Stream: smart
Topic: September 2020 Connectathon
Gino Canessa (Aug 06 2020 at 21:44):
I'm working through the scenarios for the Granular Controls Track and thought we needed a slightly lower bar than the minimum we had listed. I added a draft for 'Scenario 0' - checking that the scopes work on Resource.operation mask, without any additional tagging. Feedback encouraged!
Isaac Vetter (Aug 07 2020 at 04:21):
I saw scenario 0 earlier today and immediately recognized it as a great idea, Gino! I'd suggest that scenarios 3 and 4 are what need additional thought.
Gino Canessa (Aug 11 2020 at 18:28):
No worries Isaac, just working my way down the list (want to make sure the core works first).
Gino Canessa (Aug 11 2020 at 18:29):
Along those lines - I've noticed that including the system in the tags is annoying to work with since there's already a use for the / as a separator. Not impossible, but thought I'd note those kinds of things.
Chuck Feltner (Aug 18 2020 at 20:30):
In the Connectathon scenarios, where are the ".rs" and ".crs" parts of the scopes defined?
Josh Mandel (Aug 18 2020 at 20:34):
Nowhere! Good point. We'll be adding docs. They are subsets of the letters in c r u d s -- so rs indicates read and search; crs indicates create read and search.
Chuck Feltner (Aug 18 2020 at 20:44):
Great. Thanks for the clarification.
Josh Mandel (Aug 18 2020 at 20:59):
Just wrote up some quick notes at https://github.com/HL7/smart-app-launch/blob/master/spec/scopes-and-launch-context/scopes-v2.md#draft-api-additions-for-smart-scopes-v2-work-in-progress and will link to these from the connectathon track. Feedback would be most welcome :-)
Chuck Feltner (Aug 28 2020 at 15:18):
Do the finer-grained resource constraints (e.g., category) only apply to the search access, since search is the only operation that uses query parameters? So "patient/Observation.rs?category==laboratory" would allow searching only on category=laboratory and reading any observation?
GET Observation?category==laboratory (allowed)
GET Observation/3 (allowed)
GET Observation?category==vital-signs (unauthorized)
GET Observation?code=789-8 (unauthorized)
Josh Mandel (Aug 28 2020 at 16:22):
They're intended as overall policies, so you could request patient/Observation.rs?category=laboratory and your reads would be limited to labs too.
Josh Mandel (Aug 28 2020 at 16:23):
Note that your examples above have "==" in some places where I think you meant "=".
Chuck Feltner (Aug 28 2020 at 17:27):
Thanks for the clarification. That definitely makes it more challenging.
Gino Canessa (Aug 28 2020 at 18:19):
Track orientation call will be (briefly) at the start of the next regular Granular Controls call - Wednesday September 02 @ 2:00 PM Eastern US time. Meeting link: https://meet.jit.si/argo2020.granular . A recording will be made available after the call.
Josh Mandel (Aug 28 2020 at 21:57):
Thanks for the clarification. That definitely makes it more challenging.
If you can support the search variants, you can always convert a read into a search by treating it as ?_id=123
Michele Mottini (Aug 29 2020 at 00:03):
...there are also include and operations to take care of...
Josh Mandel (Aug 29 2020 at 00:12):
Quite!
Josh Mandel (Aug 29 2020 at 00:12):
(Operations we don't have a solid proposal for yet.)
Michele Mottini (Aug 29 2020 at 02:14):
I meant: if you can see only lab observation you have to filter them also when doing /Patient?_revinclude=Observation:patient and Patient/$everything etc
Josh Mandel (Aug 29 2020 at 02:20):
For sure -- if you support access to resources, you'll need to enforce access policies across the entire API surface area.
Josh Mandel (Aug 29 2020 at 02:21):
That's true for today's SMART 1.0 scopes as well, of course.
Chuck Feltner (Aug 31 2020 at 13:29):
By challenging, I was meaning that with the basic scopes (e.g., patient/Observation.rs) you can tell in most cases just from the FHIR query whether the calling entity is authorized. But with the finer grained control (e.g., Observation?category=laboratory) and read, update and delete, you will not know whether it is authorized until you are way into processing the request.
Are update and delete on the resource in the main fine grained control use case? Or is the use case mainly restricting a patient application to just be authorized to retrieve a subset of resource data (e.g., vital signs, lab results)?
If so, then we could perhaps limit the constraint to the search.
