FHIR Chat · Final Rule, FHIR V4, SMART · Security and Privacy

Stream: Security and Privacy

Topic: Final Rule, FHIR V4, SMART


Sam Dikeman (Jun 03 2021 at 18:35):

I am hoping to learn from the experts to answer a question about the relationship between the CMS Interoperability and Patient Access (IPA) final rule requirements and the current state of industry standards.

Background: The CMS Final Rule requires entities to use FHIR V4. When I look at the HL7 page for the SMART Application Launch Framework IG, it is based on FHIR R3 and SMART v1. To use FHIR R4, I need to use the SMART IG v1.1.0, which is still in ballot mode. Documentation that I have reviewed seems to require public clients to use the OAuth authorization flow with PKCE, which won't be available until SMART v2 is official. That would tell me that whatever I'm using as an authorization service to do IAM will need to use SMART v1 with some additions to support PKCE.

Question: Where can I test the SMART v1 that has been modified to support PKCE? The Inferno test page does not allow public clients using the authorization flow to use PKCE. I feel like I'm missing some critical piece of information that will make this all clear.

Sam Dikeman (Jun 03 2021 at 18:36):

If I wasn't clear, we are starting to develop our API and would use Inferno to test our IAM flow to be able to hit the API.

Gino Canessa (Jun 03 2021 at 19:17):

Hi Sam,

The SMART App Launch Framework specifies that it is valid with any version of FHIR DSTU2 or higher (Profile audience and scope), so there is no requirement for a newer version.

There is a draft PR for adding the SMART v2 features (including PKCE) to the SMARTHealthIT launcher. I believe there is no rush to merge until the spec is finalized, given that anything is subject to change until then.

In the meantime, there is a test server at http://smart.argo.run, which is used for testing the v2 changes (e.g., at connectathons). It is just a fork of the SMARTHealthIT launcher where development has been taking place. If you select any of the 'standalone' launch types, there will be the additional option of launching the 'Granular Control Test App', which includes the client-side PKCE code. I would recommend checking out the connectathon report pages for SMART v2 as well - I believe there are several sandbox environments that support PKCE, but I cannot say off the top of my head.

Finally, in general if you have SMART specific questions, you'll get the best responses on the #smart stream.

Hope this helps!

Sam Dikeman (Jun 03 2021 at 19:24):

Thanks so much Gino. Will make sure I jump into the other stream for this kind of stuff.

Gino Canessa (Jun 03 2021 at 19:35):

No problem! I'm pretty sure there is a lot of overlap between these two streams, but the SMART one is more focused on those types of specifics. Cheers!


Last updated: Apr 12 2022 at 19:14 UTC