FHIR Chat · Using OAuth · bulk data

Stream: bulk data

Topic: Using OAuth


view this post on Zulip ranjith (May 05 2021 at 14:32):

Hello All,

We are trying to implement Inferno for bulk data and just want to confirm whether we will be able to use OAuth authentication instead of JWT. Is there a way to dynamically pass the related headers from the UI?

view this post on Zulip Yunwei Wang (May 05 2021 at 14:38):

Can you clarify your question?

view this post on Zulip Robert Scanlon (May 05 2021 at 14:38):

Is this specifically for the ONC Standardized API for Patient and Population Services criteria certification (which has requirements regarding using SMART Backend Services authorization), or are you more broadly asking if you could use a different authorization scheme outside the scope of that criteria?

view this post on Zulip ranjith (May 05 2021 at 15:11):

Mainly looking for a standardized API which might help in setting up the required authorization, and in case we have options, we want to explore those as well.

view this post on Zulip Rahul Jain (May 05 2021 at 16:50):

Hi @Yunwei Wang
thanks for your response.

We have implemented Da Vinci - Risk Based Contracts Member Attribution (ATR) List - http://hl7.org/fhir/us/davinci-atr/2020Feb/spec.html

Now trying to implement MITRE Inferno community edition in a local network to validate the above implementation (https://github.com/onc-healthit/inferno#installation-and-deployment)

We implemented OAuth 2.0 for the API endpoints (kick-off, status, etc.), which works on client ID and secret. But it seems Inferno needs JWT token based authentication. Our question is: can MITRE Inferno work with OAuth 2.0 client ID and secret based authentication?

Thanks in advance.
Regards,
Rahul Jain

view this post on Zulip Michele Mottini (May 05 2021 at 17:22):

The standard calls for JWT token based authentication, so that's what you should use really.

view this post on Zulip Rahul Jain (May 05 2021 at 19:05):

Thanks Michele - can you please point me to a reference/implementation for JWT based authentication for Bulk FHIR APIs?

view this post on Zulip Josh Mandel (May 05 2021 at 19:10):

https://hl7.org/fhir/uv/bulkdata/authorization/index.html is the spec; https://github.com/smart-on-fhir/bulk-data-server is one reference server that supports this spec.

view this post on Zulip Rahul Jain (May 05 2021 at 19:15):

Thanks - per OAuth 2.0 framework standards, the supported values for token_endpoint_auth_methods_supported are

client_secret_post
client_secret_basic
client_secret_jwt
private_key_jwt

then why is only private_key_jwt supported?

view this post on Zulip Josh Mandel (May 05 2021 at 20:01):

OAuth 2.0 is a framework, much like FHIR is a framework. Implementation guides are required to lock down details, layer on extensions, and support end-to-end interoperability.

view this post on Zulip Rahul Jain (May 18 2021 at 16:40):

We are still finding it a bit tedious to implement Inferno as we don't know the internals.
We have hosted the community edition in Docker.
Now finding it a bit difficult to make it work with our bulk export.

Is there any professional support available for inferno?

Also - what is the value expected in Bulk Client ID?

[screenshot: image.png]

In the configuration it seems to be a JWT token, is it? If so, is it already signed or just 64 bit encoded?

Or is it the client ID (client app ID)?

Also - trying to understand how Bulk Private Key is populated here... We have the private key available, and the already negotiated public key is uploaded to the FHIR auth server. Can it just be uploaded here in PEM format?

[screenshot: image.png]

Thanks,
Rahul

view this post on Zulip Vladimir Ignatov (May 18 2021 at 17:13):

The first one should be the client_id and the second should be a JWK. Example:

Bulk Client:   my_client_id
Bulk Private Key:   {"kty":"EC","crv":"P-384","d":"...","x":"...","y":"...","key_ops":["sign"],"ext":true,"kid":"...","alg":"ES384"}

view this post on Zulip Yunwei Wang (May 18 2021 at 17:18):

@Rahul Jain Hi, Bulk Client ID is the client ID that the server generated when registering the client with the server. Bulk Private Key is the private key you used to encrypt the handshake request.

view this post on Zulip Yunwei Wang (May 18 2021 at 17:19):

http://hl7.org/fhir/uv/bulkdata/authorization/index.html#registering-a-smart-backend-service-communicating-public-keys

view this post on Zulip Yunwei Wang (May 18 2021 at 17:21):

and here
http://hl7.org/fhir/uv/bulkdata/authorization/index.html#obtaining-an-access-token

view this post on Zulip Yan Wang (May 18 2021 at 21:50):

I am testing the authentication with the SMART Bulk Data Server. I generated a Client ID:

[screenshot: image.png]

Then put the Client ID (JWT) in the following Token Request:

[screenshot: image.png]

But received a 400 error:

{
"error": "invalid_request",
"error_description": "Invalid client details token: The token must be a string"
}

Am I missing anything?

Thanks,
Yan

view this post on Zulip Vladimir Ignatov (May 18 2021 at 22:11):

This may not be possible in Postman. You are missing a step here. client_assertion is not the client_id. Instead you need to take that id, put it in another structure, then sign that with your private key and use it as client_assertion. Here is a JS example: https://github.com/smart-on-fhir/sample-apps-stu3/blob/master/fhir-downloader/index.js#L530-L577

view this post on Zulip Yan Wang (May 18 2021 at 22:17):

Thanks @Vladimir Ignatov for the clarification.


Last updated: Apr 12 2022 at 19:14 UTC