GET Observation?patient=456&category=laboratory
GET Observation?_id=123&category=laboratory
Josh Mandel (Aug 31 2020 at 15:12):
The idea here is describing access protocols for potentially any create read update delete or search operations. The key use case from the Argonaut community today is read + search access, but as we start describing more opportunities for patients to write back data and corrections into the health record, it's important that these same mechanisms also enable fine write access. Any given server might decide not to support some of these write-back capabilities.
Gino Canessa (Sep 02 2020 at 17:55):
FYI: The track orientation will be at the start of the regular call (2:00 PM ET - a few minutes out). I've pre-recorded a session with all the general connectathon info, which is available here. Link to join the call is here. Cheers!
Max Philips (Sep 08 2020 at 18:10):
clarification question for scenarios outlined on https://confluence.hl7.org/display/FHIR/2020-09+Argonaut+Granular+Controls : when the notation "GET Observation?patient={}" is used, the curly brace characters are not literal, correct? that just indicates 'fill this parameter out'?
Josh Mandel (Sep 08 2020 at 18:22):
That's correct!
Max Philips (Sep 08 2020 at 18:23):
thanks!
Josh Mandel (Sep 08 2020 at 18:23):
So for example
GET Observation?patient=123
or GET Observation?patient=Patient/123
Max Philips (Sep 08 2020 at 19:20):
on the wiki page, it also looks like the link 'See "v2 scopes" overview here' has moved from its current address to https://github.com/HL7/smart-app-launch/blob/master/fsh/ig-data/input/pages/scopes-v2-wip.md
Josh Mandel (Sep 08 2020 at 23:29):
Thanks, good catch! In theory you can edit the confluence page accordingly, but I'll take care of it :-)
Josh Mandel (Sep 08 2020 at 23:32):
(Done.)
Pascal Pfiffner (Sep 09 2020 at 20:09):
Will the server endpoints/client credentials be published on the wiki or is there another space?
Josh Mandel (Sep 09 2020 at 20:13):
We'd love it if folks provide any relevant detail in the:
"Servers and Clients" tab of the sign-up spreadsheet
Feel free to add columns if you like, too!
Pascal Pfiffner (Sep 09 2020 at 20:38):
Totally missed that tab, thanks! Can the server providers include client-id/client-secret and account login information? @Chuck Feltner I'd love to try your server.
Max Philips (Sep 09 2020 at 21:01):
I'll be adding Cerner's server info (including login info) yet today / tomorrow AM
Gino Canessa (Sep 09 2020 at 21:08):
/poll When should we kick off tomorrow?
9AM ET
10AM ET
11AM ET
Gino Canessa (Sep 10 2020 at 01:19):
Looks like 10:00 AM ET is the winner - look forward to seeing everyone then. Cheers!
Christiaan Knaap (Sep 10 2020 at 13:19):
A bit late to the party, but I will join the track as well! Checking the intro video right now.
Josh Mandel (Sep 10 2020 at 14:03):
Kick-off is live! You can find + join us in Whova.
Max Philips (Sep 10 2020 at 14:06):
If anything has started in Whova, unfortunately I've missed it
Max Philips (Sep 10 2020 at 14:07):
found it
Max Philips (Sep 10 2020 at 14:32):
I've jumped onto another call quickly and will return ASAP
Max Philips (Sep 10 2020 at 14:44):
i'm back in the call
Gino Canessa (Sep 10 2020 at 15:28):
FYI: the Granular Test App at smart.argo.run is now working correctly for the standalone launches. Make sure to select a valid patient for full functionality.
Josh Mandel (Sep 10 2020 at 15:29):
I'm still getting:
When I click on the granular app link
Gino Canessa (Sep 10 2020 at 15:32):
That's not a Standalone launch
Josh Mandel (Sep 10 2020 at 15:35):
Ah, thanks! Maybe would be good to hide the button in places where it doesn't work. For now, steps to try are:
- Open https://smart.argo.run/
- Click "Patient standalone launch"
- Enter a sample patient (e.g., "155d3d80-f3f0-4b39-9207-0d122cf94a11")
- Click "Granular Control Test App"
- Pick scopes and "Launch auth redirect"
Or if you want a shortcut for (1--4), click here directly
Gino Canessa (Sep 10 2020 at 15:43):
Pushing now - will only show the link when standalone launch options are selected
Max Philips (Sep 10 2020 at 15:44):
Notes about interacting with Cerner's connectathon server are updated and linked in the registration sheet, also posting here: https://github.com/MaxPhilips/wgm_notes/blob/25/argonaut_granular_controls/test_server_faq.md
Gino Canessa (Sep 10 2020 at 15:47):
Notes from the kickoff this morning:
- We will be using the normal meeting doc to track discussions
- We will have check-ins at 10:00 AM, 1:00 PM, and 5:00 PM ET today and tomorrow
- I'll have the meeting open and will be around most of the time. When I'm not, I'll leave a note up.
