FHIR Chat · Scopes in Standalone Patient App · inferno

Stream: inferno

Topic: Scopes in Standalone Patient App


Lakshmi Bhamidipati (Jul 08 2021 at 15:35):

In order to test Single Patient API, we are getting the token from the first tab - Standalone Patient - Full Access. When I look at the scopes in the token generation workflow, it does not have Related Person - "launch/patient openid fhirUser offline_access patient/Medication.read patient/AllergyIntolerance.read patient/CarePlan.read patient/CareTeam.read patient/Condition.read patient/Device.read patient/DiagnosticReport.read patient/DocumentReference.read patient/Encounter.read patient/Goal.read patient/Immunization.read patient/Location.read patient/MedicationRequest.read patient/Observation.read patient/Organization.read patient/Patient.read patient/Practitioner.read patient/Procedure.read patient/Provenance.read". Is it expected? Our FHIR server code is returning 403 because the resource is not present in the scope list. Thanks.

Lakshmi Bhamidipati (Jul 08 2021 at 19:02):

Since I've not heard from anyone, I am assuming that "RelatedPerson" is a resource that can be made available in the scopes picklist. Thanks.

Robert Scanlon (Jul 09 2021 at 15:48):

If you have RelatedPerson references then Inferno will follow them and will expect to have been granted access. Since RelatedPerson is not a required resource, we do not by default include it in the scope list. You can add it though. So yes, that is fine.

Robert Scanlon (Jul 09 2021 at 15:50):

We validate that input and fail if we see something that is disallowed (namely, non-standard scopes). So if you pass the launch tests, whatever scope you used should be valid from our perspective.

Robert Scanlon (Jul 09 2021 at 15:51):

If your server supports it, you could put patient/*.read instead of all resource-specific scopes here, as an example of a scope string that looks quite a bit different but still is allowed.

Robert Scanlon (Jul 09 2021 at 15:54):

The data we have on the reference server has 'PractitionerRole' references, so if you look at the 'Inferno Reference Server' preset on inferno.healthit.gov/inferno (using the dropdown below the 'start testing' input box) you'll see patient/PractitionerRole.read in the scope list when you start the first authorization tests. If we didn't have that, then we'd get an access denied when trying to follow those references in the Single Patient API section.


Last updated: Apr 12 2022 at 19:14 UTC