorize request. Is this referring to a separate endpoint? (https://smart.argo.run/v/r4/auth/authorize) I have thought up until this point that those were the same endpoints.
Josh Mandel (Jan 16 2021 at 00:28):
The code is the return value, from after you redirect to the authorize endpoint and the endpoint redirects back to you.
Last updated: Apr 12 2022 at 19:14 UTC