Pascal Pfiffner (Sep 10 2020 at 16:43):
These times are ET I assume? Sorry had to miss the kick-off, the kids were not cooperating :grinning:
Josh Mandel (Sep 10 2020 at 16:47):
Welcome -- and indeed all ET.
Max Philips (Sep 10 2020 at 16:53):
I've been playing with smart.argo.run for a bit and it is working well/as expected
Josh Mandel (Sep 10 2020 at 17:12):
For @Christiaan Knaap https://github.com/HL7/smart-app-launch/blob/master/fsh/ig-data/input/pages/scopes-v2-wip.md has a write-up of what we've defined so far. (It's linked from the connectathon track page too.)
Pascal Pfiffner (Sep 10 2020 at 18:26):
If I set up a client for standalone launch against smart.argo.run it doesn't prompt for a patient nor return a default patient ID in the response, even if I specify launch/patient. Do I need to specify something?
Gino Canessa (Sep 10 2020 at 18:31):
What is the Fhir Server Url provided with your configuration?
Pascal Pfiffner (Sep 10 2020 at 18:50):
https://smart.argo.run/v/r4/fhir
Gino Canessa (Sep 10 2020 at 18:57):
Ahh, those options need to be set in the App Launcher - it builds a custom URL to handle all the different configuration options. You'll probably want to try with something like https://smart.argo.run/v/r4/sim/eyJrIjoiMSIsImIiOiIxNTVkM2Q4MC1mM2YwLTRiMzktOTIwNy0wZDEyMmNmOTRhMTEifQ/fhir
Pascal Pfiffner (Sep 10 2020 at 18:58):
Ah I didn't bother configuring, I just grabbed what's there! :)
Gino Canessa (Sep 10 2020 at 18:59):
Well, you did configure it - just via the longer method of pinging me :-)
Pascal Pfiffner (Sep 10 2020 at 19:13):
It doesn't like the aud value, do I need to provide a separate URL for it?
Pascal Pfiffner (Sep 10 2020 at 19:13):
(it uses the baseURL)
Pascal Pfiffner (Sep 10 2020 at 19:14):
(I get bad_audience)
Josh Mandel (Sep 10 2020 at 19:17):
The FHIR server base URL should be a valid aud.
Pascal Pfiffner (Sep 10 2020 at 19:55):
It's happy with https://smart.argo.run/v/r4/fhir but not with the state-containing one Gino shared above.
Pascal Pfiffner (Sep 10 2020 at 19:58):
And I don't get `patient. Let me restart that.
Josh Mandel (Sep 10 2020 at 19:58):
Here's an example of a request that works for me:
Josh Mandel (Sep 10 2020 at 19:58):
That's generated by the sample app; you can reproduce with this link and clicking "Launch Auth Redirect"
Pascal Pfiffner (Sep 10 2020 at 20:05):
Interesting, I'll try again w/o the aud workaround. I still don't get any patient back though, even if pre-configuring.
Pascal Pfiffner (Sep 10 2020 at 20:06):
Is there a good place to discuss these server results/issues, other than here? In the spreadsheet, maybe?
Josh Mandel (Sep 10 2020 at 20:07):
I'd create a sub-topic like C25 -- Testing with smart.argo.run but wherever you like is fine :)
Christiaan Knaap (Sep 11 2020 at 18:11):
Sorry my connection dropped. Trying to restore it.
Gino Canessa (Sep 11 2020 at 19:40):
FYI - our wrap-up call will be at 5:00 ET today. Thanks in advance!
Max Philips (Sep 11 2020 at 21:32):
agreed, thank you Gino for coordinating the track!
Josh Mandel (Sep 11 2020 at 21:33):
Indeed, thanks!! This has been a lot of fun and productive.
Brian Postlethwaite (Sep 11 2020 at 21:37):
Yes thanks, I only stopped by for a little while, but it added to my value for the connectathon. Hope to have more to contribute out of time...
Pascal Pfiffner (Sep 11 2020 at 22:34):
Damn TZ difference, totally missed the party – thanks all, this was good!!
Keith Carlson (Sep 12 2020 at 13:58):
Thanks all! It was a great first connectathon experience for me
Last updated: Apr 12 2022 at 19:14 UTC